[Web] cors - add check if origin is valid

2024-12-03 08:40:05 +08:00 · 2023-04-26 11:19:50 +02:00 · 2023-04-26 11:19:50 +02:00 · 6b82284a41
commit 6b82284a41
parent 192f67cd41
3 changed files with 17 additions and 4 deletions
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@ -2146,11 +2146,21 @@ function cors($action, $data = null) {
      }    

      $allowed_origins = isset($data['allowed_origins']) ? $data['allowed_origins'] : array($_SERVER['SERVER_NAME']);
-      $allowed_origins = !is_array($allowed_origins) ? array_map('trim', preg_split( "/( |,|;|\n)/", $allowed_origins)) : $allowed_origins;
+      $allowed_origins = !is_array($allowed_origins) ? array_filter(array_map('trim', explode("\n", $allowed_origins))) : $allowed_origins;
+      foreach ($allowed_origins as $origin) {
+        if (!filter_var($origin, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) && $origin != '*') {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $action, $data),
+            'msg' => 'cors_invalid_origin'
+          );
+          return false;
+        }
+      }

      $allowed_methods = isset($data['allowed_methods']) ? $data['allowed_methods'] : array('GET', 'POST', 'PUT', 'DELETE');
      $allowed_methods  = !is_array($allowed_methods) ? array_map('trim', preg_split( "/( |,|;|\n)/", $allowed_methods)) : $allowed_methods;
-      $available_methods = array('GET', 'POST', 'PUT', 'DELETE', 'OPTION');
+      $available_methods = array('GET', 'POST', 'PUT', 'DELETE');
      foreach ($allowed_methods as $method) {
        if (!in_array($method, $available_methods)) {
          $_SESSION['return'][] = array(
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@ -359,6 +359,8 @@
        "bcc_exists": "Ein BCC-Map-Eintrag %s existiert bereits als Typ %s",
        "bcc_must_be_email": "BCC-Ziel %s ist keine gültige E-Mail-Adresse",
        "comment_too_long": "Kommentarfeld darf maximal 160 Zeichen enthalten",
+        "cors_invalid_method": "Allow-Methods enthält eine ungültige Methode",
+        "cors_invalid_origin": "Allow-Origins enthält eine ungültige Origin",
        "defquota_empty": "Standard-Quota darf nicht 0 sein",
        "demo_mode_enabled": "Demo Mode ist aktiviert",
        "description_invalid": "Ressourcenbeschreibung für %s ist ungültig",
@ -997,7 +999,7 @@
        "bcc_deleted": "BCC-Map-Einträge gelöscht: %s",
        "bcc_edited": "BCC-Map-Eintrag %s wurde geändert",
        "bcc_saved": "BCC- Map-Eintrag wurde gespeichert",
-        "cors_headers_edited": "CORS headers wurden erfolgreich gespeichert",
+        "cors_headers_edited": "CORS Einstellungen wurden erfolgreich gespeichert",
        "db_init_complete": "Datenbankinitialisierung abgeschlossen",
        "delete_filter": "Filter-ID %s wurde gelöscht",
        "delete_filters": "Filter gelöscht: %s",
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@ -362,6 +362,7 @@
        "bcc_must_be_email": "BCC destination %s is not a valid email address",
        "comment_too_long": "Comment too long, max 160 chars allowed",
        "cors_invalid_method": "Invalid Allow-Method specified",
+        "cors_invalid_origin": "Invalid Allow-Origin specified",
        "defquota_empty": "Default quota per mailbox must not be 0.",
        "demo_mode_enabled": "Demo Mode is enabled",
        "description_invalid": "Resource description for %s is invalid",
@ -1007,7 +1008,7 @@
        "bcc_deleted": "BCC map entries deleted: %s",
        "bcc_edited": "BCC map entry %s edited",
        "bcc_saved": "BCC map entry saved",
-        "cors_headers_edited": "CORS headers successfully set.",
+        "cors_headers_edited": "CORS settings have been saved",
        "db_init_complete": "Database initialization completed",
        "delete_filter": "Deleted filters ID %s",
        "delete_filters": "Deleted filters: %s",