diff --git a/data/web/json_api.php b/data/web/json_api.php
index ea4304af..d59cfe56 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -69,6 +69,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
 // check for valid json
 if ($action != 'get' && $requestDecoded === null) {
+ http_response_code(400);
 echo json_encode(array(
 'type' => 'error',
 'msg' => 'Request body doesn\'t contain valid json!'
@@ -126,6 +127,15 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
 $attr = (array)json_decode($_POST['attr'], true);
 unset($attr['csrf_token']);
 }
+ // only allow POST requests to POST API endpoints
+ if ($_SERVER['REQUEST_METHOD'] != 'POST') {
+ http_response_code(405);
+ echo json_encode(array(
+ 'type' => 'error',
+ 'msg' => 'only POST method is allowed'
+ ));
+ exit();
+ }
 switch ($category) {
 case "time_limited_alias":
 process_add_return(mailbox('add', 'time_limited_alias', $attr));
@@ -196,12 +206,29 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
 case "tls-policy-map":
 process_add_return(tls_policy_maps('add', $attr));
 break;
+ // return no route found if no case is matched
+ default:
+ http_response_code(404);
+ echo json_encode(array(
+ 'type' => 'error',
+ 'msg' => 'route not found'
+ ));
+ exit();
 }
 break;
 case "get":
 function process_get_return($data) {
 echo (!isset($data) || empty($data)) ? '{}' : json_encode($data, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT);
 }
+ // only allow GET requests to GET API endpoints
+ if ($_SERVER['REQUEST_METHOD'] != 'GET') {
+ http_response_code(405);
+ echo json_encode(array(
+ 'type' => 'error',
+ 'msg' => 'only GET method is allowed'
+ ));
+ exit();
 }
 switch ($category) {
 case "rspamd":
 switch ($object) {
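Review bot: The 405 branch added right after `unset($attr['csrf_token']);` sends no `Allow` header, which RFC 9110 §15.5.6 requires on every 405 response; the GET guard in the next hunk and the delete and edit guards in hunks `@@ -1055` and `@@ -1163` have the same omission. The guard also runs only after `$_POST['attr']` has already been decoded and compares the method with loose `!=`; placing `if ($_SERVER['REQUEST_METHOD'] !== 'POST') {` followed by `header('Allow: POST');` before the body is touched means a rejected request drives no parsing at all. Since this block and the 404 `default:` block are pasted ten times in this commit with only the status and message varying, a single helper defined once before `switch ($action)` keeps the error policy auditable in one place; the enclosing `case "add":` starts outside the hunk.
```php
// Send a JSON error body with the given status and stop. $allow names the
// permitted methods for the Allow header, which a 405 response must carry.
function api_error_exit($status, $msg, $allow = null) {
  if ($allow !== null) {
    header('Allow: ' . $allow);
  }
  http_response_code($status);
  echo json_encode(array(
    'type' => 'error',
    'msg' => $msg
  ));
  exit();
}
// … unchanged: $attr decoding and csrf_token removal …
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
  api_error_exit(405, 'only POST method is allowed', 'POST');
}
```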
@@ -561,6 +588,14 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
 }
 echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}';
 break;
+ // return no route found if no case is matched
+ default:
+ http_response_code(404);
+ echo json_encode(array(
+ 'type' => 'error',
+ 'msg' => 'route not found'
+ ));
+ exit();
 }
 break;
 case "mailbox":
@@ -1026,9 +1061,14 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
 break;
 }
 break;
+ // return no route found if no case is matched
 default:
- echo '{}';
- break;
+ http_response_code(404);
+ echo json_encode(array(
+ 'type' => 'error',
+ 'msg' => 'route not found'
+ ));
+ exit();
 }
 break;
 case "delete":
@@ -1055,6 +1095,15 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
 else {
 $items = (array)json_decode($_POST['items'], true);
 }
+ // only allow POST requests to POST API endpoints
+ if ($_SERVER['REQUEST_METHOD'] != 'POST') {
+ http_response_code(405);
+ echo json_encode(array(
+ 'type' => 'error',
+ 'msg' => 'only POST method is allowed'
+ ));
+ exit();
+ }
 switch ($category) {
 case "alias":
 process_delete_return(mailbox('delete', 'alias', array('id' => $items)));
@@ -1135,6 +1184,14 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
 case "rlhash":
 echo ratelimit('delete', null, implode($items));
 break;
+ // return no route found if no case is matched
+ default:
+ http_response_code(404);
+ echo json_encode(array(
+ 'type' => 'error',
+ 'msg' => 'route not found'
+ ));
+ exit();
 }
 break;
 case "edit":
@@ -1163,6 +1220,15 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
 unset($attr['csrf_token']);
 $items = isset($_POST['items']) ? (array)json_decode($_POST['items'], true) : null;
 }
+ // only allow POST requests to POST API endpoints
+ if ($_SERVER['REQUEST_METHOD'] != 'POST') {
+ http_response_code(405);
+ echo json_encode(array(
+ 'type' => 'error',
+ 'msg' => 'only POST method is allowed'
+ ));
+ exit();
+ }
 switch ($category) {
 case "bcc":
 process_edit_return(bcc('edit', array_merge(array('id' => $items), $attr)));
@@ -1271,8 +1337,29 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
 process_edit_return(edit_user_account($attr));
 }
 break;
+ // return no route found if no case is matched
+ default:
+ http_response_code(404);
+ echo json_encode(array(
+ 'type' => 'error',
+ 'msg' => 'route not found'
+ ));
+ exit();
 }
 break;
+ // return no route found if no case is matched
+ default:
+ http_response_code(404);
+ echo json_encode(array(
+ 'type' => 'error',
+ 'msg' => 'route not found'
+ ));
+ exit();
+ }
+ }
+ if ($_SESSION['mailcow_cc_api'] === true) {
+ if (isset($_SESSION['mailcow_cc_api']) && $_SESSION['mailcow_cc_api'] === true) {
+ unset($_SESSION['return']);
 }
 }
 }
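Review bot: The new outer `if ($_SESSION['mailcow_cc_api'] === true) {` at the end of the last hunk reads the key without `isset`, so on PHP 8 any session in which `mailcow_cc_api` was never set (presumably ordinary browser logins) raises an "Undefined array key" warning on every request, and the inner `if (isset($_SESSION['mailcow_cc_api']) && ...)` then repeats the same test one level down. Collapsing the pair to a single `if (isset($_SESSION['mailcow_cc_api']) && $_SESSION['mailcow_cc_api'] === true) {` / `unset($_SESSION['return']);` / `}` removes the warning and the redundant nesting, with one closing brace fewer. Note also that every new 404 and 405 path calls `exit()` before reaching this cleanup, so for API sessions `$_SESSION['return']` presumably survives an error response — worth confirming whether that is intended. The enclosing `if (isset($_SESSION['mailcow_cc_role']) ...)` block starts outside the hunk.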