From 490df818aac1def999e519354c9b0e976e4243a0 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Tue, 22 Sep 2020 09:34:39 +0300
Subject: router: only allow functions without required parameters as handler methods
---
backend.php | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'backend.php')
diff --git a/backend.php b/backend.php
index 9e6751af1..4c93f9b6d 100644
--- a/backend.php
+++ b/backend.php
@@ -107,7 +107,14 @@
 if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
 if ($handler->before($method)) {
 if ($method && method_exists($handler, $method)) {
- $handler->$method();
+ $reflection = new ReflectionMethod($handler, $method);
+
+ if ($reflection->getNumberOfRequiredParameters() == 0) {
+ $handler->$method();
+ } else {
+ header("Content-Type: text/json");
+ print error_json(6);
+ }
 } else {
 if (method_exists($handler, "catchall")) {
 $handler->catchall($method);
--
cgit v1.2.3
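Review bot: The new guard in front of `$handler->$method()` treats the required-parameter count as a proxy for "this is an endpoint", so any handler method whose parameters all have defaults still passes. Visibility is not checked either: `method_exists()` also returns true for private and protected methods, which would then fail with a fatal error rather than the JSON error. If `$method` is request-derived (it is assigned outside this hunk), consider tightening the condition to `if ($reflection->isPublic() && !$reflection->isStatic() && $reflection->getNumberOfRequiredParameters() === 0) {` and, longer term, an explicit per-handler allowlist of callable methods. Logging the refused method name in the `else` branch would also make probing of the router visible to operators. The enclosing `if` chain starts and ends outside the hunk.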