From 46685f45aa78410d592e30c0c8fbb30bc87a1901 Mon Sep 17 00:00:00 2001 From: jo Date: Thu, 7 Oct 2021 19:04:01 +0200 Subject: [PATCH 1/3] Sanitize CORS value before insert --- airtime_mvc/application/models/Preference.php | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/airtime_mvc/application/models/Preference.php b/airtime_mvc/application/models/Preference.php index c2f9fe4b3..0d164e7c8 100644 --- a/airtime_mvc/application/models/Preference.php +++ b/airtime_mvc/application/models/Preference.php @@ -1556,7 +1556,16 @@ class Application_Model_Preference * @param string $value * @return void */ - public static function SetAllowedCorsUrls($value) { + public static function SetAllowedCorsUrls($value) + { + // Trim and strip trailing slash for each entry + $value = implode(PHP_EOL, array_map( + function ($v) { + return rtrim(trim($v), '/'); + }, + explode(PHP_EOL, $value) + )); + self::setValue('allowed_cors_urls', $value); } From e4551bb321a79c83ebca00d1ba587506349a6d91 Mon Sep 17 00:00:00 2001 From: jo Date: Thu, 7 Oct 2021 19:05:56 +0200 Subject: [PATCH 2/3] Better cors error logging --- airtime_mvc/application/common/CORSHelper.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/airtime_mvc/application/common/CORSHelper.php b/airtime_mvc/application/common/CORSHelper.php index 04c9d8c38..af5ab1635 100644 --- a/airtime_mvc/application/common/CORSHelper.php +++ b/airtime_mvc/application/common/CORSHelper.php 
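Review bot: Blank lines in the submitted value survive the new sanitizer in SetAllowedCorsUrls, because array_map keeps the empty strings that explode() yields, so the stored list can contain empty entries; drop them before the implode, and prefer `preg_split('/\R/', $value)` over `explode(PHP_EOL, $value)` since browsers submit CRLF while PHP_EOL is platform dependent (today only trim() hides the stray `\r`). Nothing checks that an entry is a bare origin (scheme://host[:port]); an entry carrying a path or a typo can never equal an Origin header and so fails silently at request time, so validating each entry here, e.g. with `filter_var($v, FILTER_VALIDATE_URL)` or parse_url, and rejecting the rest would surface misconfiguration at save time rather than as a 403 later. The rewrite below keeps the method's interface and only normalises line endings and filters empties; the validation is left as a follow-up.
```php
    public static function SetAllowedCorsUrls($value)
    {
        // Normalise line endings, trim and strip the trailing slash of each entry, drop blank lines
        $entries = array_map(
            static function ($v) {
                return rtrim(trim($v), '/');
            },
            preg_split('/\R/', (string) $value)
        );
        $value = implode(PHP_EOL, array_values(array_filter(
            $entries,
            static function ($v) {
                return $v !== '';
            }
        )));
        // … unchanged: self::setValue('allowed_cors_urls', $value); …
```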
@@ -7,11 +7,13 @@ class CORSHelper { //Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well. $origin = $request->getHeader('Origin'); + $allowedOrigins = self::getAllowedOrigins($request); if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") && - (!in_array($origin, self::getAllowedOrigins($request)))) - { + (!in_array($origin, $allowedOrigins)) + ) { //Don't allow CORS from other domains to prevent XSS. + Logging::error("request origin '{$origin}' is not in allowed '" . implode(', ', $allowedOrigins) . "'!"); throw new Zend_Controller_Action_Exception('Forbidden', 403); } //Allow AJAX requests from configured websites. We use this to allow other pages to use LibreTimes API. From 4123f9f755f00029d882cf004eed3a71356d173a Mon Sep 17 00:00:00 2001 From: jo Date: Thu, 7 Oct 2021 19:16:37 +0200 Subject: [PATCH 3/3] Add current url in CORS urls during install --- airtime_mvc/build/airtime-setup/forms/general-settings.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/airtime_mvc/build/airtime-setup/forms/general-settings.php b/airtime_mvc/build/airtime-setup/forms/general-settings.php index 50426a543..72439396e 100644 --- a/airtime_mvc/build/airtime-setup/forms/general-settings.php +++ b/airtime_mvc/build/airtime-setup/forms/general-settings.php @@ -42,6 +42,9 @@
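Review bot: The new Logging::error call writes the raw Origin header into the log, so any unauthenticated client can produce error-level log lines containing text of its choosing; lower the severity (a warning-level call, if Logging offers one) and log the header in escaped form, e.g. `Logging::error("request origin " . json_encode($origin) . " is not in allowed list: " . implode(', ', $allowedOrigins));`. While this condition is being restructured, the localhost test on the preceding context line is unanchored, so any origin whose string merely contains `://localhost` satisfies it; `preg_match('/^https?:\/\/localhost(:\d+)?$/', $origin) === 1` pins it to the local host with an optional port, and `in_array($origin, $allowedOrigins, true)` avoids the loose comparison. The enclosing method's signature and the rest of its body lie outside the hunk, so the allow-list handling after the exception is not reviewed here.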