  1. <?php
  2.  
  3. /*
  4. * Place here any hosts for which we are to be a proxy -
  5. * e.g. the host on which the J2EE APIs we'll be proxying are running
  6. * */
  7. @require_once('config.php');
  8. $ALLOWED_HOSTS = array();
  9. if(isset($SETTING_ALLOWED_HOSTS))
  10. $ALLOWED_HOSTS = $SETTING_ALLOWED_HOSTS; # Override with setting from config.php
  11.  
  12. /**
  13. * AJAX Cross Domain (PHP) Proxy 0.8
  14. * by Iacovos Constantinou (http://www.iacons.net)
  15. *
  16. * Released under CC-GNU GPL
  17. */
  18.  
  19. /**
  20. * Enables or disables filtering for cross domain requests.
  21. * Recommended value: true
  22. */
  23. define( 'CSAJAX_FILTERS', true );
  24.  
  25. /**
  26. * If set to true, $valid_requests should hold only domains i.e. a.example.com, b.example.com, usethisdomain.com
  27. * If set to false, $valid_requests should hold the whole URL ( without the parameters ) i.e. http://example.com/this/is/long/url/
  28. * Recommended value: false (for security reasons - do not forget that anyone can access your proxy)
  29. */
  30. define( 'CSAJAX_FILTER_DOMAIN', true );
  31.  
  32. /**
  33. * Set debugging to true to receive additional messages - really helpful on development
  34. */
  35. define( 'CSAJAX_DEBUG', true );
  36.  
  37. /**
  38. * A set of valid cross domain requests
  39. */
  40. /*$valid_requests = array(
  41. 'localhost'
  42. );*/
  43. $valid_requests = $ALLOWED_HOSTS;
  44.  
  45. /* * * STOP EDITING HERE UNLESS YOU KNOW WHAT YOU ARE DOING * * */
  46.  
  47. // identify request headers
  48. $request_headers = array( );
  49. $setContentType = true;
  50. $isMultiPart = false;
  51. foreach ( $_SERVER as $key => $value ) {
  52. if(preg_match('/Content.Type/i', $key)){
  53. $setContentType = false;
  54. $content_type = explode(";", $value)[0];
  55. $isMultiPart = preg_match('/multipart/i', $content_type);
  56. $request_headers[] = "Content-Type: ".$content_type;
  57. continue;
  58. }
  59. if ( substr( $key, 0, 5 ) == 'HTTP_' ) {
  60. $headername = str_replace( '_', ' ', substr( $key, 5 ) );
  61. $headername = str_replace( ' ', '-', ucwords( strtolower( $headername ) ) );
  62. if ( !in_array( $headername, array( 'Host', 'X-Proxy-Url' ) ) ) {
  63. $request_headers[] = "$headername: $value";
  64. }
  65. }
  66. }
  67.  
  68. if($setContentType)
  69. $request_headers[] = "Content-Type: application/json";
  70.  
  71. // identify request method, url and params
  72. $request_method = $_SERVER['REQUEST_METHOD'];
  73. if ( 'GET' == $request_method ) {
  74. $request_params = $_GET;
  75. } elseif ( 'POST' == $request_method ) {
  76. $request_params = $_POST;
  77. if ( empty( $request_params ) ) {
  78. $data = file_get_contents( 'php://input' );
  79. if ( !empty( $data ) ) {
  80. $request_params = $data;
  81. }
  82. }
  83. } elseif ( 'PUT' == $request_method || 'DELETE' == $request_method ) {
  84. $request_params = file_get_contents( 'php://input' );
  85. } else {
  86. $request_params = null;
  87. }
  88.  
  89. // Get URL from `csurl` in GET or POST data, before falling back to X-Proxy-URL header.
  90. if ( isset( $_REQUEST['csurl'] ) ) {
  91. $request_url = urldecode( $_REQUEST['csurl'] );
  92. } else if ( isset( $_SERVER['HTTP_X_PROXY_URL'] ) ) {
  93. $request_url = urldecode( $_SERVER['HTTP_X_PROXY_URL'] );
  94. } else {
  95. header( $_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found');
  96. header( 'Status: 404 Not Found' );
  97. $_SERVER['REDIRECT_STATUS'] = 404;
  98. exit;
  99. }
  100.  
  101. $p_request_url = parse_url( $request_url );
  102.  
  103. // csurl may exist in GET request methods
  104. if ( is_array( $request_params ) && array_key_exists('csurl', $request_params ) )
  105. unset( $request_params['csurl'] );
  106.  
  107. // ignore requests for proxy :)
  108. if ( preg_match( '!' . $_SERVER['SCRIPT_NAME'] . '!', $request_url ) || empty( $request_url ) || count( $p_request_url ) == 1 ) {
  109. csajax_debug_message( 'Invalid request - make sure that csurl variable is not empty' );
  110. exit;
  111. }
  112.  
  113. // check against valid requests
  114. if ( CSAJAX_FILTERS ) {
  115. $parsed = $p_request_url;
  116. if ( CSAJAX_FILTER_DOMAIN ) {
  117. if ( !in_array( $parsed['host'], $valid_requests ) ) {
  118. csajax_debug_message( 'Invalid domain - ' . $parsed['host'] . ' is not included in valid request domains' );
  119. exit;
  120. }
  121. } else {
  122. $check_url = isset( $parsed['scheme'] ) ? $parsed['scheme'] . '://' : '';
  123. $check_url .= isset( $parsed['user'] ) ? $parsed['user'] . ($parsed['pass'] ? ':' . $parsed['pass'] : '') . '@' : '';
  124. $check_url .= isset( $parsed['host'] ) ? $parsed['host'] : '';
  125. $check_url .= isset( $parsed['port'] ) ? ':' . $parsed['port'] : '';
  126. $check_url .= isset( $parsed['path'] ) ? $parsed['path'] : '';
  127. if ( !in_array( $check_url, $valid_requests ) ) {
  128. csajax_debug_message( 'Invalid domain - ' . $request_url . ' is not included in valid request domain' );
  129. exit;
  130. }
  131. }
  132. }
  133.  
  134. // append query string for GET requests
  135. if ( $request_method == 'GET' && count( $request_params ) > 0 && (!array_key_exists( 'query', $p_request_url ) || empty( $p_request_url['query'] ) ) ) {
  136. $request_url .= '?' . http_build_query( $request_params );
  137. }
  138.  
  139.  
  140. // let the request begin
  141. $ch = curl_init( $request_url );
  142. curl_setopt( $ch, CURLOPT_HTTPHEADER, $request_headers ); // (re-)send headers
  143. curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true ); // return response
  144. curl_setopt( $ch, CURLOPT_HEADER, true ); // enabled response headers
  145. // add data for POST, PUT or DELETE requests
  146. if ( 'POST' == $request_method ) {
  147. $post_data = is_array( $request_params ) ? http_build_query( $request_params ) : $request_params;
  148.  
  149. $has_files = false;
  150. $file_params = array();
  151.  
  152. foreach ($_FILES as $f => $file) {
  153. if($file['size']){
  154. $file_params[$f] = '@'. $file['tmp_name'] .";type=". $file['type'];
  155. $has_files = true;
  156. }
  157. }
  158.  
  159. if($isMultiPart || $has_files){
  160. foreach(explode("&",$post_data) as $i => $param) {
  161. $params = explode("=", $param);
  162. $xvarname = $params[0];
  163. if (!empty($xvarname))
  164. $file_params[$xvarname] = $params[1];
  165. }
  166. }
  167.  
  168. curl_setopt( $ch, CURLOPT_POST, true );
  169. curl_setopt( $ch, CURLOPT_POSTFIELDS, $isMultiPart || $has_files ? $file_params : $post_data );
  170. } elseif ( 'PUT' == $request_method || 'DELETE' == $request_method ) {
  171. curl_setopt( $ch, CURLOPT_CUSTOMREQUEST, $request_method );
  172. curl_setopt( $ch, CURLOPT_POSTFIELDS, $request_params );
  173. }
  174.  
  175. // retrieve response (headers and content)
  176. $response = curl_exec( $ch );
  177. curl_close( $ch );
  178.  
  179. // split response to header and content
  180. list($response_headers, $response_content) = preg_split( '/(\r\n){2}/', $response, 2 );
  181.  
  182. // (re-)send the headers
  183. $response_headers = preg_split( '/(\r\n){1}/', $response_headers );
  184. foreach ( $response_headers as $key => $response_header ) {
  185. // Rewrite the `Location` header, so clients will also use the proxy for redirects.
  186. if ( preg_match( '/^Location:/', $response_header ) ) {
  187. list($header, $value) = preg_split( '/: /', $response_header, 2 );
  188. $response_header = 'Location: ' . $_SERVER['REQUEST_URI'] . '?csurl=' . $value;
  189. }
  190. if ( !preg_match( '/^(Transfer-Encoding):/', $response_header ) ) {
  191. header( $response_header, false );
  192. }
  193. }
  194.  
  195. // finally, output the content
  196. print( $response_content );
  197.  
  198. function csajax_debug_message( $message )
  199. {
  200. if ( true == CSAJAX_DEBUG ) {
  201. print $message . PHP_EOL;
  202. }
  203. }