php/archived-web-php
1
0
Fork 0
mirror of https://github.com/php/web-php.git synced 2026-03-24 07:12:16 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix potential Access-Control-Allow-Origin bug in vote-note.php - Bug #65887

Browse Source
This commit is contained in:
Sherif Ramadan
2013-12-10 16:55:48 -05:00
parent 92aa114f85
commit 5408728245
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
manual/vote-note.php
View File

@@ -19,6 +19,14 @@ $master_url = "http://master.php.net/entry/user-notes-vote.php";
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (isset($_SERVER['HTTP_X_JSON']) && $_SERVER['HTTP_X_JSON'] == 'On' && !empty($_REQUEST['id']) && !empty($_REQUEST['page']) && ($N = manual_notes_load($_REQUEST['page'])) && array_key_exists($_REQUEST['id'], $N) && !empty($_REQUEST['vote']) && ($_REQUEST['vote'] === 'up' || $_REQUEST['vote'] === 'down')) {
// Set Access-Control-Allow-Origin response headers here
$accessAllowed = array('http://php.net','http://www.php.net','https://www.php.net'); // include the default php.net hosts
if (isset($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST'] !== 'php.net' && $_SERVER['HTTP_HOST'] !== 'www.php.net') {
// include the current host requested in case we're using a mirror
$accessAllowed[] = 'http://' . $_SERVER['HTTP_HOST'];
}
header('Access-Control-Allow-Origin: ' . implode(',',$accessAllowed));
$response = array();
$update = $N[$_REQUEST['id']]['votes']['up'] - $N[$_REQUEST['id']]['votes']['down'];
$hash = substr(md5($_REQUEST['page']), 0, 16);