Elgato_dark/appwrite
1
0
Fork 0
mirror of https://github.com/appwrite/appwrite synced 2026-05-24 01:18:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch '1.8.x' into feat-audits-upgrade

Browse source
This commit is contained in:
Damodar Lohani 2025-12-15 09:44:52 +05:45 committed by GitHub
commit cec5cd7bdc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 19 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
src/Appwrite/Network/Cors.php
View file

@ -2,6 +2,8 @@
namespace Appwrite\Network;
use Utopia\Validator\Hostname;
/**
* Generate CORS response headers for an incoming request.
*
@ -76,7 +78,8 @@ final class Cors
}
// Match only by host
if (!\in_array($host, $this->allowedHosts, true)) {
$validator = new Hostname($this->allowedHosts);
if (!$validator->isValid($host)) {
return $headers;
}

15
tests/unit/Network/CorsTest.php
View file

@ -36,6 +36,21 @@ final class CorsTest extends TestCase
$this->assertSame('https://foo.com', $result[Cors::HEADER_ALLOW_ORIGIN]);
}
public function testSubdomainWildcardAllowsAnySubdomain(): void
{
$cors = new Cors(
allowedHosts: ['*.example.com'],
allowedMethods: ['GET'],
allowedHeaders: ['X-Test'],
exposedHeaders: [],
allowCredentials: false
);
$result = $cors->headers('https://foo.example.com');
$this->assertSame('https://foo.example.com', $result[Cors::HEADER_ALLOW_ORIGIN]);
}
public function testEmptyOriginReturnsStaticHeadersOnly(): void
{
$cors = new Cors(