From 91285e3868fadcfb907cd57a90bb3e5c263c0979 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Mon, 15 Feb 2021 16:34:44 +0300
Subject: [PATCH] router: add additional logging for refused requests; reject requests for methods starting with _
---
 backend.php | 12 ++++++++++++
 classes/pref/feeds.php | 4 ++++
 public.php | 10 +++++++++-
 3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/backend.php b/backend.php
index 030676dcb..e72d97ca4 100644
--- a/backend.php
+++ b/backend.php
@@ -30,6 +30,9 @@ require_once "db.php"; require_once "db-prefs.php"; + $op = (string)clean($op); + $method = (string)clean($method); + startup_gettext(); $script_started = microtime(true);
@@ -92,6 +95,13 @@ if (class_exists($op) || $override) { + if (strpos($method, "_") === 0) { + user_error("Refusing to invoke method $method of handler $op which starts with underscore.", E_USER_WARNING); + header("Content-Type: text/json"); + print error_json(6); + return; + } + if ($override) { $handler = $override; } else {
@@ -110,6 +120,7 @@ if ($reflection->getNumberOfRequiredParameters() == 0) { $handler->$method(); } else { + user_error("Refusing to invoke method $method of handler $op which has required parameters.", E_USER_WARNING); header("Content-Type: text/json"); print error_json(6); }
@@ -126,6 +137,7 @@ return; } } else { + user_error("Refusing to invoke method $method of handler $op with invalid CSRF token.", E_USER_WARNING); header("Content-Type: text/json"); print error_json(6); return;
diff --git a/classes/pref/feeds.php b/classes/pref/feeds.php
index edba71c5c..4c865e9f0 100755
--- a/classes/pref/feeds.php
+++ b/classes/pref/feeds.php
@@ -109,6 +109,10 @@ class Pref_Feeds extends Handler_Protected { return $items; } + function _getfeedtree() { + print "OK"; + } + function getfeedtree() { print json_encode($this->makefeedtree()); }
diff --git a/public.php b/public.php
index 3e4a9e023..dcfc4056e 100644
--- a/public.php
+++ b/public.php
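Review bot: The leading-underscore test at `if (strpos($method, "_") === 0)` is a naming-convention guard, not a visibility check: the reflection-based dispatch in the following hunk still invokes whatever `ReflectionMethod` resolves, which includes protected and private methods, and on PHP 7+ the `$handler->$method()` call on one of those throws an uncaught `Error` instead of producing `error_json(6)`. Extend the existing test to `if ($reflection->isPublic() && $reflection->getNumberOfRequiredParameters() == 0) {` so non-public methods are refused the same way, and the same gap is in the `@@ -26,6 +26,13 @@` hunk of public.php. Because `$op` and `$method` are request-controlled, the new `user_error("Refusing to invoke method $method of handler $op ...")` lines here and in the two later hunks of this file should delimit the value (for example `json_encode($method)`) unless `clean()` is known to strip control characters; otherwise a crafted name can split the log entry. The enclosing dispatch block starts and ends outside the hunk.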
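Review bot: `_getfeedtree()` in Pref_Feeds reads as a manual probe for the new underscore rule rather than production behaviour, yet it ships in the handler class with no visibility keyword and no comment explaining why it exists. If it is meant as a regression check it belongs in a test; if it must stay, say so above it, e.g. `// Probe: the router must refuse this leading-underscore method; remove once covered by a test.`. Pref_Feeds starts and ends outside the hunk.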
@@ -16,7 +16,7 @@ if (!init_plugins()) return; - $method = $_REQUEST["op"]; + $method = (string)clean($_REQUEST["op"]); $override = PluginHost::getInstance()->lookup_handler("public", $method);
@@ -26,6 +26,13 @@ $handler = new Handler_Public($_REQUEST); } + if (strpos($method, "_") === 0) { + user_error("Refusing to invoke method $method which starts with underscore.", E_USER_WARNING); + header("Content-Type: text/json"); + print error_json(6); + return; + } + if (implements_interface($handler, "IHandler") && $handler->before($method)) { if ($method && method_exists($handler, $method)) { $reflection = new ReflectionMethod($handler, $method);
@@ -33,6 +40,7 @@ if ($reflection->getNumberOfRequiredParameters() == 0) { $handler->$method(); } else { + user_error("Refusing to invoke method $method which has required parameters.", E_USER_WARNING); header("Content-Type: text/json"); print error_json(6); }
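Review bot: `$method = (string)clean($_REQUEST["op"]);` still reads `$_REQUEST["op"]` unguarded, so a request without `op` raises an undefined-index notice before the later `if ($method && ...)` check runs, and an array value (`op[]=x`) reaches the `(string)` cast, which presumably yields `"Array"` plus a conversion warning unless `clean()` handles arrays. Supply a default at the read, `$method = (string)clean($_REQUEST["op"] ?? "");`, and consider rejecting non-string values explicitly. The variable carries the `op` parameter under the name `$method`, and the new log text `Refusing to invoke method $method` propagates that naming into the logs; a comment such as `// "op" names the Handler_Public method to dispatch` would reduce the confusion. This file-level code continues outside the hunk.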