Congegni
/
libretime
mirror of https://github.com/libretime/libretime.git
7
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Better cors error logging

This commit is contained in:
jo 2021-10-07 19:05:56 +02:00
parent 46685f45aa
commit e4551bb321
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
airtime_mvc/application/common/CORSHelper.php
View File

@ -7,11 +7,13 @@ class CORSHelper
{ {
//Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well. //Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
$origin = $request->getHeader('Origin'); $origin = $request->getHeader('Origin');
$allowedOrigins = self::getAllowedOrigins($request);
if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") && if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") &&
(!in_array($origin, self::getAllowedOrigins($request)))) (!in_array($origin, $allowedOrigins))
{ ) {
//Don't allow CORS from other domains to prevent XSS. //Don't allow CORS from other domains to prevent XSS.
Logging::error("request origin '{$origin}' is not in allowed '" . implode(', ', $allowedOrigins) . "'!");
throw new Zend_Controller_Action_Exception('Forbidden', 403); throw new Zend_Controller_Action_Exception('Forbidden', 403);
} }
//Allow AJAX requests from configured websites. We use this to allow other pages to use LibreTimes API. //Allow AJAX requests from configured websites. We use this to allow other pages to use LibreTimes API.