diff --git a/lib/PublicInbox/WwwAttach.pm b/lib/PublicInbox/WwwAttach.pm
index c17394af..87844bf3 100644
--- a/lib/PublicInbox/WwwAttach.pm
+++ b/lib/PublicInbox/WwwAttach.pm
@@ -1,4 +1,4 @@
-# Copyright (C) 2016-2021 all contributors
+# Copyright (C) all contributors
# License: AGPL-3.0+
# For retrieving attachments from messages in the WWW interface
@@ -11,16 +11,17 @@ use PublicInbox::Eml;
sub referer_match ($) {
my ($ctx) = @_;
my $env = $ctx->{env};
- my $referer = $env->{HTTP_REFERER} // '';
+ return 1 if $env->{REQUEST_METHOD} eq 'POST';
+ my $referer = lc($env->{HTTP_REFERER} // '');
return 1 if $referer eq ''; # no referer is always OK for wget/curl
# prevent deep-linking from other domains on some browsers (Firefox)
# n.b.: $ctx->{ibx}->base_url($env) with INBOX_URL won't work
# with dillo, we can only match "$url_scheme://$HTTP_HOST/" without
# path components
- my $base_url = $env->{'psgi.url_scheme'} . '://' .
+ my $base_url = lc($env->{'psgi.url_scheme'} . '://' .
($env->{HTTP_HOST} //
- "$env->{SERVER_NAME}:$env->{SERVER_PORT}") . '/';
+ "$env->{SERVER_NAME}:$env->{SERVER_PORT}") . '/');
index($referer, $base_url) == 0;
}
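Review bot: The new early return on line 16 has no comment saying why the request method alone should satisfy a referer check, and a reader can easily mistake the sub for a CSRF guard when the surrounding comments describe it as deep-link (hotlink) prevention only. Presumably POST is exempted so the HTML form served with the 403 body in get_attach_i can re-request the attachment; if so, say it: `# POSTs come from our own download form (see the 403 body in get_attach_i); this check only discourages hotlinking, it is not a CSRF guard`. Case-folding both sides with lc is right for the scheme and host, but the comparison is still a plain prefix match on `scheme://host/`, so a referer carrying an explicit port or userinfo for the same host keeps failing as before; that is pre-existing, but worth a line next to the `index` call so nobody "fixes" it by loosening the prefix.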
@@ -46,8 +47,13 @@ sub get_attach_i { # ->each_part callback
$part = $part->body;
} else {
$res->[0] = 403;
- $res->[1]->[1] = 'text/plain';
- $part = "Deep-linking prevented\n";
+ $res->[1]->[1] = 'text/html';
+ $part = <<"";
+download
+attachmentDeep-linking prevented
+
}
}
push @{$res->[1]}, 'Content-Length', length($part);
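Review bot: The 403 body becomes `text/html` on line 36, but the heredoc that fills it is the interpolating form `<<"";` and the markup of its two content lines appears to have been stripped by the web view, so whether anything request-derived (a form action built from the request path, for example) ends up in the HTML cannot be confirmed from this hunk. If the body is static, prefer the non-interpolating `<<'';` so a future edit cannot inject an unescaped `$var` by accident; if it is not, every interpolated value needs HTML escaping before it is emitted. The purpose of the form also deserves a comment, since its counterpart is the silent POST exemption in referer_match: `# serve a POST form so a browser that sent a foreign Referer can still fetch the attachment; POST bypasses referer_match`. get_attach_i starts before this hunk and continues past it.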