From 328a3da27ebac687af555ceb569c693d6058b987 Mon Sep 17 00:00:00 2001
From: Anthony Donlon
Date: Tue, 16 Dec 2025 20:43:15 +0800
Subject: [PATCH] editor/server: add simple CSRF check

---
 editor/server/share.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/editor/server/share.py b/editor/server/share.py
index 42df085..33dd022 100644
--- a/editor/server/share.py
+++ b/editor/server/share.py
@@ -65,7 +65,19 @@ def get_rand_name(digits=8):
 def create():
 if len(request.data) > 4096:
 abort(413)
+
+ # Simple CSRF check
+ sec_fetch_site = request.headers.get('Sec-Fetch-Site')
+ if sec_fetch_site is not None and sec_fetch_site != 'same-origin':
+ return jsonify({
+ 'status': 'failed',
+ 'message': 'CSRF check failed (Sec-Fetch-Site)',
+ }), 403
+
+ # Accessing request.json raises 415 error if Content-Type is not application/json. This also prevents CSRF requests.
+ # See https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/CSRF#avoiding_simple_requests
 params = request.json['parameters'] # throws KeyError
+ # TODO: strip unused params
 try:
 item = models.Item()
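Review bot: When `Sec-Fetch-Site` is absent, the new check in `create()` lets the request through, so for clients that do not send the header the only remaining barrier is the implicit Content-Type behaviour of `request.json` described in the comment. As far as I recall that behaviour is version-dependent (older Flask/Werkzeug releases returned `None` for a non-JSON content type instead of aborting with 415). It also only stops cross-site requests if the server does not answer CORS preflights permissively, which this hunk does not show. I would make the dependency explicit with `if not request.is_json: abort(415)` just before the `request.json` access, and say in the comment that the header check is deliberately fail-open. The body of `create()` continues past the end of the hunk.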