Added SERVER_NAME var check for CORS and refactor

php/add.php

@@ -1,20 +1,42 @@
 <?php
-if(!isset($_POST['domain'], $_POST['list'], $_POST['token']))
-    die("Missing POST variables");
+function pi_log($message) {
+    error_log($message . "\n", 3, '/var/log/lighttpd/pihole_php.log');
+}
+
+function die_and_log($message) {
+    pi_log($message);
+    die($message);
+}
+
+if(!isset($_POST['domain'], $_POST['list'], $_POST['token'])) {
+    die_and_log("Missing POST variables");
+}
+
+$SERVER_SIDE_IDS = [
+    $_SERVER['SERVER_ADDR'],
+    $_SERVER['SERVER_NAME'],
+    'pi.hole'
+];
 
 // Check CORS
-if($_SERVER['HTTP_ORIGIN'] == "http://pi.hole" || $_SERVER['HTTP_ORIGIN'] == "http://${_SERVER['SERVER_ADDR']}")
-    header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
-else if($_SERVER['HTTP_HOST'] == $_SERVER['SERVER_ADDR'] || $_SERVER['HTTP_HOST'] == "pi.hole")
-    header("Access-Control-Allow-Origin: ${_SERVER['HTTP_HOST']}");
-else
-    die("Failed CORS");
+$CORS_ALLOW_ORIGIN = false;
+if(in_array($_SERVER['HTTP_ORIGIN'], $SERVER_SIDE_IDS)) {
+    $CORS_ALLOW_ORIGIN = $_SERVER['HTTP_ORIGIN'];
+} else if(in_array($_SERVER['HTTP_HOST'], $SERVER_SIDE_IDS)) {
+    $CORS_ALLOW_ORIGIN = $_SERVER['HTTP_HOST'];
+}
+ 
+if (!$CORS_ALLOW_ORIGIN)
+    die_and_log("Failed CORS");
+
+header("Access-Control-Allow-Origin: $CORS_ALLOW_ORIGIN");
 
 session_start();
 
 // Check CSRF token
 if(!hash_equals($_SESSION['token'], $_POST['token']))
-    die("Wrong token");
+    die_and_log("Wrong token");
+
 
 switch($_POST['list']) {
     case "white":        
@@ -24,3 +46,5 @@ switch($_POST['list']) {
         echo exec("sudo pihole -b -q ${_POST['domain']}");
         break;
 }
+
+?>