[Mapbender-commits] r10214 - trunk/mapbender/http/php

svn_mapbender at osgeo.org svn_mapbender at osgeo.org
Thu Aug 22 01:39:23 PDT 2019


Author: armin11
Date: 2019-08-22 01:39:23 -0700 (Thu, 22 Aug 2019)
New Revision: 10214

Modified:
   trunk/mapbender/http/php/mod_callMetadata.php
Log:
Fix - only allow userId get parameter for searches from hostname_whitelist (mapbender.conf)

Modified: trunk/mapbender/http/php/mod_callMetadata.php
===================================================================
--- trunk/mapbender/http/php/mod_callMetadata.php	2019-08-21 08:18:56 UTC (rev 10213)
+++ trunk/mapbender/http/php/mod_callMetadata.php	2019-08-22 08:39:23 UTC (rev 10214)
@@ -443,13 +443,18 @@
         $userId = $testMatch;
         $testMatch = NULL;
 	//$e = new mb_exception('php/mod_callMetadata.php: script invoked from HOST: '.$_SERVER['HTTP_HOST']);
-	if ($_SERVER['HTTP_HOST'] == 'localhost' or $_SERVER['HTTP_HOST'] == '127.0.0.1') {
-		$e = new mb_notice('php/mod_callMetadata.php: script invoked locally and userId given from GET parameter: '.$userId);
-	} else {
+
+	//look for whitelist in mapbender.conf
+	$HOSTNAME_WHITELIST_array = explode(",",HOSTNAME_WHITELIST);
+	if (!in_array($_SERVER['HTTP_HOST'],$HOSTNAME_WHITELIST_array)) {
+		$e = new mb_notice("Whitelist: ".HOSTNAME_WHITELIST);
+		$e = new mb_notice("hostName not found in whitelist - userId will not be read from get!!!!!");			
 		$userId = Mapbender::session()->get("mb_user_id");
   		if ($userId == false) {
 	  		$userId = PUBLIC_USER;
   		}
+	} else {
+		$e = new mb_notice('php/mod_callMetadata.php: script invoked locally and userId given from GET parameter: '.$userId);
 	}
 } else { //look for id in session
   $userId = Mapbender::session()->get("mb_user_id");
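Review bot: The whitelist test `in_array($_SERVER['HTTP_HOST'],$HOSTNAME_WHITELIST_array)` keys on the Host request header, which the client supplies, so it does not establish where the request came from, yet it decides whether the `$userId` taken from the GET parameter is trusted over the session value. Unless a front-end proxy not visible in this hunk pins the Host value, gate this on something the requester cannot set, for example by comparing `$_SERVER['REMOTE_ADDR']` against an address allow-list from mapbender.conf. Independently, the lookup should be strict and tolerate spaces in the config value: `$HOSTNAME_WHITELIST_array = array_map('trim', explode(",", HOSTNAME_WHITELIST));` and `in_array($_SERVER['HTTP_HOST'], $HOSTNAME_WHITELIST_array, true)`. The new else branch still logs "script invoked locally", which no longer describes the condition that reaches it. The enclosing if/else starts and ends outside the hunk.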


