feat: move allowed cors url to configuration file

- don't set cors origins form field as readonly and add deprecation notice.
2022-05-23 17:12:40 +02:00 · 2022-05-23 17:12:40 +02:00 · eb8e7b3415
commit eb8e7b3415
parent 510e978952
5 changed files with 63 additions and 26 deletions
--- a/legacy/application/common/CORSHelper.php
+++ b/legacy/application/common/CORSHelper.php
@ -1,5 +1,8 @@
 <?php

+use League\Uri\Contracts\UriException;
+use League\Uri\Uri;
+
 class CORSHelper
 {
    public static function enableCrossOriginRequests(&$request, &$response)
@ -8,9 +11,7 @@ class CORSHelper
        $origin = $request->getHeader('Origin');
        $allowedOrigins = self::getAllowedOrigins($request);

-        if ((!(preg_match('/https?:\/\/localhost/', $origin) === 1)) && ($origin != '')
-            && (!in_array($origin, $allowedOrigins))
-        ) {
+        if (!($origin == '' || preg_match('/https?:\/\/localhost/', $origin) === 1 || in_array($origin, $allowedOrigins))) {
            // Don't allow CORS from other domains to prevent XSS.
            Logging::error("request origin '{$origin}' is not in allowed '" . implode(', ', $allowedOrigins) . "'!");

@ -29,32 +30,56 @@ class CORSHelper
     */
    public static function getAllowedOrigins($request)
    {
-        $allowedCorsUrls = array_map(
-            function ($v) { return trim($v); },
-            explode(PHP_EOL, Application_Model_Preference::GetAllowedCorsUrls())
-        );
+        $config = Config::getConfig();

-        // always allow the configured server in (as reported by the server and not what is i baseUrl)
+        return array_merge(
+            $config['allowedCorsOrigins'],
+            self::getDatabaseAllowedOrigins(),
+            self::getServerAllowedOrigins($request),
+        );
+    }
+
+    /**
+     * Get configured server origins.
+     *
+     * @param Request $request request object
+     *
+     * @return array
+     */
+    private static function getServerAllowedOrigins($request)
+    {
        $scheme = $request->getServer('REQUEST_SCHEME');
        $host = $request->getServer('SERVER_NAME');
-        $port = $request->getServer('SERVER_PORT');
+        $port = intval($request->getServer('SERVER_PORT'));

-        $portString = '';
-        if (
-            $scheme == 'https' && $port != 443
-            || $scheme == 'http' && $port != 80
-        ) {
-            $portString = sprintf(':%s', $port);
+        try {
+            return [
+                strval(Uri::createFromComponents([
+                    'scheme' => $scheme,
+                    'host' => $host,
+                    'port' => $port,
+                ])),
+            ];
+        } catch (UriException|TypeError $e) {
+            Logging::warn("could not parse server origin : {$e}");
+
+            return [];
        }
-        $requestedUrl = sprintf(
-            '%s://%s%s',
-            $scheme,
-            $host,
-            $portString
-        );
+    }

-        return array_merge($allowedCorsUrls, [
-            $requestedUrl,
-        ]);
+    /**
+     * Get database allowed origins.
+     *
+     * @return array
+     */
+    private static function getDatabaseAllowedOrigins()
+    {
+        return array_map(
+            'trim',
+            explode(
+                PHP_EOL,
+                Application_Model_Preference::GetAllowedCorsUrls(),
+            )
+        );
    }
 }
--- a/legacy/application/configs/conf.php
+++ b/legacy/application/configs/conf.php
@ -44,6 +44,10 @@ class Config
        $CC_CONFIG['basePort'] = $port;
        $CC_CONFIG['baseDir'] = $path;

+        // Allowed hosts
+        $CC_CONFIG['allowedCorsOrigins'] = $values['general']['allowed_cors_origins'] ?? [];
+        $CC_CONFIG['allowedCorsOrigins'][] = strval($public_url->withPath(''));
+
        $CC_CONFIG['dev_env'] = $values['general']['dev_env'] ?? 'production';
        $CC_CONFIG['auth'] = $values['general']['auth'] ?? 'local';
        $CC_CONFIG['cache_ahead_hours'] = $values['general']['cache_ahead_hours'] ?? 1;
--- a/legacy/application/forms/GeneralPreferences.php
+++ b/legacy/application/forms/GeneralPreferences.php
@ -170,8 +170,8 @@ class Application_Form_GeneralPreferences extends Zend_Form_SubForm

        $allowedCorsUrlsValue = Application_Model_Preference::GetAllowedCorsUrls();
        $allowedCorsUrls = new Zend_Form_Element_Textarea('allowedCorsUrls');
-        $allowedCorsUrls->setLabel(_('Allowed CORS URLs'));
-        $allowedCorsUrls->setDescription(_('Remote URLs that are allowed to access this LibreTime instance in a browser. One URL per line.'));
+        $allowedCorsUrls->setLabel(_('Allowed CORS URLs (DEPRECATED)'));
+        $allowedCorsUrls->setDescription(_('Remote URLs that are allowed to access this LibreTime instance in a browser. One URL per line. (DEPRECATED: Allowed CORS origins configuration moved to the configuration file.)'));
        $allowedCorsUrls->setValue($allowedCorsUrlsValue);
        $this->addElement($allowedCorsUrls);