From 71df2ba9fe7ab8462b7643e198f6cdc4d6899673 Mon Sep 17 00:00:00 2001
From: Serghei Iakovlev
Date: Wed, 20 Sep 2017 22:29:36 +0300
Subject: [PATCH] Fixed CorsMiddleware::beforeHandleRoute
After the changes made by @thecharge in #1 the CorsMiddleware::beforeHandleRoute is completely broken. This is obvious because the $allowedOrigin variable is undefined now. Note: I've added the 'i' modifier to the regular expression. Refs: https://github.com/redound/phalcon-api/commit/44031455fa299d0f87861a68adb047dcb7728b79#diff-e0f68aa0c2eadb45e6b357a76fa5aa50 / cc: @bblok11
---
 src/PhalconApi/Middleware/CorsMiddleware.php | 32 +++++++++++++-------
 1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/src/PhalconApi/Middleware/CorsMiddleware.php b/src/PhalconApi/Middleware/CorsMiddleware.php
index 9d7fb94..a48da46 100644
--- a/src/PhalconApi/Middleware/CorsMiddleware.php
+++ b/src/PhalconApi/Middleware/CorsMiddleware.php
@@ -131,24 +131,34 @@ public function beforeHandleRoute(Event $event, \PhalconApi\Api $api)
 $origin = $this->request->getHeader('Origin');
 $originDomain = $origin ? parse_url($origin, PHP_URL_HOST) : null;
- if ($originDomain) {
+ if (!$originDomain) {
+ return;
+ }
+
+ $allowed = false;
- $allowed = in_array($allowedOrigin, $this->_allowedOrigins);
+ foreach ($this->_allowedOrigins as $allowedOrigin) {
- if (false === $allowed) {
- // Parse wildcards
- $expression = '/^' . str_replace('\*', '(.+)', preg_quote($allowedOrigin, '/')) . '$/';
- if (preg_match($expression, $originDomain) == 1) {
+ // First try exact domain
+ if ($originDomain == $allowedOrigin) {
- $allowed = true;
- }
+ $allowed = true;
+ break;
 }
+
+ // Parse wildcards
+ $expression = '/^' . str_replace('\*', '(.+)', preg_quote($allowedOrigin, '/')) . '$/i';
+ if (preg_match($expression, $originDomain) == 1) {
- if ($allowed) {
-
- $originValue = $origin;
+ $allowed = true;
+ break;
 }
 }
+
+ if ($allowed) {
+
+ $originValue = $origin;
+ }
 }
 if ($originValue != null) {
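Review bot: The allow-list decision in the new `foreach` is made on the host alone, yet `$originValue = $origin;` then reflects the whole Origin header, so an entry for a host also admits that host over plain `http://` and on any port. If only HTTPS origins are meant to be trusted, the scheme should be checked before the loop, e.g. `if (parse_url($origin, PHP_URL_SCHEME) !== 'https') { return; }`, or the list should hold full origins rather than hosts. The wildcard is expanded to `(.+)`, which crosses label boundaries, so an entry written as `*example.com` would also match `notexample.com`; a comment on the loop such as `// '*' matches one or more characters, dots included; write wildcard entries as '*.example.com'` would make that contract explicit, and the exact comparison would be safer as `===` than `==`. The function body starts and ends outside the hunk, so whether `Vary: Origin` is sent alongside the reflected value, and what the early `return` skips, cannot be confirmed from here.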