Merge pull request #1382 from jooola/fix/cors_insert

Fix CORS setup

airtime_mvc/application/common/CORSHelper.php

@@ -7,11 +7,13 @@ class CORSHelper
     {
         //Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
         $origin = $request->getHeader('Origin');
+        $allowedOrigins = self::getAllowedOrigins($request);
 
         if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") &&
-            (!in_array($origin, self::getAllowedOrigins($request))))
+            (!in_array($origin, $allowedOrigins))
-        {
+        ) {
             //Don't allow CORS from other domains to prevent XSS.
+            Logging::error("request origin '{$origin}' is not in allowed '" . implode(', ', $allowedOrigins) . "'!");
             throw new Zend_Controller_Action_Exception('Forbidden', 403);
         }
         //Allow AJAX requests from configured websites. We use this to allow other pages to use LibreTimes API.

airtime_mvc/application/models/Preference.php

@@ -1556,7 +1556,16 @@ class Application_Model_Preference
      * @param string $value
      * @return void
      */
-    public static function SetAllowedCorsUrls($value) {
+    public static function SetAllowedCorsUrls($value)
+    {
+        // Trim and strip trailing slash for each entry
+        $value = implode(PHP_EOL, array_map(
+            function ($v) {
+                return rtrim(trim($v), '/');
+            },
+            explode(PHP_EOL, $value)
+        ));
+
         self::setValue('allowed_cors_urls', $value);
     }
 

airtime_mvc/build/airtime-setup/forms/general-settings.php

@@ -42,6 +42,9 @@
 </form>
 
 <script>
+    $("#corsUrl").text(function() {
+        return window.location.origin;
+    });
     $("#corsSlideToggle").click(function() {
         $("#corsFormBody").slideToggle(500);
         $("#corsCaret").toggleClass("caret-up");