From 7d721ccff09c4740c7331c11a477413f00f14ea9 Mon Sep 17 00:00:00 2001 From: Lee Newson Date: Mon, 16 Nov 2020 13:58:30 +1000 Subject: [PATCH] DOC-717: Improved the postAcceptor.php script to actually work for cross origin requests (#1753) * DOC-717: Improved the postAcceptor.php script to actually work for cross origin requests * Fixed a typo Co-authored-by: Tyler Kelly --- advanced/php-upload-handler.md | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/advanced/php-upload-handler.md b/advanced/php-upload-handler.md index 3bf432733..38b0dc3d3 100644 --- a/advanced/php-upload-handler.md +++ b/advanced/php-upload-handler.md @@ -25,19 +25,25 @@ The following PHP script creates a server-side upload handler suitable for {{sit *********************************************/ $imageFolder = "images/"; + if (isset($_SERVER['HTTP_ORIGIN'])) { + // same-origin requests won't set an origin. If the origin is set, it must be valid. + if (in_array($_SERVER['HTTP_ORIGIN'], $accepted_origins)) { + header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']); + } else { + header("HTTP/1.1 403 Origin Denied"); + return; + } + } + + // Don't attempt to process the upload on an OPTIONS request + if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') { + header("Access-Control-Allow-Methods: POST, OPTIONS"); + return; + } + reset ($_FILES); $temp = current($_FILES); if (is_uploaded_file($temp['tmp_name'])){ - if (isset($_SERVER['HTTP_ORIGIN'])) { - // same-origin requests won't set an origin. If the origin is set, it must be valid. - if (in_array($_SERVER['HTTP_ORIGIN'], $accepted_origins)) { - header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']); - } else { - header("HTTP/1.1 403 Origin Denied"); - return; - } - } - /* If your script needs to receive cookies, set images_upload_credentials : true in the configuration and enable the following two headers. 
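Review bot: The `Access-Control-Allow-Origin` header sent from the new `in_array` branch reflects the request's Origin, but no `Vary: Origin` accompanies it, so a shared cache could serve a response carrying one allowed origin to a different one; adding `header('Vary: Origin');` beside it covers that. The allowlist test would be tighter as `in_array($_SERVER['HTTP_ORIGIN'], $accepted_origins, true)`, since the default comparison is loose. A request with no Origin header skips the block entirely, so this check restricts browsers on other sites rather than authenticating the uploader, and a comment such as `// CORS policy only: authenticate the session before accepting the upload` would make that explicit for people copying the script. The new OPTIONS branch returns only `Access-Control-Allow-Methods`; if the commented-out credential headers further down are enabled, the preflight presumably needs them too, which is worth confirming. The script starts and continues outside the hunk.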
@@ -61,10 +67,14 @@ The following PHP script creates a server-side upload handler suitable for {{sit $filetowrite = $imageFolder . $temp['name']; move_uploaded_file($temp['tmp_name'], $filetowrite); + // Determine the base URL + $protocol = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ? "https://" : "http://"; + $baseurl = $protocol . $_SERVER["HTTP_HOST"] . rtrim(dirname($_SERVER['REQUEST_URI']), "/") . "/"; + // Respond to the successful upload with JSON. // Use a location key to specify the path to the saved image resource. // { location : '/your/uploaded/image/file'} - echo json_encode(array('location' => $filetowrite)); + echo json_encode(array('location' => $baseurl . $filetowrite)); } else { // Notify editor that the upload failed header("HTTP/1.1 500 Server Error");
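Review bot: `$baseurl` is assembled from `$_SERVER["HTTP_HOST"]`, which is taken from the request's Host header, so unless the web server pins the host name the `location` returned to the editor (and then saved into content) can point at a host chosen by the client. A configured value next to `$imageFolder`, for example `$baseUrl = "https://example.com/uploads/"; // constructed sample, set per deployment`, removes that dependency. It also avoids two fragile parts of the derivation: `$_SERVER['HTTPS']` is typically not set behind a TLS-terminating proxy, and `dirname($_SERVER['REQUEST_URI'])` operates on a string that includes the query string. `$temp['name']` is the client-supplied file name; its validation is presumably above the hunk, but when placed in a URL it should still pass through `rawurlencode()`. The enclosing `if` starts outside the hunk.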