From cb32c5572acce1d4e1b63d7ba36ca04fb6b2aa04 Mon Sep 17 00:00:00 2001
From: Mcat12
Date: Sun, 3 Jul 2016 16:29:19 -0400
Subject: [PATCH] Fix up CORS

Previously had been checking Origin AND Host header, but we should not check Host header... Removed Host check and only check if Origin header is set, because otherwise CORS doesn't apply (could be a same-origin request).
---
 php/add.php | 21 ++++++++++++---------
 php/sub.php | 19 +++++++++++--------
 2 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/php/add.php b/php/add.php
index d8bfe925..0a072722 100644
--- a/php/add.php
+++ b/php/add.php
@@ -3,21 +3,24 @@
 if(!isset($_POST['domain'], $_POST['list'], $_POST['token']))
 die("Missing POST variables");
 // Check CORS
-if($_SERVER['HTTP_ORIGIN'] == "http://pi.hole" || $_SERVER['HTTP_ORIGIN'] == "http://${_SERVER['SERVER_ADDR']}")
- header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
-else if($_SERVER['HTTP_HOST'] == $_SERVER['SERVER_ADDR'] || $_SERVER['HTTP_HOST'] == "pi.hole")
- header("Access-Control-Allow-Origin: ${_SERVER['HTTP_HOST']}");
-else
- die("Failed CORS");
-
-session_start();
+if(isset($_SERVER['HTTP_ORIGIN'])) {
+ if ($_SERVER['HTTP_ORIGIN'] == "http://pi.hole" ||
+ $_SERVER['HTTP_ORIGIN'] == "http://${_SERVER['SERVER_ADDR']}" ||
+ $_SERVER['HTTP_ORIGIN'] == "http://localhost"
+ )
+ header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
+ else
+ die("Failed CORS");
+}
+// Otherwise probably same origin... out of the scope of CORS
 // Check CSRF token
+session_start();
 if(!hash_equals($_SESSION['token'], $_POST['token']))
 die("Wrong token");
 switch($_POST['list']) {
- case "white":
+ case "white":
 echo exec("sudo pihole -w -q ${_POST['domain']}");
 break;
 case "black":
diff --git a/php/sub.php b/php/sub.php
index cee19723..aa13d4c1 100644
--- a/php/sub.php
+++ b/php/sub.php
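Review bot: The mismatched-Origin branch of the new block, `die("Failed CORS")`, answers with HTTP 200 and a plain-text body, so a browser-side caller cannot distinguish a rejected origin from a successful add; send an explicit status before dying, and test the header against an allowlist with strict equality instead of three loose `==` comparisons. The added comment `// Otherwise probably same origin... out of the scope of CORS` overstates what a missing Origin proves — non-browser clients and some proxies omit it — so I would reword it to `// No Origin header: not a cross-origin browser request; the session token check below is the CSRF defence`. The identical block in php/sub.php (second hunk) needs the same treatment. Unrelated to this change but visible in the trailing context, `echo exec("sudo pihole -w -q ${_POST['domain']}")` hands the POST value to the shell unquoted; wrapping it in `escapeshellarg()` would confine it to a single argument. The script's opening lines and the remainder of the switch lie outside the hunk.
```php
// Check CORS
$allowed_origins = array(
    "http://pi.hole",
    "http://${_SERVER['SERVER_ADDR']}",
    "http://localhost"
);
if (isset($_SERVER['HTTP_ORIGIN'])) {
    if (in_array($_SERVER['HTTP_ORIGIN'], $allowed_origins, true)) {
        header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
    } else {
        http_response_code(403);
        die("Failed CORS");
    }
}
// No Origin header: not a cross-origin browser request; the session token check below is the CSRF defence
// … unchanged: CSRF token check and switch …
```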
@@ -3,16 +3,19 @@
 if(!isset($_POST['domain'], $_POST['list'], $_POST['token']))
 die("Missing POST variables");
 // Check CORS
-if($_SERVER['HTTP_ORIGIN'] == "http://pi.hole" || $_SERVER['HTTP_ORIGIN'] == "http://${_SERVER['SERVER_ADDR']}")
- header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
-else if($_SERVER['HTTP_HOST'] == $_SERVER['SERVER_ADDR'] || $_SERVER['HTTP_HOST'] == "pi.hole")
- header("Access-Control-Allow-Origin: ${_SERVER['HTTP_HOST']}");
-else
- die("Failed CORS");
-
-session_start();
+if(isset($_SERVER['HTTP_ORIGIN'])) {
+ if ($_SERVER['HTTP_ORIGIN'] == "http://pi.hole" ||
+ $_SERVER['HTTP_ORIGIN'] == "http://${_SERVER['SERVER_ADDR']}" ||
+ $_SERVER['HTTP_ORIGIN'] == "http://localhost"
+ )
+ header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
+ else
+ die("Failed CORS");
+}
+// Otherwise probably same origin... out of the scope of CORS
 // Check CSRF token
+session_start();
 if(!hash_equals($_SESSION['token'], $_POST['token']))
 die("Wrong token");