-rw-r--r--backend.php12
-rwxr-xr-xclasses/pref/feeds.php4
-rw-r--r--public.php10
3 files changed, 25 insertions, 1 deletions
diff --git a/backend.php b/backend.php
index 030676dcb..e72d97ca4 100644
--- a/backend.php
+++ b/backend.php
@@ -30,6 +30,9 @@
require_once "db.php";
require_once "db-prefs.php";
+ $op = (string)clean($op);
+ $method = (string)clean($method);
+
startup_gettext();
$script_started = microtime(true);
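Review bot: `clean()` sanitizes `$op` and `$method` for output but, as far as this hunk shows, does not constrain them to identifier syntax, and both still reach `class_exists($op)` and a dynamic `$handler->$method()` call later in the file. An allowlist is a stronger guard than the underscore denylist added further down and would also reject namespaced or otherwise odd class names: `if (!preg_match('/^[A-Za-z0-9_]+$/', $op) || !preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $method)) { print error_json(6); return; }` placed right after these two casts. Where `$op` and `$method` are first assigned is outside this hunk, and what `clean()` strips is not visible here, so the exact gain depends on its implementation.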
@@ -92,6 +95,13 @@
if (class_exists($op) || $override) {
+ if (strpos($method, "_") === 0) {
+ user_error("Refusing to invoke method $method of handler $op which starts with underscore.", E_USER_WARNING);
+ header("Content-Type: text/json");
+ print error_json(6);
+ return;
+ }
+
if ($override) {
$handler = $override;
} else {
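Review bot: The underscore guard is a denylist by naming convention, so every public zero-argument method whose name lacks the prefix stays callable by name — including any inherited from the base handler class — and the protection depends on developers never forgetting to prefix an internal method. A fail-closed complement would be handlers declaring the methods they expose, or at minimum an `$reflection->isPublic()` check next to the required-parameter test later in this block. Note also that `class_exists($op)` on the line above runs before the guard and, with its default autoload flag, can invoke any registered autoloader for an attacker-chosen class name; moving the `strpos` check ahead of it avoids that. The `if (class_exists($op) || $override)` block continues past the end of this hunk.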
@@ -110,6 +120,7 @@
if ($reflection->getNumberOfRequiredParameters() == 0) {
$handler->$method();
} else {
+ user_error("Refusing to invoke method $method of handler $op which has required parameters.", E_USER_WARNING);
header("Content-Type: text/json");
print error_json(6);
}
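Review bot: Only the arity is tested before `$handler->$method()` on the line above; `method_exists()` also returns true for protected and private methods, so a non-public zero-argument method is dispatched and fails with an engine `Error` instead of taking the `error_json(6)` path. Extending the condition to `if ($reflection->getNumberOfRequiredParameters() == 0 && $reflection->isPublic())` keeps the refusal on the controlled path, and it is independent of the underscore convention. The `if`/`else` chain this hunk sits in begins outside the hunk.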
@@ -126,6 +137,7 @@
return;
}
} else {
+ user_error("Refusing to invoke method $method of handler $op with invalid CSRF token.", E_USER_WARNING);
header("Content-Type: text/json");
print error_json(6);
return;
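Review bot: The added warning interpolates the request-controlled `$method` and `$op` straight into the log message; unless `clean()` strips control characters (its implementation is not visible here), a CR/LF in the request could split the entry and forge a second log line. Encoding the values at the log call, e.g. `user_error("Refusing to invoke method " . json_encode($method) . " of handler " . json_encode($op) . " with invalid CSRF token.", E_USER_WARNING);`, makes the entry unambiguous regardless of what `clean()` does, and the same applies to the other new `user_error` calls in this commit. The `else` branch's matching `if` is outside this hunk.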
diff --git a/classes/pref/feeds.php b/classes/pref/feeds.php
index edba71c5c..4c865e9f0 100755
--- a/classes/pref/feeds.php
+++ b/classes/pref/feeds.php
@@ -109,6 +109,10 @@ class Pref_Feeds extends Handler_Protected {
return $items;
}
+ function _getfeedtree() {
+ print "OK";
+ }
+
function getfeedtree() {
print json_encode($this->makefeedtree());
}
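Review bot: `_getfeedtree()` is a new public method whose whole body is `print "OK";`, which reads as a manual probe for the new underscore guard rather than production code; if that guard is ever bypassed or not applied on some dispatch path, this method is directly invokable by an authenticated user and confirms the bypass. It should be dropped before merge, or if a fixture is wanted, moved into a test and made `private`. The enclosing class `Pref_Feeds` continues outside this hunk.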
diff --git a/public.php b/public.php
index 3e4a9e023..dcfc4056e 100644
--- a/public.php
+++ b/public.php
@@ -16,7 +16,7 @@
if (!init_plugins()) return;
- $method = $_REQUEST["op"];
+ $method = (string)clean($_REQUEST["op"]);
$override = PluginHost::getInstance()->lookup_handler("public", $method);
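Review bot: `$_REQUEST["op"]` is still read without checking that it exists or is a scalar, so a request with no `op` raises an undefined-index notice before `clean()` runs, and `?op[]=x` hands `clean()` an array which `(string)` then turns into the literal `Array` (with a warning) before `lookup_handler()` sees it. A guarded read keeps the later `if ($method && ...)` path deterministic: `$method = isset($_REQUEST["op"]) && is_string($_REQUEST["op"]) ? (string)clean($_REQUEST["op"]) : "";`. Whether `clean()` itself copes with arrays is not visible in this hunk.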
@@ -26,6 +26,13 @@
$handler = new Handler_Public($_REQUEST);
}
+ if (strpos($method, "_") === 0) {
+ user_error("Refusing to invoke method $method which starts with underscore.", E_USER_WARNING);
+ header("Content-Type: text/json");
+ print error_json(6);
+ return;
+ }
+
if (implements_interface($handler, "IHandler") && $handler->before($method)) {
if ($method && method_exists($handler, $method)) {
$reflection = new ReflectionMethod($handler, $method);
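Review bot: The underscore check is duplicated verbatim from backend.php, so the two dispatchers will drift the first time one of them gains an extra rule (an allowlist, an `isPublic()` test); a single static helper on the base handler, e.g. `Handler::is_callable_method($method)`, called from both files would keep the policy in one place. Here it also runs after the plugin override lookup and handler construction but before `$handler->before($method)`, which is the right spot, since `before()` receives the same attacker-chosen name. The `if (implements_interface(...))` block continues past the end of this hunk.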
@@ -33,6 +40,7 @@
if ($reflection->getNumberOfRequiredParameters() == 0) {
$handler->$method();
} else {
+ user_error("Refusing to invoke method $method which has required parameters.", E_USER_WARNING);
header("Content-Type: text/json");
print error_json(6);
}