From 540872824575ecfcdf42511a7784ccbd1d3f4e13 Mon Sep 17 00:00:00 2001
From: Sherif Ramadan <googleguy@php.net>
Date: Tue, 10 Dec 2013 16:55:48 -0500
Subject: [PATCH] Fix potential Access-Control-Allow-Origin bug in
 vote-note.php - Bug #65887

---
 manual/vote-note.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/manual/vote-note.php b/manual/vote-note.php
index 8aa3acc72..c56c57feb 100644
--- a/manual/vote-note.php
+++ b/manual/vote-note.php
@@ -19,6 +19,14 @@ $master_url = "http://master.php.net/entry/user-notes-vote.php";
 
 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
   if (isset($_SERVER['HTTP_X_JSON']) && $_SERVER['HTTP_X_JSON'] == 'On' && !empty($_REQUEST['id']) && !empty($_REQUEST['page']) && ($N = manual_notes_load($_REQUEST['page'])) && array_key_exists($_REQUEST['id'], $N) && !empty($_REQUEST['vote']) && ($_REQUEST['vote'] === 'up' || $_REQUEST['vote'] === 'down')) {
+    // Set Access-Control-Allow-Origin response headers here
+    $accessAllowed = array('http://php.net','http://www.php.net','https://www.php.net'); // include the default php.net hosts
+    if (isset($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST'] !== 'php.net' && $_SERVER['HTTP_HOST'] !== 'www.php.net') {
+        // include the current host requested in case we're using a mirror
+        $accessAllowed[] = 'http://' . $_SERVER['HTTP_HOST'];
+    }
+    header('Access-Control-Allow-Origin: ' . implode(',',$accessAllowed));
+    
     $response = array();
     $update = $N[$_REQUEST['id']]['votes']['up'] - $N[$_REQUEST['id']]['votes']['down'];
     $hash = substr(md5($_REQUEST['page']), 0, 16);