SBRL-Archive/sandpiper
Archived
1
0
Fork 0
Code Issues Pull requests Activity

Security fix: Only allow PUT requests to Report action.

Browse source
This commit is contained in:
Starbeamrainbowlabs 2018-03-10 11:02:07 +00:00
parent 76fc1e5363
commit d51e44b132
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
2 changed files with 7 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
AbstractAction.php
View file

@ -5,6 +5,10 @@ namespace Sandpiper;
abstract class AbstractAction abstract class AbstractAction
{ {
public abstract function handle(); public abstract function handle();
public function get_request_method() {
return strtolower($_SERVER["REQUEST_METHOD"]);
}
public function param_exists($key) { public function param_exists($key) {
return !empty($_GET[$key]); return !empty($_GET[$key]);

3
Actions/Report.php
View file

@ -20,6 +20,9 @@ class Report extends \Sandpiper\AbstractAction
global $settings; global $settings;
header("content-type: text/plain"); header("content-type: text/plain");
if($this->get_request_method() !== "PUT")
\send_error(405, "Only PUT requests to this action are allowed.");
if(!$this->param_exists("place_id")) if(!$this->param_exists("place_id"))
exit("Error: No place id provided.\n"); exit("Error: No place id provided.\n");