From: Alex Z Date: Fri, 21 Aug 2009 00:22:08 +0000 (+0000) Subject: Tweak Access-Control-Allow-Origin stuff per comments on r54127. X-Git-Tag: 1.31.0-rc.0~40169 X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/categories/modifier.php?a=commitdiff_plain;h=b97ce2011532881dd8ce698f54baedfab5e56a3a;p=lhc%2Fweb%2Fwiklou.git Tweak Access-Control-Allow-Origin stuff per comments on r54127. Use a wildcard syntax rather than string/regex options --- diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 2d0947a1c7..312442f28c 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -75,7 +75,7 @@ this. Was used when mwEmbed was going to be an extension. PHP and database version. * $wgSecondaryGoNamespaces allows an arry of namespaces to be checked when the GO button is pressed, in addition to the main namespace. -* (bug 19907) $wgCrossSiteAJAXdomains and $wgCrossSiteAJAXdomainsRegex added +* (bug 19907) $wgCrossSiteAJAXdomains and $wgCrossSiteAJAXdomainExceptions added to control which external domains may access the API via cross-site AJAX. * $wgMaintenanceScripts for extensions to add their scripts to the default list * $wgMemoryLimit has been added, default value '50M' diff --git a/api.php b/api.php index 16657ca9de..6c32baa86f 100644 --- a/api.php +++ b/api.php @@ -64,21 +64,37 @@ if (!$wgEnableAPI) { } // Selectively allow cross-site AJAX -if ( $wgCrossSiteAJAXdomains && isset($_SERVER['HTTP_ORIGIN']) ) { - if ( $wgCrossSiteAJAXdomains == '*' ) { - header( "Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}" ); - header( 'Access-Control-Allow-Credentials: true' ); - } elseif ( $wgCrossSiteAJAXdomainsRegex ) { - foreach ( $wgCrossSiteAJAXdomains as $regex ) { - if ( preg_match( $regex, $_SERVER['HTTP_ORIGIN'] ) ) { - header( "Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}" ); - header( 'Access-Control-Allow-Credentials: true' ); - break; + +/* + * Helper function to convert wildcard string into a regex + * '*' => '.*?' + * '?' => '.' + * @ return string + */ +function convertWildcard( $search ) { + $search = preg_quote( $search, '/' ); + $search = str_replace( + array( '\*', '\?' ), + array( '.*?', '.' ), + $search + ); + return "/$search/"; +} + +if ( $wgCrossSiteAJAXdomains && isset($_SERVER['HTTP_ORIGIN']) ) { + $exceptions = array_map( 'convertWildcard', $wgCrossSiteAJAXdomainExceptions ); + $regexes = array_map( 'convertWildcard', $wgCrossSiteAJAXdomains ); + foreach ( $regexes as $regex ) { + if ( preg_match( $regex, $_SERVER['HTTP_ORIGIN'] ) ) { + foreach ( $exceptions as $exc ) { // Check against exceptions + if ( preg_match( $exc, $_SERVER['HTTP_ORIGIN'] ) ) { + break 2; + } } + header( "Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}" ); + header( 'Access-Control-Allow-Credentials: true' ); + break; } - } elseif ( in_array( $_SERVER['HTTP_ORIGIN'], $wgCrossSiteAJAXdomains ) ) { - header( "Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}" ); - header( 'Access-Control-Allow-Credentials: true' ); } } diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index f468db0f0d..5b5c5f161e 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -4142,20 +4142,29 @@ $wgSecondaryGoNamespaces = null; * Newer browsers support cross-site AJAX when the target resource allows requests * from the origin domain by the Access-Control-Allow-Origin header. * This is currently only used by the API (requests to api.php) - * $wgCrossSiteAJAXdomains can be set as follows: + * $wgCrossSiteAJAXdomains can be set using a wildcard syntax: * - * - the string '*' to allow requests from any domain - * - an array of domains to allow AJAX requests from, e.g. - * array( 'http://en.wikipedia.org', 'http://en.wikibooks.org' ); - * - if $wgCrossSiteAJAXdomainsRegex is true, an array of regexes to be - * matched against the request origin. Anything that matches will be allowed + * '*' matches any number of characters + * '?' matches any 1 character + * + * Example: + $wgCrossSiteAJAXdomains = array( + 'www.mediawiki.org', + '*.wikipedia.org', + '*.wikimedia.org', + '*.wiktionary.org', + ); + * */ $wgCrossSiteAJAXdomains = array(); /** - * Set to true to treat $wgCrossSiteAJAXdomains as regexes instead of strings + * Domains that should not be allowed to make AJAX requests, + * even if they match one of the domains allowed by $wgCrossSiteAJAXdomains + * Uses the same syntax as $wgCrossSiteAJAXdomains */ -$wgCrossSiteAJAXdomainsRegex = false; + +$wgCrossSiteAJAXdomainExceptions = array(); /** * The minimum amount of memory that MediaWiki "needs"; MediaWiki will try to raise PHP's memory limit if it's below this amount.