Fix logins from WHMCS by disabling CSRF token on login page for trusted

origins
2014-11-20 19:33:11 -05:00 · 2014-11-20 19:33:11 -05:00 · a62e98beb4
commit a62e98beb4
parent ca7d0688e7
2 changed files with 31 additions and 11 deletions
--- a/airtime_mvc/application/common/CORSHelper.php
+++ b/airtime_mvc/application/common/CORSHelper.php
@ -11,17 +11,19 @@ class CORSHelper
        $response = $response->setHeader('Access-Control-Allow-Origin', '*');
        $origin = $request->getHeader('Origin');
        if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") &&
-        (!in_array($origin,
-                array("http://www.airtime.pro",
-                        "https://www.airtime.pro",
-                        "https://account.sourcefabric.com",
-                        "http://" . $_SERVER['SERVER_NAME'],
-                        "https://" . $_SERVER['SERVER_NAME']
-                ))
-        ))
+            (!in_array($origin, self::getAllowedOrigins())))
        {
            //Don't allow CORS from other domains to prevent XSS.
            throw new Zend_Controller_Action_Exception('Forbidden', 403);
        }
    }
+
+    public static function getAllowedOrigins()
+    {
+        return array("http://www.airtime.pro",
+                        "https://www.airtime.pro",
+                        "https://account.sourcefabric.com",
+                        "http://" . $_SERVER['SERVER_NAME'],
+                        "https://" . $_SERVER['SERVER_NAME']);
+    }
 }