mirror/mailcow-dockerized
2
0
Fork 0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2024-12-03 08:40:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

[Web] cors - add check if origin is valid

Browse Source
This commit is contained in:
FreddleSpl0it 2023-04-26 11:19:50 +02:00
parent 192f67cd41
commit 6b82284a41
No known key found for this signature in database
GPG Key ID: 00E14E7634F4BEC5
3 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
data/web/inc/functions.inc.php
View File

@ -2146,11 +2146,21 @@ function cors($action, $data = null) {
} }
$allowed_origins = isset($data['allowed_origins']) ? $data['allowed_origins'] : array($_SERVER['SERVER_NAME']); $allowed_origins = isset($data['allowed_origins']) ? $data['allowed_origins'] : array($_SERVER['SERVER_NAME']);
$allowed_origins = !is_array($allowed_origins) ? array_map('trim', preg_split( "/( |,|;|\n)/", $allowed_origins)) : $allowed_origins; $allowed_origins = !is_array($allowed_origins) ? array_filter(array_map('trim', explode("\n", $allowed_origins))) : $allowed_origins;
foreach ($allowed_origins as $origin) {
if (!filter_var($origin, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) && $origin != '*') {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $action, $data),
'msg' => 'cors_invalid_origin'
);
return false;
}
}
$allowed_methods = isset($data['allowed_methods']) ? $data['allowed_methods'] : array('GET', 'POST', 'PUT', 'DELETE'); $allowed_methods = isset($data['allowed_methods']) ? $data['allowed_methods'] : array('GET', 'POST', 'PUT', 'DELETE');
$allowed_methods = !is_array($allowed_methods) ? array_map('trim', preg_split( "/( |,|;|\n)/", $allowed_methods)) : $allowed_methods; $allowed_methods = !is_array($allowed_methods) ? array_map('trim', preg_split( "/( |,|;|\n)/", $allowed_methods)) : $allowed_methods;
$available_methods = array('GET', 'POST', 'PUT', 'DELETE', 'OPTION'); $available_methods = array('GET', 'POST', 'PUT', 'DELETE');
foreach ($allowed_methods as $method) { foreach ($allowed_methods as $method) {
if (!in_array($method, $available_methods)) { if (!in_array($method, $available_methods)) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(

4
data/web/lang/lang.de-de.json
View File

@ -359,6 +359,8 @@
"bcc_exists": "Ein BCC-Map-Eintrag %s existiert bereits als Typ %s", "bcc_exists": "Ein BCC-Map-Eintrag %s existiert bereits als Typ %s",
"bcc_must_be_email": "BCC-Ziel %s ist keine gültige E-Mail-Adresse", "bcc_must_be_email": "BCC-Ziel %s ist keine gültige E-Mail-Adresse",
"comment_too_long": "Kommentarfeld darf maximal 160 Zeichen enthalten", "comment_too_long": "Kommentarfeld darf maximal 160 Zeichen enthalten",
"cors_invalid_method": "Allow-Methods enthält eine ungültige Methode",
"cors_invalid_origin": "Allow-Origins enthält eine ungültige Origin",
"defquota_empty": "Standard-Quota darf nicht 0 sein", "defquota_empty": "Standard-Quota darf nicht 0 sein",
"demo_mode_enabled": "Demo Mode ist aktiviert", "demo_mode_enabled": "Demo Mode ist aktiviert",
"description_invalid": "Ressourcenbeschreibung für %s ist ungültig", "description_invalid": "Ressourcenbeschreibung für %s ist ungültig",
@ -997,7 +999,7 @@
"bcc_deleted": "BCC-Map-Einträge gelöscht: %s", "bcc_deleted": "BCC-Map-Einträge gelöscht: %s",
"bcc_edited": "BCC-Map-Eintrag %s wurde geändert", "bcc_edited": "BCC-Map-Eintrag %s wurde geändert",
"bcc_saved": "BCC- Map-Eintrag wurde gespeichert", "bcc_saved": "BCC- Map-Eintrag wurde gespeichert",
"cors_headers_edited": "CORS headers wurden erfolgreich gespeichert", "cors_headers_edited": "CORS Einstellungen wurden erfolgreich gespeichert",
"db_init_complete": "Datenbankinitialisierung abgeschlossen", "db_init_complete": "Datenbankinitialisierung abgeschlossen",
"delete_filter": "Filter-ID %s wurde gelöscht", "delete_filter": "Filter-ID %s wurde gelöscht",
"delete_filters": "Filter gelöscht: %s", "delete_filters": "Filter gelöscht: %s",

3
data/web/lang/lang.en-gb.json
View File

@ -362,6 +362,7 @@
"bcc_must_be_email": "BCC destination %s is not a valid email address", "bcc_must_be_email": "BCC destination %s is not a valid email address",
"comment_too_long": "Comment too long, max 160 chars allowed", "comment_too_long": "Comment too long, max 160 chars allowed",
"cors_invalid_method": "Invalid Allow-Method specified", "cors_invalid_method": "Invalid Allow-Method specified",
"cors_invalid_origin": "Invalid Allow-Origin specified",
"defquota_empty": "Default quota per mailbox must not be 0.", "defquota_empty": "Default quota per mailbox must not be 0.",
"demo_mode_enabled": "Demo Mode is enabled", "demo_mode_enabled": "Demo Mode is enabled",
"description_invalid": "Resource description for %s is invalid", "description_invalid": "Resource description for %s is invalid",
@ -1007,7 +1008,7 @@
"bcc_deleted": "BCC map entries deleted: %s", "bcc_deleted": "BCC map entries deleted: %s",
"bcc_edited": "BCC map entry %s edited", "bcc_edited": "BCC map entry %s edited",
"bcc_saved": "BCC map entry saved", "bcc_saved": "BCC map entry saved",
"cors_headers_edited": "CORS headers successfully set.", "cors_headers_edited": "CORS settings have been saved",
"db_init_complete": "Database initialization completed", "db_init_complete": "Database initialization completed",
"delete_filter": "Deleted filters ID %s", "delete_filter": "Deleted filters ID %s",
"delete_filters": "Deleted filters: %s", "delete_filters": "Deleted filters: %s",