Merge pull request #167 from lbryio/block-api-requests-by-referer

block api requests by referer
2016-09-16 03:49:55 -04:00 · 2016-09-16 03:49:55 -04:00 · b3a16f95f7
parent a9e4343775 7085b1e3c3
commit b3a16f95f7
1 changed files with 6 additions and 0 deletions
--- a/lbrynet/lbrynet_daemon/LBRYDaemon.py
+++ b/lbrynet/lbrynet_daemon/LBRYDaemon.py
@ -402,10 +402,16 @@ class LBRYDaemon(jsonrpc.JSONRPC):

    def render(self, request):
        origin = request.getHeader("Origin")
+        referer = request.getHeader("Referer")
+
        if origin not in [None, 'http://localhost:5279']:
            log.warning("Attempted api call from %s", origin)
            return server.failure

+        if referer not in [None, 'http://localhost:5279/']:
+            log.warning("Attempted api call from %s", referer)
+            return server.failure
+
        request.content.seek(0, 0)
        # Unmarshal the JSON-RPC data.
        content = request.content.read()