PRESIDECMS-2953 prevent browser prefetches from performing actions

pixl8 · Oct 14, 2024 · f8330ef · f8330ef
1 parent ac116c9
commit f8330ef
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/system/coldboxModifications/RequestContextDecorator.cfc b/system/coldboxModifications/RequestContextDecorator.cfc
@@ -691,6 +691,10 @@ component accessors=true extends="preside.system.coldboxModifications.RequestCon
 		return IsBoolean( request._sessionSettings.statelessRequest ?: "" ) && request._sessionSettings.statelessRequest;
 	}
 
+	public boolean function isPrefetchRequest() {
+		return getHTTPHeader( "sec-purpose" ) == "prefetch";
+	}
+
 	public void function setXFrameOptionsHeader( string value ) {
 		if ( !StructKeyExists( arguments, "value" ) ) {
 			var setting = getPageProperty( propertyName="iframe_restriction", cascading=true );

diff --git a/system/handlers/General.cfc b/system/handlers/General.cfc
@@ -50,6 +50,7 @@ component {
 		_reloadChecks( argumentCollection = arguments );
 		_recordUserVisits( argumentCollection = arguments );
 		_setLocale( argumentCollection = arguments );
+		_prefetchCheck( argumentCollection = arguments );
 	}
 
 	public void function requestEnd( event, rc, prc ) {
@@ -217,6 +218,14 @@ component {
 		SetLocale( getModel( "i18n" ).getFwLocale() );
 	}
 
+	private void function _prefetchCheck( event, rc, prc ) {
+		if ( event.isActionRequest() && event.isPrefetchRequest() ) {
+			content reset=true;
+			header statuscode="400" statustext="Not allowed";
+			abort;
+		}
+	}
+
 	private void function _performDbMigrations() {
 		coreDatabaseMigrationService.migrate();
 		appDatabaseMigrationService.doMigrations();