Allow regex and url component matching in whitelist 👍

Svish · Svish · commit 5a6ce5d7e6da · 2016-01-15T02:08:18.000+01:00
diff --git a/README.md b/README.md
@@ -15,12 +15,13 @@ Installation
 ---
 
 Since `proxy.php` is completely self-contained, you can just
-1. Copy `proxy.php` into your web application
-2. Edit the $whitelist array
-3. And that's pretty much it
+
+1. Copy `proxy.php` into your web application,
+2. Edit the $whitelist array,
+3. And that's pretty much it...
 
 If using [Composer](http://getcomposer.org), you can also add
-the following dependency to your `composer.json`:
+the [geekality/php-cross-domain-proxy](https://packagist.org/packages/geekality/php-cross-domain-proxy) to your `composer.json` like this:
 
 ``` JSON
 "require":
@@ -29,26 +30,53 @@ the following dependency to your `composer.json`:
 },
 ```
 
-And then add a `proxy.php` like this to your web application:
+And then for example add a `proxy.php` like this to your web application:
 
 ``` PHP
 	<?php
 		require 'vendor/autoload.php';
 
 		CrossOriginProxy::proxy([
-			'www.example.com',
-			'api.example.com',
+			['host' => 'example.com'],
 		]);
 
 ```
 
 Security
 ---
 
-As a simple sanity check the proxy will that the `Referer` header is set and that the hostname is the same as for the proxy. This can be easily spoofed of course, so you should also add entries to the whitelist array.
+The whitelist array can contain any number of these criterias:
+
+- Exact paths  
+    `['http://example.com/api/specific-method']`
+- Array with single regex key  
+    `['regex' => '%^http://example.com/api/%']`
+- Array with any [parse_url](http://php.net/manual/en/function.parse-url.php) components to match  
+    `['host' => 'example.com']`  
+    `['host' => 'example.com', 'scheme' => 'https']`
+
+The requested URL must match at least one of the whitelisted criterias to be accepted, otherwise a 403 will be returned. An empty whitelist will accept any requests.
+
+**An example using all types**
+
+``` PHP
+<?php
+
+require 'vendor/autoload.php';
+
+CrossOriginProxy::proxy([
+	// Exact matching
+	['http://www.yr.no/place/Sweden/Stockholm/Stockholm/forecast.xml'],
 
-If the whitelist array is empty, any requests will be accepted.
+	// URL component matching
+	['host' => 'localhost'],
+	['host' => 'example.com', 'scheme' => 'http'],
 
+	// Regex matching
+	['regex' => '%^http://www.yr.no/place/Norway/%'],
+]);
+
+```
 
 Usage
 ---
diff --git a/proxy.php b/proxy.php
@@ -4,11 +4,11 @@
 if( ! isset($whitelist))
 	$whitelist = [];
 
-if( ! isset($maxredirs))
-	$maxredirs = 10;
+if( ! isset($curl_maxredirs))
+	$curl_maxredirs = 10;
 
-if( ! isset($timeout))
-	$timeout = 60;
+if( ! isset($curl_timeout))
+	$curl_timeout = 30;
 
 
 
@@ -22,19 +22,19 @@
 
 // Check that we have a URL
 if( ! $url)
-	http_response_code(400) and exit('X-Proxy-URL header missing');
+	http_response_code(400) and exit("X-Proxy-URL header missing");
 
 // Check that the URL looks like an absolute URL
 if( ! parse_url($url, PHP_URL_SCHEME))
-	http_response_code(403) and exit('X-Proxy-URL must be an absolute URL');
+	http_response_code(403) and exit("Not an absolute URL: $url");
 
-// Check that target hostname is in whitelist
-if( ! empty($whitelist) && ! in_array(parse_url($url, PHP_URL_HOST), $whitelist))
-	http_response_code(403) and exit('Hostname not in whitelist');
-
-// Check that current and referer hostnames are equal
+// Check referer hostname
 if( ! parse_url(__('Referer', $headers), PHP_URL_HOST) == $_SERVER['HTTP_HOST'])
-	http_response_code(403) and exit('Referer mismatch');
+	http_response_code(403) and exit("Referer mismatch");
+
+// Check whitelist, if not empty
+if( ! empty($whitelist) and ! array_reduce($whitelist, 'whitelist', [$url, false]))
+	http_response_code(403) and exit("Not whitelisted: $url");
 
 
 // Remove ignored headers and prepare the rest for resending
@@ -53,9 +53,9 @@
 			CURLOPT_URL => $url,
 			CURLOPT_HTTPHEADER => $headers,
 			CURLOPT_HEADER => TRUE,
-			CURLOPT_TIMEOUT => $timeout,
+			CURLOPT_TIMEOUT => $curl_timeout,
 			CURLOPT_FOLLOWLOCATION => TRUE,
-			CURLOPT_MAXREDIRS => $maxredirs,
+			CURLOPT_MAXREDIRS => $curl_maxredirs,
 		]);
 
 	// Method specific options
@@ -104,14 +104,36 @@
 array_map('header', explode("\r\n", $header));
 
 // And finally the body
-exit(substr($out, $info['header_size']));
+echo substr($out, $info['header_size']);
 
 
 
 
 
-// Clean, safe array get
+// Helper functions
 function __($key, array $array, $default = null)
 {
 	return array_key_exists($key, $array) ? $array[$key] : $default;
 }
+
+function whitelist($carry, $item)
+{
+	static $url;
+	if(is_array($carry))
+	{
+		$url = parse_url($carry[0]);
+		$url['raw'] = $carry[0];
+		$carry = $carry[1];
+	}
+
+	// Equals the full URL
+	if(isset($item[0]))
+		return $carry or $url['raw'] == $item[0];
+	
+	// Regex matches the full URL
+	if(isset($item['regex']))
+		return $carry or preg_match($item['regex'], $url['raw']);
+
+	// Select components matches same components in the URL
+	return $carry or $item == array_intersect_key($url, $item);
+}
diff --git a/src/CrossOriginProxy.php b/src/CrossOriginProxy.php
@@ -1,9 +1,21 @@
 <?php
 
+/**
+ * Cross origin request proxy for client-side scripts.
+ *
+ * @see https://github.com/Svish/php-cross-domain-proxy
+ */
 class CrossOriginProxy
 {
-	public static function proxy($whitelist = [], $timeout = 30, $maxredirs = 10)
+	/**
+	 * Proxies the incoming request and outputs the response, including headers.
+	 *
+	 * @param whitelist       Array of acceptable request URLs.
+	 * @param curl_timeout    Timeout for the request.
+	 * @param curl_maxredirs  Maximum number of allowed redirects.
+	 */
+	public static function proxy($whitelist = [], $curl_timeout = 30, $curl_maxredirs = 10)
 	{
 		require dirname(__FILE__).DIRECTORY_SEPARATOR.'..'.DIRECTORY_SEPARATOR.'proxy.php';
 	}
-}
+}
