Congegni
/
sintonia
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #250 from radiorabe/fix/cors-response-on-non-stdandard-port 

Fix non default local CORS URL case
This commit is contained in:
Robb 2017-07-18 22:20:00 -04:00 committed by GitHub
parent 6e2cb2b2a8 04e2402276
commit 0837c97263
2 changed files with 30 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
airtime_mvc/application/common/CORSHelper.php
View File

@ -7,8 +7,9 @@ class CORSHelper
{ {
//Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well. //Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
$origin = $request->getHeader('Origin'); $origin = $request->getHeader('Origin');
if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") && if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") &&
(!in_array($origin, self::getAllowedOrigins()))) (!in_array($origin, self::getAllowedOrigins($request))))
{ {
//Don't allow CORS from other domains to prevent XSS. //Don't allow CORS from other domains to prevent XSS.
throw new Zend_Controller_Action_Exception('Forbidden', 403); throw new Zend_Controller_Action_Exception('Forbidden', 403);
@ -19,14 +20,38 @@ class CORSHelper
} }
} }
public static function getAllowedOrigins() /**
* Get all allowed origins
*
* @param Request $request request object
*/
public static function getAllowedOrigins($request)
{ {
$allowedCorsUrls = array_map( $allowedCorsUrls = array_map(
function($v) { return trim($v); }, function($v) { return trim($v); },
explode(PHP_EOL, Application_Model_Preference::GetAllowedCorsUrls()) explode(PHP_EOL, Application_Model_Preference::GetAllowedCorsUrls())
); );
// always allow the configured server in (as reported by the server and not what is i baseUrl)
$scheme = $request->getServer('REQUEST_SCHEME');
$host = $request->getServer('SERVER_NAME');
$port = $request->getServer('SERVER_PORT');
$portString = '';
if (
$scheme == 'https' && $port != 443 ||
$scheme == 'http' && $port != 80
) {
$portString = sprintf(':%s', $port);
}
$requestedUrl = sprintf(
'%s://%s%s',
$scheme,
$host,
$portString
);
return array_merge($allowedCorsUrls, array( return array_merge($allowedCorsUrls, array(
"http://" . $_SERVER['SERVER_NAME'], $requestedUrl
"https://" . $_SERVER['SERVER_NAME'])); ));
} }
} }

2
airtime_mvc/application/forms/Login.php
View File

@ -16,7 +16,7 @@ class Application_Form_Login extends Zend_Form
if ($request) { if ($request) {
$refererUrl = $request->getHeader('referer'); $refererUrl = $request->getHeader('referer');
$originIsSafe = false; $originIsSafe = false;
foreach (CORSHelper::getAllowedOrigins() as $safeOrigin) { foreach (CORSHelper::getAllowedOrigins($request) as $safeOrigin) {
if ($this->startsWith($safeOrigin, $refererUrl)) { if ($this->startsWith($safeOrigin, $refererUrl)) {
$originIsSafe = true; $originIsSafe = true;
break; break;