Commit:    540872824575ecfcdf42511a7784ccbd1d3f4e13
Author:    Sherif Ramadan <[email protected]>         Tue, 10 Dec 2013 16:55:48 
-0500
Parents:   92aa114f859b695b82743feba122a3b27a6925a7
Branches:  master

Link:       
http://git.php.net/?p=web/php.git;a=commitdiff;h=540872824575ecfcdf42511a7784ccbd1d3f4e13

Log:
Fix potential Access-Control-Allow-Origin bug in vote-note.php - Bug #65887

Bugs:
https://bugs.php.net/65887

Changed paths:
  M  manual/vote-note.php


Diff:
diff --git a/manual/vote-note.php b/manual/vote-note.php
index 8aa3acc..c56c57f 100644
--- a/manual/vote-note.php
+++ b/manual/vote-note.php
@@ -19,6 +19,14 @@ $master_url = 
"http://master.php.net/entry/user-notes-vote.php";;
 
 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
   if (isset($_SERVER['HTTP_X_JSON']) && $_SERVER['HTTP_X_JSON'] == 'On' && 
!empty($_REQUEST['id']) && !empty($_REQUEST['page']) && ($N = 
manual_notes_load($_REQUEST['page'])) && array_key_exists($_REQUEST['id'], $N) 
&& !empty($_REQUEST['vote']) && ($_REQUEST['vote'] === 'up' || 
$_REQUEST['vote'] === 'down')) {
+    // Set Access-Control-Allow-Origin response headers here
+    $accessAllowed = 
array('http://php.net','http://www.php.net','https://www.php.net'); // include 
the default php.net hosts
+    if (isset($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST'] !== 'php.net' && 
$_SERVER['HTTP_HOST'] !== 'www.php.net') {
+        // include the current host requested in case we're using a mirror
+        $accessAllowed[] = 'http://' . $_SERVER['HTTP_HOST'];
+    }
+    header('Access-Control-Allow-Origin: ' . implode(',',$accessAllowed));
+    
     $response = array();
     $update = $N[$_REQUEST['id']]['votes']['up'] - 
$N[$_REQUEST['id']]['votes']['down'];
     $hash = substr(md5($_REQUEST['page']), 0, 16);
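Review bot: The `header()` call at the end of the added block sends every allowed origin joined with commas, but `Access-Control-Allow-Origin` carries a single origin (or `*`), so browsers will not match the multi-value form and a cross-origin vote request from a mirror would still be refused. The usual pattern is to compare the request's `Origin` header against `$accessAllowed` and echo back only the matching entry, together with `Vary: Origin` so caches do not serve one origin's response to another. The mirror entry is also built from `$_SERVER['HTTP_HOST']`, which is request-supplied, and always with `http://`; whether the mirrors pin the Host value is not visible here, so a fixed list of mirror origins would be safer. Both enclosing `if` blocks continue past the end of the hunk.

```php
// … unchanged: $accessAllowed list and mirror host entry …
$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
if (in_array($origin, $accessAllowed, true)) {
    // echo back exactly one allowed origin; never a comma-joined list
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Vary: Origin');
}
```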

