Fixes #5423: `yii\behaviors\Cors` causes "undefined index" error when its `cors` is configured

framework/CHANGELOG.md

@@ -9,6 +9,7 @@ Yii Framework 2 Change Log
 - Bug #5314: Fixed typo in the implementation of `yii\web\Session::getHasSessionId()` (qiangxue)
 - Bug #5323: Nested dropdown does not work for `yii\bootstrap\DropDown` (aryraditya)
 - Bug #5336: `yii\bootstrap\DropDown` should register bootstrap plugin asset (zelenin)
+- Bug #5423: `yii\behaviors\Cors` causes "undefined index" error when its `cors` is configured (qiangxue) 
 - Bug: Date and time formatting now assumes UTC as the timezone for input dates unless a timezone is explicitly given (cebe)
 - Enh #4040: Added `$viewFile` and `$params` to the `EVENT_BEFORE_RENDER` and `EVENT_AFTER_RENDER` events for `View` (qiangxue) 
 - Enh #4275: Added `removeChildren()` to `yii\rbac\ManagerInterface` and implementations (samdark)

framework/filters/Cors.php

@@ -15,7 +15,7 @@ use yii\web\Response;
 /**
  * Cors filter implements [Cross Origin Resource Sharing](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing).
  * Make sure to read carefully what CORS does and does not. CORS do not secure your API,
- * but allow the developper to grant access to third party code (ajax calls from external domain)
+ * but allow the developer to grant access to third party code (ajax calls from external domain)
  *
  * You may use CORS filter by attaching it as a behavior to a controller or module, like the following,
  *
@@ -90,8 +90,8 @@ class Cors extends ActionFilter
      */
     public function beforeAction($action)
     {
-        $this->request = $this->request ? : Yii::$app->getRequest();
-        $this->response = $this->response ? : Yii::$app->getResponse();
+        $this->request = $this->request ?: Yii::$app->getRequest();
+        $this->response = $this->response ?: Yii::$app->getResponse();
 
         $this->overrideDefaultSettings($action);
 
@@ -129,7 +129,7 @@ class Cors extends ActionFilter
         $requestHeaders = array_keys($this->cors);
         foreach ($requestHeaders as $headerField) {
             $serverField = $this->headerizeToPhp($headerField);
-            $headerData = isset($_SERVER[$serverField])?$_SERVER[$serverField]:null;
+            $headerData = isset($_SERVER[$serverField]) ? $_SERVER[$serverField] : null;
             if ($headerData !== null) {
                 $headers[$headerField] = $headerData;
             }
@@ -148,7 +148,8 @@ class Cors extends ActionFilter
         // handle Origin
         if (isset($requestHeaders['Origin'])) {
             if ((in_array('*', $this->cors['Origin']) === true)
-             || (in_array($requestHeaders['Origin'], $this->cors['Origin']))) {
+                || (in_array($requestHeaders['Origin'], $this->cors['Origin']))
+            ) {
                 $responseHeaders['Access-Control-Allow-Origin'] = $requestHeaders['Origin'];
             }
         }
@@ -160,13 +161,11 @@ class Cors extends ActionFilter
             $responseHeaders['Access-Control-Allow-Methods'] = implode(', ', $this->cors['Access-Control-Request-Method']);
         }
 
-        if ($this->cors['Access-Control-Allow-Credentials'] === true) {
-            $responseHeaders['Access-Control-Allow-Credentials'] = 'true';
-        } elseif ($this->cors['Access-Control-Allow-Credentials'] === false) {
-            $responseHeaders['Access-Control-Allow-Credentials'] = 'false';
+        if (isset($this->cors['Access-Control-Allow-Credentials'])) {
+            $responseHeaders['Access-Control-Allow-Credentials'] = $this->cors['Access-Control-Allow-Credentials'] ? 'true' : 'false';
         }
 
-        if (($_SERVER['REQUEST_METHOD'] === 'OPTIONS') && ($this->cors['Access-Control-Max-Age'] !== null)) {
+        if (isset($this->cors['Access-Control-Max-Age']) && Yii::$app->getRequest()->getIsOptions()) {
             $responseHeaders['Access-Control-Max-Age'] = $this->cors['Access-Control-Max-Age'];
         }
 
@@ -181,8 +180,8 @@ class Cors extends ActionFilter
      */
     protected function prepareAllowHeaders($type, $requestHeaders, &$responseHeaders)
     {
-        $requestHeaderField = 'Access-Control-Request-'.$type;
-        $responseHeaderField = 'Access-Control-Allow-'.$type;
+        $requestHeaderField = 'Access-Control-Request-' . $type;
+        $responseHeaderField = 'Access-Control-Allow-' . $type;
         if (isset($requestHeaders[$requestHeaderField])) {
             if (in_array('*', $this->cors[$requestHeaderField])) {
                 $responseHeaders[$responseHeaderField] = $this->headerize($requestHeaders[$requestHeaderField]);
@@ -226,8 +225,8 @@ class Cors extends ActionFilter
      */
     protected function headerize($string)
     {
-        $headers = preg_split("/[\s,]+/", $string, -1, PREG_SPLIT_NO_EMPTY);
-        $headers = array_map(function($element) {
+        $headers = preg_split("/[\\s,]+/", $string, -1, PREG_SPLIT_NO_EMPTY);
+        $headers = array_map(function ($element) {
             return str_replace(' ', '-', ucwords(strtolower(str_replace(['_', '-'], [' ', ' '], $element))));
         }, $headers);
         return implode(', ', $headers);
@@ -242,6 +241,6 @@ class Cors extends ActionFilter
      */
     protected function headerizeToPhp($string)
     {
-        return 'HTTP_'.strtoupper(str_replace([' ', '-'], ['_', '_'], $string));
+        return 'HTTP_' . strtoupper(str_replace([' ', '-'], ['_', '_'], $string));
     }
 }