[Web] cors - add check if origin is valid
This commit is contained in:
parent
192f67cd41
commit
6b82284a41
@ -2146,11 +2146,21 @@ function cors($action, $data = null) {
|
||||
}
|
||||
|
||||
$allowed_origins = isset($data['allowed_origins']) ? $data['allowed_origins'] : array($_SERVER['SERVER_NAME']);
|
||||
$allowed_origins = !is_array($allowed_origins) ? array_map('trim', preg_split( "/( |,|;|\n)/", $allowed_origins)) : $allowed_origins;
|
||||
$allowed_origins = !is_array($allowed_origins) ? array_filter(array_map('trim', explode("\n", $allowed_origins))) : $allowed_origins;
|
||||
foreach ($allowed_origins as $origin) {
|
||||
if (!filter_var($origin, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) && $origin != '*') {
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'danger',
|
||||
'log' => array(__FUNCTION__, $action, $data),
|
||||
'msg' => 'cors_invalid_origin'
|
||||
);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
$allowed_methods = isset($data['allowed_methods']) ? $data['allowed_methods'] : array('GET', 'POST', 'PUT', 'DELETE');
|
||||
$allowed_methods = !is_array($allowed_methods) ? array_map('trim', preg_split( "/( |,|;|\n)/", $allowed_methods)) : $allowed_methods;
|
||||
$available_methods = array('GET', 'POST', 'PUT', 'DELETE', 'OPTION');
|
||||
$available_methods = array('GET', 'POST', 'PUT', 'DELETE');
|
||||
foreach ($allowed_methods as $method) {
|
||||
if (!in_array($method, $available_methods)) {
|
||||
$_SESSION['return'][] = array(
|
||||
|
@ -359,6 +359,8 @@
|
||||
"bcc_exists": "Ein BCC-Map-Eintrag %s existiert bereits als Typ %s",
|
||||
"bcc_must_be_email": "BCC-Ziel %s ist keine gültige E-Mail-Adresse",
|
||||
"comment_too_long": "Kommentarfeld darf maximal 160 Zeichen enthalten",
|
||||
"cors_invalid_method": "Allow-Methods enthält eine ungültige Methode",
|
||||
"cors_invalid_origin": "Allow-Origins enthält eine ungültige Origin",
|
||||
"defquota_empty": "Standard-Quota darf nicht 0 sein",
|
||||
"demo_mode_enabled": "Demo Mode ist aktiviert",
|
||||
"description_invalid": "Ressourcenbeschreibung für %s ist ungültig",
|
||||
@ -997,7 +999,7 @@
|
||||
"bcc_deleted": "BCC-Map-Einträge gelöscht: %s",
|
||||
"bcc_edited": "BCC-Map-Eintrag %s wurde geändert",
|
||||
"bcc_saved": "BCC- Map-Eintrag wurde gespeichert",
|
||||
"cors_headers_edited": "CORS headers wurden erfolgreich gespeichert",
|
||||
"cors_headers_edited": "CORS Einstellungen wurden erfolgreich gespeichert",
|
||||
"db_init_complete": "Datenbankinitialisierung abgeschlossen",
|
||||
"delete_filter": "Filter-ID %s wurde gelöscht",
|
||||
"delete_filters": "Filter gelöscht: %s",
|
||||
|
@ -362,6 +362,7 @@
|
||||
"bcc_must_be_email": "BCC destination %s is not a valid email address",
|
||||
"comment_too_long": "Comment too long, max 160 chars allowed",
|
||||
"cors_invalid_method": "Invalid Allow-Method specified",
|
||||
"cors_invalid_origin": "Invalid Allow-Origin specified",
|
||||
"defquota_empty": "Default quota per mailbox must not be 0.",
|
||||
"demo_mode_enabled": "Demo Mode is enabled",
|
||||
"description_invalid": "Resource description for %s is invalid",
|
||||
@ -1007,7 +1008,7 @@
|
||||
"bcc_deleted": "BCC map entries deleted: %s",
|
||||
"bcc_edited": "BCC map entry %s edited",
|
||||
"bcc_saved": "BCC map entry saved",
|
||||
"cors_headers_edited": "CORS headers successfully set.",
|
||||
"cors_headers_edited": "CORS settings have been saved",
|
||||
"db_init_complete": "Database initialization completed",
|
||||
"delete_filter": "Deleted filters ID %s",
|
||||
"delete_filters": "Deleted filters: %s",
|
||||
|
Loading…
Reference in New Issue
Block a user