diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index bcfe1243f..901b894ec 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2146,11 +2146,21 @@ function cors($action, $data = null) {
 }
 $allowed_origins = isset($data['allowed_origins']) ? $data['allowed_origins'] : array($_SERVER['SERVER_NAME']);
- $allowed_origins = !is_array($allowed_origins) ? array_map('trim', preg_split( "/( |,|;|\n)/", $allowed_origins)) : $allowed_origins;
+ $allowed_origins = !is_array($allowed_origins) ? array_filter(array_map('trim', explode("\n", $allowed_origins))) : $allowed_origins;
+ foreach ($allowed_origins as $origin) {
+ if (!filter_var($origin, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) && $origin != '*') {
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $action, $data),
+ 'msg' => 'cors_invalid_origin'
+ );
+ return false;
+ }
+ }
 $allowed_methods = isset($data['allowed_methods']) ? $data['allowed_methods'] : array('GET', 'POST', 'PUT', 'DELETE');
 $allowed_methods = !is_array($allowed_methods) ? array_map('trim', preg_split( "/( |,|;|\n)/", $allowed_methods)) : $allowed_methods;
- $available_methods = array('GET', 'POST', 'PUT', 'DELETE', 'OPTION');
+ $available_methods = array('GET', 'POST', 'PUT', 'DELETE');
 foreach ($allowed_methods as $method) {
 if (!in_array($method, $available_methods)) {
 $_SESSION['return'][] = array(
diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index d994cd135..b7137a15f 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
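Review bot: The new origin check at `if (!filter_var($origin, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) && $origin != '*')` accepts only a bare hostname, so a value carrying a scheme or port (the form a browser places in the Origin header) is rejected here; whether that is intended depends on how the stored list is later matched against the request, which is outside the hunk and worth confirming. The wildcard escape uses a loose comparison; `$origin !== '*'` is the stricter form, and since `*` switches off origin restriction entirely it may deserve its own log entry rather than passing silently. `array_filter` preserves keys, so dropping blank entries leaves gaps in the index; `array_values(array_filter(array_map('trim', explode("\n", $allowed_origins))))` keeps the result a list if it is JSON-encoded downstream. The enclosing `cors()` function begins and ends outside the hunk.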
@@ -359,6 +359,8 @@
 "bcc_exists": "Ein BCC-Map-Eintrag %s existiert bereits als Typ %s",
 "bcc_must_be_email": "BCC-Ziel %s ist keine gültige E-Mail-Adresse",
 "comment_too_long": "Kommentarfeld darf maximal 160 Zeichen enthalten",
+ "cors_invalid_method": "Allow-Methods enthält eine ungültige Methode",
+ "cors_invalid_origin": "Allow-Origins enthält eine ungültige Origin",
 "defquota_empty": "Standard-Quota darf nicht 0 sein",
 "demo_mode_enabled": "Demo Mode ist aktiviert",
 "description_invalid": "Ressourcenbeschreibung für %s ist ungültig",
@@ -997,7 +999,7 @@
 "bcc_deleted": "BCC-Map-Einträge gelöscht: %s",
 "bcc_edited": "BCC-Map-Eintrag %s wurde geändert",
 "bcc_saved": "BCC- Map-Eintrag wurde gespeichert",
- "cors_headers_edited": "CORS headers wurden erfolgreich gespeichert",
+ "cors_headers_edited": "CORS Einstellungen wurden erfolgreich gespeichert",
 "db_init_complete": "Datenbankinitialisierung abgeschlossen",
 "delete_filter": "Filter-ID %s wurde gelöscht",
 "delete_filters": "Filter gelöscht: %s",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index cc0d8a69c..45c91bb51 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -362,6 +362,7 @@
 "bcc_must_be_email": "BCC destination %s is not a valid email address",
 "comment_too_long": "Comment too long, max 160 chars allowed",
 "cors_invalid_method": "Invalid Allow-Method specified",
+ "cors_invalid_origin": "Invalid Allow-Origin specified",
 "defquota_empty": "Default quota per mailbox must not be 0.",
 "demo_mode_enabled": "Demo Mode is enabled",
 "description_invalid": "Resource description for %s is invalid",
@@ -1007,7 +1008,7 @@
 "bcc_deleted": "BCC map entries deleted: %s",
 "bcc_edited": "BCC map entry %s edited",
 "bcc_saved": "BCC map entry saved",
- "cors_headers_edited": "CORS headers successfully set.",
+ "cors_headers_edited": "CORS settings have been saved",
 "db_init_complete": "Database initialization completed",
 "delete_filter": "Deleted filters ID %s",
 "delete_filters": "Deleted filters: %s",