authorAndrew Dolgov <[email protected]>2021-02-15 16:34:44 +0300
committerAndrew Dolgov <[email protected]>2021-02-15 16:34:44 +0300
commit91285e3868fadcfb907cd57a90bb3e5c263c0979 (patch)
tree4d18dbf387c3ad865952d2177e9c4436fddc4435 /public.php
parentd1c83fad14ef4f9c3e90033c4012c43ac16634e5 (diff)
router: add additional logging for refused requests; reject requests for methods starting with _
Diffstat (limited to 'public.php')
-rw-r--r--public.php10
1 files changed, 9 insertions, 1 deletions
diff --git a/public.php b/public.php
index 3e4a9e023..dcfc4056e 100644
--- a/public.php
+++ b/public.php
@@ -16,7 +16,7 @@
if (!init_plugins()) return;
- $method = $_REQUEST["op"];
+ $method = (string)clean($_REQUEST["op"]);
$override = PluginHost::getInstance()->lookup_handler("public", $method);
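Review bot: `$_REQUEST["op"]` is read on the changed line without checking that the key exists, so a request with no `op` raises an undefined-index notice before the router can answer. If `clean()` passes arrays through (its body is not shown here), an array-valued `op` would also make the `(string)` cast produce the literal `Array` together with a conversion notice. I would default the value, `$method = (string)clean($_REQUEST["op"] ?? "");`, and return the same `error_json(6)` response early when `is_array($_REQUEST["op"] ?? null)` is true.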
@@ -26,6 +26,13 @@
$handler = new Handler_Public($_REQUEST);
}
+ if (strpos($method, "_") === 0) {
+ user_error("Refusing to invoke method $method which starts with underscore.", E_USER_WARNING);
+ header("Content-Type: text/json");
+ print error_json(6);
+ return;
+ }
+
if (implements_interface($handler, "IHandler") && $handler->before($method)) {
if ($method && method_exists($handler, $method)) {
$reflection = new ReflectionMethod($handler, $method);
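Review bot: The warning added at the top of this hunk interpolates `$method`, which is request-supplied, into the log message; unless `clean()` removes control characters (not visible here), line breaks or very long values land verbatim in the error log. The same applies to the `user_error()` call added in the next hunk. Logging a bounded, encoded form keeps each entry on one line: `user_error("Refusing to invoke method " . json_encode(substr($method, 0, 64)) . " which starts with underscore.", E_USER_WARNING);`. The check could also sit directly after `$method` is assigned, so that a refused name never reaches `lookup_handler()` or the handler constructor.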
@@ -33,6 +40,7 @@
if ($reflection->getNumberOfRequiredParameters() == 0) {
$handler->$method();
} else {
+ user_error("Refusing to invoke method $method which has required parameters.", E_USER_WARNING);
header("Content-Type: text/json");
print error_json(6);
}
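Review bot: The only condition guarding `$handler->$method()` in these lines is the required-parameter count, so the router still dispatches to any zero-argument method that `method_exists()` finds, and a request naming a non-public one would end in an uncaught Error instead of the JSON refusal. Unless visibility is checked in lines outside this hunk, I would tighten the condition to `if ($reflection->isPublic() && $reflection->getNumberOfRequiredParameters() === 0) {` so that such names take the logged refusal branch. The enclosing `if` blocks open before this hunk and close after it.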