author | Andrew Dolgov <[email protected]> | 2021-02-15 16:34:44 +0300 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2021-02-15 16:34:44 +0300 |
commit | 91285e3868fadcfb907cd57a90bb3e5c263c0979 (patch) | |
tree | 4d18dbf387c3ad865952d2177e9c4436fddc4435 /backend.php | |
parent | d1c83fad14ef4f9c3e90033c4012c43ac16634e5 (diff) |
router: add additional logging for refused requests; reject requests for methods starting with _
Diffstat (limited to 'backend.php')
-rw-r--r-- | backend.php | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/backend.php b/backend.php
index 030676dcb..e72d97ca4 100644
--- a/backend.php
+++ b/backend.php
@@ -30,6 +30,9 @@
 require_once "db.php";
 require_once "db-prefs.php";
+ $op = (string)clean($op);
+ $method = (string)clean($method);
+
 startup_gettext();
 $script_started = microtime(true);
@@ -92,6 +95,13 @@
 if (class_exists($op) || $override) {
+ if (strpos($method, "_") === 0) {
+ user_error("Refusing to invoke method $method of handler $op which starts with underscore.", E_USER_WARNING);
+ header("Content-Type: text/json");
+ print error_json(6);
+ return;
+ }
+
 if ($override) {
 $handler = $override;
 } else {
@@ -110,6 +120,7 @@
 if ($reflection->getNumberOfRequiredParameters() == 0) {
 $handler->$method();
 } else {
+ user_error("Refusing to invoke method $method of handler $op which has required parameters.", E_USER_WARNING);
 header("Content-Type: text/json");
 print error_json(6);
 }
@@ -126,6 +137,7 @@
 return;
 }
 } else {
+ user_error("Refusing to invoke method $method of handler $op with invalid CSRF token.", E_USER_WARNING);
 header("Content-Type: text/json");
 print error_json(6);
 return;
|
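Review bot: The `(string)` cast in `$op = (string)clean($op);` and the matching `$method` line silently turns an array-valued request parameter (`?op[]=x`) into the literal string `"Array"` plus an "Array to string conversion" warning, rather than refusing it — assuming `clean()` passes arrays through, which its definition (not in this diff) would have to confirm. If the purpose is to guarantee that `class_exists()` and the method lookup further down only ever see scalar strings, it is worth saying so, e.g. `// coerce to scalar strings so class_exists()/method lookup never receive arrays from the request`, or better rejecting non-scalars explicitly with `if (!is_scalar($op) || !is_scalar($method)) { print error_json(6); return; }` before the cast. Where `$op` and `$method` are first read from the request is outside this hunk.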
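Review bot: The new `strpos($method, "_") === 0` guard is a denylist: it blocks `__construct`/`__call`-style magic methods and the project's own `_`-prefixed helpers, but any other public method on the handler or on a parent class that is not meant to be routed stays reachable over HTTP, so the check should either be paired with an explicit allowlist of routable methods or at least carry a comment making the contract visible, e.g. `// every public, non-underscore, zero-required-arg method of a handler is web-callable; keep internals underscore-prefixed`. Whether such unrouted public methods exist is not visible from this hunk. The log message also interpolates the request-controlled `$op` and `$method`; unless `clean()` (applied earlier in this file) strips control characters, a newline in `$method` can forge extra log lines, so consider `user_error("Refusing to invoke method " . json_encode($method) . " of handler " . json_encode($op) . " which starts with underscore.", E_USER_WARNING);`. The enclosing `if (class_exists($op) || $override)` block ends outside the hunk.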
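Review bot: With this added `user_error(...)` the refuse-and-respond sequence (log a warning, `header("Content-Type: text/json")`, `print error_json(6)`) now appears verbatim in four places in this file with only the message varying, which is easy to let drift (for example one branch logging and another not). If declaring a small function in this script is acceptable, a helper keeps the four refusals identical and leaves only the `return` at each call site. The surrounding `if`/`else` that this branch belongs to starts outside the hunk.
```php
/* declared once near the top of backend.php */
function refuse_request(string $reason): void {
	user_error($reason, E_USER_WARNING);
	header("Content-Type: text/json");
	print error_json(6);
}
// … unchanged: handler dispatch …
refuse_request("Refusing to invoke method $method of handler $op with invalid CSRF token.");
return;
```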