Security fix: Only allow PUT requests to Report action.

Starbeamrainbowlabs 2018-03-10 11:02:07 +00:00
parent 76fc1e5363
commit d51e44b132
Signed by: sbrl
GPG Key ID: 1BE5172E637709C2
2 changed files with 7 additions and 0 deletions


@ -5,6 +5,10 @@ namespace Sandpiper;
abstract class AbstractAction
{
public abstract function handle();
public function get_request_method() {
return strtolower($_SERVER["REQUEST_METHOD"]);
}
public function param_exists($key) {
return !empty($_GET[$key]);
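Review bot: get_request_method() returns the verb lowercased, but nothing on the method says so, and a caller that compares against the conventional uppercase spelling will silently never match. Add a docblock above it, e.g. `/** Returns the HTTP request method in lowercase ("get", "put", ...). */`, or drop the strtolower() and return the value as the server supplies it. `$_SERVER["REQUEST_METHOD"]` is also read unguarded; it is presumably unset when the code runs outside a web request, so `$_SERVER["REQUEST_METHOD"] ?? ""` would be safer there. The class body continues outside the hunk.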


@ -20,6 +20,9 @@ class Report extends \Sandpiper\AbstractAction
global $settings;
header("content-type: text/plain");
if($this->get_request_method() !== "PUT")
\send_error(405, "Only PUT requests to this action are allowed.");
if(!$this->param_exists("place_id"))
exit("Error: No place id provided.\n");
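Review bot: The new guard compares against `"PUT"`, but get_request_method() in AbstractAction (the other file in this commit) passes the verb through strtolower(), so `!==` is true for every request, PUT included. If send_error() terminates the script, the Report action now rejects all traffic with 405; if it returns, the brace-less `if` falls through to the place_id check and the restriction is not enforced at all. send_error() is not visible here, so confirm which applies. The comparison should read `if($this->get_request_method() !== "put")`, and a 405 response should also carry an `Allow: PUT` header. The enclosing method starts and ends outside the hunk.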