From 318ab179865e0707d7945edc3a13a464a108d583 Mon Sep 17 00:00:00 2001
From: Calum Lind
Date: Wed, 1 Mar 2017 12:00:46 +0000
Subject: [WebUI] Only accept application/json content-type requests

- Protects against CSRF (Cross-site request forgery)
---
 deluge/ui/web/json_api.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/deluge/ui/web/json_api.py b/deluge/ui/web/json_api.py
index 4b1e8ffd3..57ce5473c 100644
--- a/deluge/ui/web/json_api.py
+++ b/deluge/ui/web/json_api.py
@@ -262,6 +262,10 @@ class JSON(resource.Resource, component.Component):
 Handler to take the json data as a string and pass it on to the
 _handle_request method for further processing.
 """
+ if request.getHeader('content-type') != 'application/json':
+ message = 'Invalid JSON request content-type: %s' % request.getHeader('content-type')
+ raise JSONException(message)
+
 log.debug("json-request: %s", request.json)
 response = {"result": None, "error": None, "id": None}
 response["id"], d, response["error"] = self._handle_request(request)
-- 
cgit
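Review bot: The exact string comparison on the added `if request.getHeader('content-type') != 'application/json':` line rejects legitimate requests whose header carries parameters, such as `application/json; charset=utf-8`, and it is case-sensitive although media types are not. Parse the media type before comparing, e.g. `ctype = (request.getHeader('content-type') or '').split(';', 1)[0].strip().lower()` followed by `if ctype != 'application/json':`, which also avoids reading the header twice. As a CSRF mitigation this check relies on browsers issuing a CORS preflight for non-simple content types rather than on any origin or session-bound token check, so a docstring line stating that the content-type check is a browser-enforced defence and what it does not cover would help the next maintainer. Raising JSONException inside render() instead of writing a response with a 4xx status is presumably turned into an error reply by a handler outside this hunk; confirm that the client actually receives the message rather than a generic server error. render() continues outside the hunk.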