From 91285e3868fadcfb907cd57a90bb3e5c263c0979 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Mon, 15 Feb 2021 16:34:44 +0300
Subject: router: add additional logging for refused requests; reject requests
 for methods starting with _

---
 backend.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'backend.php')

diff --git a/backend.php b/backend.php
index 030676dcb..e72d97ca4 100644
--- a/backend.php
+++ b/backend.php
@@ -30,6 +30,9 @@
 	require_once "db.php";
 	require_once "db-prefs.php";
 
+	$op = (string)clean($op);
+	$method = (string)clean($method);
+
 	startup_gettext();
 
 	$script_started = microtime(true);
@@ -92,6 +95,13 @@
 
 	if (class_exists($op) || $override) {
 
+		if (strpos($method, "_") === 0) {
+			user_error("Refusing to invoke method $method of handler $op which starts with underscore.", E_USER_WARNING);
+			header("Content-Type: text/json");
+			print error_json(6);
+			return;
+		}
+
 		if ($override) {
 			$handler = $override;
 		} else {
@@ -110,6 +120,7 @@
 						if ($reflection->getNumberOfRequiredParameters() == 0) {
 							$handler->$method();
 						} else {
+							user_error("Refusing to invoke method $method of handler $op which has required parameters.", E_USER_WARNING);
 							header("Content-Type: text/json");
 							print error_json(6);
 						}
@@ -126,6 +137,7 @@
 					return;
 				}
 			} else {
+				user_error("Refusing to invoke method $method of handler $op with invalid CSRF token.", E_USER_WARNING);
 				header("Content-Type: text/json");
 				print error_json(6);
 				return;
-- 
cgit v1.2.3