1 files changed, 21 insertions, 1 deletions

diff --git a/lib/serve.js b/lib/serve.js
index fdf24f7..414cef5 100644
--- a/lib/serve.js
+++ b/lib/serve.js
@@ -122,6 +122,19 @@ Serve.prototype.go = function () {
     Boolean(conf.replyMentionFeeds)
 
   if (this.req.method === 'POST' || this.req.method === 'PUT') {
+    var referer = this.req.headers.referer
+    var refererPath = this.app.getRefererPath(referer)
+    if (!refererPath) {
+      if (!referer) console.error('Missing referer')
+      else console.error('Referer not allowed: "' + referer + '"')
+      this.res.writeHead(403)
+      return this.res.end('Forbidden')
+    }
+    if (this.isUnsafePath(refererPath)) {
+      console.error('Unsafe referer path not allowed: "' + refererPath + '"')
+      this.res.writeHead(403)
+      return this.res.end('Forbidden')
+    }
     if (/^multipart\/form-data/.test(this.req.headers['content-type'])) {
       var data = {}
       var erred
@@ -213,6 +226,14 @@ Serve.prototype.go = function () {
   }
 }
 
+Serve.prototype.isUnsafePath = function (path) {
+  return typeof path !== 'string'
+    || /^&|^%26/.test(path)
+    || path.indexOf('../') !== -1
+    || path.startsWith('/web/')
+    || path.startsWith('/npm-readme/')
+}
+
 Serve.prototype.saveDraft = function (content, cb) {
   var self = this
   var data = self.data
@@ -2426,7 +2447,6 @@ Serve.prototype.wrapPage = function (title, searchQ) {
       var done = multicb({pluck: 1, spread: true})
       done()(null, h('html', h('head',
         h('meta', {charset: 'utf-8'}),
-        h('meta', {name: 'referrer', content: 'no-referrer'}),
         h('title', title),
         h('meta', {name: 'viewport', content: 'width=device-width,initial-scale=1'}),
         h('link', {rel: 'icon', href: render.toUrl('/static/hermie.ico'), type: 'image/x-icon'}),