2.3.2. DNS Rebinding Protection
- If CSRF protection is enabled, additional check is being made on each RPC
- request to make sure that the client sending the request does so using
- one of the allowed hostnames by which RPC server is meant to be available.
+ Additional check is being made on each RPC request to make sure that the
+ client sending the request does so using one of the allowed hostnames by
+ which RPC server is meant to be available.
If host whitelisting is enabled (which is true by default), Transmission
inspects the "Host:" HTTP header value (with port stripped, if any) and
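Review bot: The three added lines drop the "If CSRF protection is enabled" condition without saying what replaces it, so a reader of the old text cannot tell whether the dependency is gone. State explicitly that the hostname check applies whether or not CSRF protection is enabled. The wording also needs tidying: "Additional check is being made" should read "An additional check is made", and "by which RPC server" should be "by which the RPC server".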
{
handle_upload (req, server);
}
-#ifdef REQUIRE_SESSION_ID
else if (!isHostnameAllowed (server, req))
{
char * const tmp = tr_strdup_printf (
send_simple_response (req, 421, tmp);
tr_free (tmp);
}
+#ifdef REQUIRE_SESSION_ID
else if (!test_session_id (server, req))
{
const char * sessionId = get_current_session_id (server);
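Review bot: The `isHostnameAllowed (server, req)` test still sits after the branch that calls `handle_upload (req, server)` in this else-if chain, so any request that takes that earlier branch is served without being checked against the allowed hostnames. If uploads are meant to be covered by the rebinding protection, move the host check ahead of that branch. Also, now that `#ifdef REQUIRE_SESSION_ID` opens directly before `else if (!test_session_id (server, req))`, please confirm that the matching `#endif` (not visible in these lines) closes only the session-id branch, so the chain still compiles and the host check still runs when the macro is undefined.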