Revise Rest::approve_origin().

gallery · Jun 15, 2013 · 53ea5a1 · 53ea5a1
1 parent 770c137
commit 53ea5a1
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/modules/rest/classes/Rest/Rest.php b/modules/rest/classes/Rest/Rest.php
@@ -376,8 +376,10 @@ static function approve_origin($origin) {
       foreach (unserialize(Module::get_var("rest", "approved_domains", array())) as $domain) {
         // Check the end of the sent origin against our list.  So, if "example.com" is approved,
         // then "foo.example.com", "http://example.com", and "https://foo.example.com" are also
-        // approved.
-        if (substr($origin, -strlen($domain)) == $domain) {
+        // approved, but "badexample.com" is not.
+        if ((substr($origin, -strlen($domain)-1) == ".$domain") ||
+            (substr($origin, -strlen($domain)-1) == "/$domain") ||
+            ($origin == $domain)) {
           return $origin;
         }
       }