Security fix: Only allow PUT requests to Report action.
parent
76fc1e5363
commit
d51e44b132
2 changed files with 7 additions and 0 deletions
|
@ -6,6 +6,10 @@ abstract class AbstractAction
|
|||
{
|
||||
public abstract function handle();
|
||||
|
||||
public function get_request_method() {
|
||||
return strtolower($_SERVER["REQUEST_METHOD"]);
|
||||
}
|
||||
|
||||
public function param_exists($key) {
|
||||
return !empty($_GET[$key]);
|
||||
}
|
||||
|
|
|
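Review bot: get_request_method() returns the method lower-cased, but no comment says so, and HTTP methods are conventionally written in upper case, so a caller can easily compare against the wrong spelling. Add a docblock along the lines of `/** Returns the HTTP request method in lower case, e.g. "put". */`. The method also reads `$_SERVER["REQUEST_METHOD"]` without checking that it is set, which would raise a notice if an action is ever run outside a web request; `strtolower($_SERVER["REQUEST_METHOD"] ?? "")` avoids that. The class body continues outside the hunk.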
@ -21,6 +21,9 @@ class Report extends \Sandpiper\AbstractAction
|
|||
|
||||
header("content-type: text/plain");
|
||||
|
||||
if($this->get_request_method() !== "PUT")
|
||||
\send_error(405, "Only PUT requests to this action are allowed.");
|
||||
|
||||
if(!$this->param_exists("place_id"))
|
||||
exit("Error: No place id provided.\n");
|
||||
if(!$this->param_exists("summary"))
|
||||
|
|
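Review bot: The added guard `if($this->get_request_method() !== "PUT")` can never pass, because get_request_method() as added to AbstractAction in this same commit returns `strtolower($_SERVER["REQUEST_METHOD"])`; a genuine PUT arrives as `"put"` and is answered with 405 like every other method. Compare against the lower-case value instead: `if($this->get_request_method() !== "put")`. The guard also has no braces and no explicit `exit`, so it relies on `\send_error()` ending the request. That function is not visible here; if it returns, the handler carries on to the place_id and summary checks for a method that was meant to be refused. The enclosing method starts and ends outside the hunk.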