Security fix: Only allow PUT requests to Report action.
parent
76fc1e5363
commit
d51e44b132
2 changed files with 7 additions and 0 deletions
|
@ -5,6 +5,10 @@ namespace Sandpiper;
|
|||
abstract class AbstractAction
|
||||
{
|
||||
public abstract function handle();
|
||||
|
||||
public function get_request_method() {
|
||||
return strtolower($_SERVER["REQUEST_METHOD"]);
|
||||
}
|
||||
|
||||
public function param_exists($key) {
|
||||
return !empty($_GET[$key]);
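Review bot: get_request_method() silently normalises the method to lower case, and nothing in the added lines tells callers that, which invites comparisons against the conventional upper-case spelling. I would add a docblock above it, for example `/** Returns the HTTP request method in lower case, e.g. "put". */`. The helper also reads `$_SERVER["REQUEST_METHOD"]` without checking that it is set, so if an action is ever run outside a web request it would pass null to strtolower(); a `?? ""` default would keep that quiet. The class body continues past the end of this hunk.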
|
||||
|
|
|
@ -20,6 +20,9 @@ class Report extends \Sandpiper\AbstractAction
|
|||
global $settings;
|
||||
|
||||
header("content-type: text/plain");
|
||||
|
||||
if($this->get_request_method() !== "PUT")
|
||||
\send_error(405, "Only PUT requests to this action are allowed.");
|
||||
|
||||
if(!$this->param_exists("place_id"))
|
||||
exit("Error: No place id provided.\n");
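Review bot: The new guard `if($this->get_request_method() !== "PUT")` can never be false, because get_request_method() in AbstractAction passes the method through strtolower(), so a genuine PUT arrives here as "put". As written every request, valid PUTs included, takes the 405 branch. If send_error() returns instead of exiting (its body is not visible here), the method restriction stops nothing and execution falls through to the place_id check. Compare against the lower-case value, `if($this->get_request_method() !== "put")`, and confirm the rejection path terminates the request, since the braceless `if` guards only the single send_error() call. A request-level test that sends GET, POST and PUT to this action would catch both cases; the enclosing method starts and ends outside the hunk.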
|
||||
|
|