Comments added, along with tiny fixes

This commit is contained in:
djpbessems 2019-01-28 14:42:49 +01:00
parent 01bb3f33da
commit 47281ed7fc
2 changed files with 3 additions and 1 deletions

View File

@ -20,6 +20,8 @@
// Save authentication token in cookie // Save authentication token in cookie
$httpHost = $_SERVER['HTTP_HOST']; $httpHost = $_SERVER['HTTP_HOST'];
$cookieDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpHost) { $cookieDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpHost) {
// Check if $_SERVER['HTTP_HOST'] matches any of the configured domains (either explicitly or as a subdomain)
// This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks
return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value))); return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value)));
}))[0]; }))[0];
setcookie('JWT', $result['token'], (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain); setcookie('JWT', $result['token'], (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain);

View File

@ -20,7 +20,7 @@
file_put_contents('../requestHeaders.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- ' . (json_encode($proxyHeaders, JSON_FORCE_OBJECT)) . PHP_EOL, FILE_APPEND); file_put_contents('../requestHeaders.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- ' . (json_encode($proxyHeaders, JSON_FORCE_OBJECT)) . PHP_EOL, FILE_APPEND);
} }
if (sizeof($proxyHeaders) == 0) { if (sizeof($proxyHeaders) === 0) {
// Non-proxied request; this is senseless, go fetch! // Non-proxied request; this is senseless, go fetch!
header("HTTP/1.1 403 Forbidden"); header("HTTP/1.1 403 Forbidden");
exit; exit;