From 538c22f61a860f688ea0e0f04e321486dedcb299 Mon Sep 17 00:00:00 2001
From: Kyle Drake
Date: Fri, 21 Jun 2013 15:57:58 -0700
Subject: [PATCH] attempt to plug CSRF attack

---
 app.rb | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/app.rb b/app.rb
index bb466ab7..c3edf165 100644
--- a/app.rb
+++ b/app.rb
@@ -200,7 +200,7 @@ get '/site_files/text_editor/:filename' do |filename|
 end
 post '/site_files/save/:filename' do |filename|
- halt 'You are not logged in!' if current_site.nil?
+ require_login_ajax
 tmpfile = Tempfile.new 'neocities_saving_file'
@@ -243,8 +243,16 @@ def dashboard_if_signed_in
 redirect '/dashboard' if signed_in?
 end
+def require_login_ajax
+ halt 'You are not logged in!' unless signed_in? && csrf_safe
+end
+
+def csrf_safe
+ (request.referer =~ /.+\.neocities\.org/i).nil?
+end
+
 def require_login
- redirect '/' unless signed_in?
+ redirect '/' unless signed_in? && csrf_safe
 end
 def signed_in?
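Review bot: `csrf_safe` in the second hunk is inverted: `(request.referer =~ /.+\.neocities\.org/i).nil?` is true exactly when the Referer does not match, so a missing or foreign Referer passes while a same-site one from `www.neocities.org` is rejected, which makes both `require_login_ajax` and the changed `require_login` fail open for cross-site requests and lock out legitimate sessions. The pattern is also unanchored (a match anywhere in the path or query string counts), `.+\.` means the bare `neocities.org` origin never matches, and if user-authored pages are served from other `neocities.org` subdomains a wildcard subdomain match would treat them as trusted too. A minimal correction is to negate and anchor it against the hosts the app itself is served from, e.g. `!(request.referer.to_s =~ %r{\Ahttps?://(www\.)?neocities\.org(/|\z)}i).nil?`, but Referer is routinely stripped by browsers and proxies, so a session-bound token (`Rack::Protection::AuthenticityToken` from the rack-protection gem Sinatra already depends on) is the durable fix. Separately, `halt 'You are not logged in!'` in `require_login_ajax` answers a failed referer check with a 200 and a misleading message; `halt 403, 'Forbidden'` (or a distinct message for the CSRF case) lets the AJAX caller tell the two failures apart.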