From 490df818aac1def999e519354c9b0e976e4243a0 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Tue, 22 Sep 2020 09:34:39 +0300
Subject: [PATCH] router: only allow functions without required parameters as handler methods
---
 backend.php | 9 ++++++++-
 public.php | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/backend.php b/backend.php
index 9e6751af1..4c93f9b6d 100644
--- a/backend.php
+++ b/backend.php
@@ -107,7 +107,14 @@
 if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
 if ($handler->before($method)) {
 if ($method && method_exists($handler, $method)) {
- $handler->$method();
+ $reflection = new ReflectionMethod($handler, $method);
+
+ if ($reflection->getNumberOfRequiredParameters() == 0) {
+ $handler->$method();
+ } else {
+ header("Content-Type: text/json");
+ print error_json(6);
+ }
 } else {
 if (method_exists($handler, "catchall")) {
 $handler->catchall($method);
diff --git a/public.php b/public.php
index e37c44172..36308e25e 100644
--- a/public.php
+++ b/public.php
@@ -32,7 +32,14 @@
 if (implements_interface($handler, "IHandler") && $handler->before($method)) {
 if ($method && method_exists($handler, $method)) {
- $handler->$method();
+ $reflection = new ReflectionMethod($handler, $method);
+
+ if ($reflection->getNumberOfRequiredParameters() == 0) {
+ $handler->$method();
+ } else {
+ header("Content-Type: text/json");
+ print error_json(6);
+ }
 } else if (method_exists($handler, 'index')) {
 $handler->index();
 }
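Review bot: The new guard `if ($reflection->getNumberOfRequiredParameters() == 0)` checks arity only, so every zero-argument method that `method_exists()` finds on the handler stays dispatchable by name, including magic `__*` methods, internal helpers, and non-public methods (which throw an Error when called from this scope). `$method` is assigned outside the hunk and looks request-derived, so I would tighten the condition to `if ($reflection->isPublic() && strpos($method, "_") !== 0 && $reflection->getNumberOfRequiredParameters() == 0) {`, or preferably check `$method` against an explicit per-handler allowlist of endpoint names. The same condition is repeated in the public.php hunk and needs the same change. The enclosing dispatch block starts and ends outside the hunk.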
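Review bot: The rejection branch added in this public.php hunk (and the identical one in backend.php) refuses the call without leaving any record, so repeated probing of handler method names is invisible to whoever operates the instance. I would add a fixed-text warning before the response, `user_error("Refused handler method with required parameters", E_USER_WARNING);`, keeping the raw `$method` value out of the message or sanitising it first so the log line cannot be forged. Separately, `text/json` is not a registered media type; unless existing clients depend on it, `header("Content-Type: application/json");` is the safer value. Since both files now carry the same eight lines, a shared helper would keep the two entry points from drifting apart.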