diff --git a/airtime_mvc/application/common/CORSHelper.php b/airtime_mvc/application/common/CORSHelper.php
index 04c9d8c38..af5ab1635 100644
--- a/airtime_mvc/application/common/CORSHelper.php
+++ b/airtime_mvc/application/common/CORSHelper.php
@@ -7,11 +7,13 @@ class CORSHelper {
 //Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
 $origin = $request->getHeader('Origin');
+ $allowedOrigins = self::getAllowedOrigins($request);
 if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") &&
- (!in_array($origin, self::getAllowedOrigins($request))))
- {
+ (!in_array($origin, $allowedOrigins))
+ ) {
 //Don't allow CORS from other domains to prevent XSS.
+ Logging::error("request origin '{$origin}' is not in allowed '" . implode(', ', $allowedOrigins) . "'!");
 throw new Zend_Controller_Action_Exception('Forbidden', 403);
 }
 //Allow AJAX requests from configured websites. We use this to allow other pages to use LibreTimes API.
diff --git a/airtime_mvc/application/models/Preference.php b/airtime_mvc/application/models/Preference.php
index c2f9fe4b3..0d164e7c8 100644
--- a/airtime_mvc/application/models/Preference.php
+++ b/airtime_mvc/application/models/Preference.php
@@ -1556,7 +1556,16 @@ class Application_Model_Preference
 * @param string $value
 * @return void
 */
- public static function SetAllowedCorsUrls($value) {
+ public static function SetAllowedCorsUrls($value)
+ {
+ // Trim and strip trailing slash for each entry
+ $value = implode(PHP_EOL, array_map(
+ function ($v) {
+ return rtrim(trim($v), '/');
+ },
+ explode(PHP_EOL, $value)
+ ));
+
 self::setValue('allowed_cors_urls', $value);
 }
diff --git a/airtime_mvc/build/airtime-setup/forms/general-settings.php b/airtime_mvc/build/airtime-setup/forms/general-settings.php
index 50426a543..72439396e 100644
--- a/airtime_mvc/build/airtime-setup/forms/general-settings.php
+++ b/airtime_mvc/build/airtime-setup/forms/general-settings.php
@@ -42,6 +42,9 @@
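Review bot: The added `Logging::error(...)` interpolates the raw `Origin` request header, which is attacker-controlled, so CR/LF or other control bytes in it can forge or corrupt log entries and the header can be arbitrarily long. Sanitize it before logging, e.g. `$safeOrigin = preg_replace('/[^\x20-\x7E]/', '?', $origin);` and interpolate `{$safeOrigin}` in the message (capping its length with `substr` is also reasonable). Separately, the guard on the unchanged context line keeps the unanchored pattern `"/https?:\/\/localhost/"`, which also matches an origin such as `https://localhost.attacker.example` and so never reaches the allow-list check or the 403; anchoring it as `'/^https?:\/\/localhost(:\d+)?$/'` would close that, though it predates this commit. The enclosing method begins and ends outside the hunk, so what happens to a request that passes this guard is not visible here.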
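Review bot: The new normalization in `SetAllowedCorsUrls` keeps empty entries: a blank line or trailing newline in the submitted text becomes `''` after `rtrim(trim($v), '/')`, and whether `getAllowedOrigins` (not visible here) discards such entries cannot be told from the hunk. Filtering them at write time keeps the stored allow-list to real origins: change the first line to `$value = implode(PHP_EOL, array_filter(array_map(` and the closing `));` to `), 'strlen'));`. Note that only values written through this setter are normalized, so entries saved before this change with a trailing slash stay as they are until re-saved, unless `getAllowedOrigins` applies the same `rtrim` on read. If `$value` can be `null` despite the `@param string` docblock, `explode(PHP_EOL, $value)` emits a deprecation on PHP 8.1+, so `(string) $value` is a cheap guard.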