A source like "sub2.sub1.example.com" gets stripped to "sub1.example.com", which is then compared to embedfilter_get_whitelist().

I'm not sure what the most efficient way to handle it would be... perhaps something like this?

$parts['host'] = implode('.', array_slice(explode('.', $parts['host']), -2, 2));

Comments

karens’s picture

Status: Active » Closed (works as designed)

This is by design. The original code required that you put in each domain that you wanted to allow, and you had to enter every possible variation on that domain. People found that too restrictive, and the code was changed so that you only have to enter the top-level domain in the whitelist. Put the top-level domain in the whitelist.

timtrinidad’s picture

That's what I had - I put example.com in the whitelist. However, the following code does not extract the top-level domain and instead only removes the first subdomain:

elseif ((!in_array(ltrim(strstr($parts['host'],'.'),'.'), embedfilter_get_whitelist())) 
      && (!in_array($parts['host'], embedfilter_get_whitelist()))) {
  ...
}

So with a subdomain like sub2.sub1.example.com, the left part of the AND operator checks sub1.example.com, and the right side checks sub2.sub1.example.com; example.com is never checked against the whitelist.
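
Added example, not part of the thread or the module's code: it compares the check quoted above with a walk over every parent domain of the host, and with the last-two-labels reduction proposed in the original report (which turns sub.example.co.uk into co.uk). The function names other than the PHP built-ins, and the sample whitelist and hosts, are assumptions made for illustration.

```php
<?php
// Hypothetical helpers for illustration; not the embedfilter module's API.

// The check as quoted in the thread: tests the full host and the host with
// exactly one leading label removed, nothing deeper.
function host_allowed_original(string $host, array $whitelist): bool {
  $stripped = ltrim((string) strstr($host, '.'), '.');
  return in_array($stripped, $whitelist, true)
    || in_array($host, $whitelist, true);
}

// Suffix walk: tests the host, then each parent domain, cutting only at dots
// so "badexample.com" can never match a whitelisted "example.com".
function host_allowed_suffix_walk(string $host, array $whitelist): bool {
  $whitelist = array_map('strtolower', $whitelist);
  $labels = explode('.', rtrim(strtolower($host), '.'));
  // Stop at two labels so a bare suffix such as "com" is never tested.
  while (count($labels) >= 2) {
    if (in_array(implode('.', $labels), $whitelist, true)) {
      return true;
    }
    array_shift($labels);
  }
  return false;
}

// The reduction proposed in the report: keep only the last two labels.
function last_two_labels(string $host): string {
  return implode('.', array_slice(explode('.', $host), -2, 2));
}

// Constructed sample data.
$whitelist = ['example.com', 'example.co.uk'];
$hosts = [
  'example.com',
  'sub1.example.com',
  'sub2.sub1.example.com',
  'sub.example.co.uk',
  'badexample.com',
];

foreach ($hosts as $host) {
  printf("%-24s original=%-3s suffix_walk=%-3s last_two=%s\n",
    $host,
    host_allowed_original($host, $whitelist) ? 'yes' : 'no',
    host_allowed_suffix_walk($host, $whitelist) ? 'yes' : 'no',
    last_two_labels($host));
}
```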

timtrinidad’s picture

Status: Closed (works as designed) » Active

reopening