router: add additional logging for refused requests; reject requests for methods starting with _

This commit is contained in:
Andrew Dolgov 2021-02-15 16:34:44 +03:00
parent d1c83fad14
commit 91285e3868
3 changed files with 25 additions and 1 deletions


@ -30,6 +30,9 @@
require_once "db.php"; require_once "db.php";
require_once "db-prefs.php"; require_once "db-prefs.php";
$op = (string)clean($op);
$method = (string)clean($method);
startup_gettext(); startup_gettext();
$script_started = microtime(true); $script_started = microtime(true);
@ -92,6 +95,13 @@
if (class_exists($op) || $override) { if (class_exists($op) || $override) {
if (strpos($method, "_") === 0) {
user_error("Refusing to invoke method $method of handler $op which starts with underscore.", E_USER_WARNING);
header("Content-Type: text/json");
print error_json(6);
return;
}
if ($override) { if ($override) {
$handler = $override; $handler = $override;
} else { } else {
@ -110,6 +120,7 @@
if ($reflection->getNumberOfRequiredParameters() == 0) { if ($reflection->getNumberOfRequiredParameters() == 0) {
$handler->$method(); $handler->$method();
} else { } else {
user_error("Refusing to invoke method $method of handler $op which has required parameters.", E_USER_WARNING);
header("Content-Type: text/json"); header("Content-Type: text/json");
print error_json(6); print error_json(6);
} }
@ -126,6 +137,7 @@
return; return;
} }
} else { } else {
user_error("Refusing to invoke method $method of handler $op with invalid CSRF token.", E_USER_WARNING);
header("Content-Type: text/json"); header("Content-Type: text/json");
print error_json(6); print error_json(6);
return; return;
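Review bot: The new user_error() call at L21 interpolates `$method` into the log before the name has been validated against the handler, so if clean() does not strip control characters a request can push arbitrary text and line breaks into the error log; the same applies to the public router's check (L68 in the third file). Logging an escaped form keeps the entry on one line, e.g. `user_error("Refusing to invoke method " . json_encode($method) . " of handler $op which starts with underscore.", E_USER_WARNING);` (the later messages at L33 and L41 come after the method has been resolved, so they are less exposed). Note also that the underscore guard is a naming convention rather than a visibility check: any public method of the handler or its parents that is not underscore-prefixed and takes no required parameters stays reachable, so the comment should say the guard complements method_exists/reflection rather than replacing an allow-list. The enclosing if/else blocks of all four hunks start and end outside the hunks.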


@ -109,6 +109,10 @@ class Pref_Feeds extends Handler_Protected {
return $items; return $items;
} }
function _getfeedtree() {
print "OK";
}
function getfeedtree() { function getfeedtree() {
print json_encode($this->makefeedtree()); print json_encode($this->makefeedtree());
} }
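Review bot: `_getfeedtree()` at L51-L53 reads as a probe for the new underscore guard rather than a feature, and without a comment the next maintainer will either delete it as dead code or wonder why a handler prints "OK". If it is meant to stay as a regression check, give it a one-line comment such as `// Deliberately underscore-prefixed: the router must refuse to dispatch this; kept to verify the guard.`; otherwise it should not ship with the change. The class body continues outside the hunk.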


@ -16,7 +16,7 @@
if (!init_plugins()) return; if (!init_plugins()) return;
$method = $_REQUEST["op"]; $method = (string)clean($_REQUEST["op"]);
$override = PluginHost::getInstance()->lookup_handler("public", $method); $override = PluginHost::getInstance()->lookup_handler("public", $method);
@ -26,6 +26,13 @@
$handler = new Handler_Public($_REQUEST); $handler = new Handler_Public($_REQUEST);
} }
if (strpos($method, "_") === 0) {
user_error("Refusing to invoke method $method which starts with underscore.", E_USER_WARNING);
header("Content-Type: text/json");
print error_json(6);
return;
}
if (implements_interface($handler, "IHandler") && $handler->before($method)) { if (implements_interface($handler, "IHandler") && $handler->before($method)) {
if ($method && method_exists($handler, $method)) { if ($method && method_exists($handler, $method)) {
$reflection = new ReflectionMethod($handler, $method); $reflection = new ReflectionMethod($handler, $method);
@ -33,6 +40,7 @@
if ($reflection->getNumberOfRequiredParameters() == 0) { if ($reflection->getNumberOfRequiredParameters() == 0) {
$handler->$method(); $handler->$method();
} else { } else {
user_error("Refusing to invoke method $method which has required parameters.", E_USER_WARNING);
header("Content-Type: text/json"); header("Content-Type: text/json");
print error_json(6); print error_json(6);
} }
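Review bot: The rewritten line at L62 still reads `$_REQUEST["op"]` without a default, so a request that omits `op` produces an undefined-index notice before the `if ($method && ...)` check at L74 ever runs; `$method = (string)clean($_REQUEST["op"] ?? "");` keeps the new cast and makes the empty case explicit (assuming clean() accepts an empty string, which the later guard suggests). The five-line refuse-and-return block at L67-L72 is now the third copy of the same header/print/return sequence across the two routers, each with a slightly different message; a small shared helper that logs and emits error_json(6) would keep the routers in step when the next check is added. The surrounding blocks of both hunks begin outside the hunks.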