|
|
@@ -1,16 +1,46 @@
|
|
|
<?php
|
|
|
-// proxy.php
|
|
|
+// proxy.php — server-side proxy restricted to the Tasmanian LIST ArcGIS service.
|
|
|
+// Originally used by plan-view.html for planning data lookups; the main app now uses
|
|
|
+// classes/list_lookup.php instead. This file is kept for legacy/diagnostic use only.
|
|
|
|
|
|
-// Allow requests from your domain
|
|
|
header("Access-Control-Allow-Origin: https://modulosdesign.com.au");
|
|
|
header("Content-Type: application/json");
|
|
|
|
|
|
-// Get the target URL from the query parameters
|
|
|
-$url = $_GET['url'];
|
|
|
+$ALLOWED_HOSTS = [
|
|
|
+ 'services.thelist.tas.gov.au',
|
|
|
+ 'thelistsrv.thelist.tas.gov.au',
|
|
|
+];
|
|
|
+
|
|
|
+$url = $_GET['url'] ?? '';
|
|
|
+
|
|
|
+if (!$url) {
|
|
|
+ http_response_code(400);
|
|
|
+ echo json_encode(['error' => 'Missing url parameter']);
|
|
|
+ exit;
|
|
|
+}
|
|
|
+
|
|
|
+$parsed = parse_url($url);
|
|
|
+$host = strtolower($parsed['host'] ?? '');
|
|
|
+
|
|
|
+if (!in_array($host, $ALLOWED_HOSTS, true)) {
|
|
|
+ http_response_code(403);
|
|
|
+ echo json_encode(['error' => 'Host not permitted: ' . htmlspecialchars($host, ENT_QUOTES, 'UTF-8')]);
|
|
|
+ exit;
|
|
|
+}
|
|
|
+
|
|
|
+// Only allow HTTPS to prevent downgrade to plain HTTP
|
|
|
+if (($parsed['scheme'] ?? '') !== 'https') {
|
|
|
+ http_response_code(403);
|
|
|
+ echo json_encode(['error' => 'Only HTTPS URLs are permitted']);
|
|
|
+ exit;
|
|
|
+}
|
|
|
|
|
|
-// Make the request to the external server
|
|
|
$response = file_get_contents($url);
|
|
|
|
|
|
-// Output the response
|
|
|
+if ($response === false) {
|
|
|
+ http_response_code(502);
|
|
|
+ echo json_encode(['error' => 'Upstream request failed']);
|
|
|
+ exit;
|
|
|
+}
|
|
|
+
|
|
|
echo $response;
|
|
|
-?>
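Review bot: The allowlist and HTTPS checks cover only the URL the client supplied; `file_get_contents($url)` on the new side uses PHP's default HTTP stream context, which by default follows Location redirects, so a redirect issued by (or via an open redirect on) an allowed host would be fetched with no host or scheme check, and the request has no timeout either. Disable redirects and bound the request: `$ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 10]]);` then `$response = file_get_contents($url, false, $ctx);`. The host check also ignores `$parsed['port']` and any userinfo, so `https://services.thelist.tas.gov.au:8443/...` still passes; rejecting a non-default port with `isset($parsed['port'])` keeps the proxy pinned to the public service endpoint. Separately, the 403 body reflects the caller's host back, HTML-escaped inside a JSON response — a fixed `'Host not permitted'` message avoids reflecting input at all and the mismatched escaping context.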
|