Gnous/mailcow
2
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

[API] Only allow POST method for edit apis

Browse Source
This commit is contained in:
ntimo 2019-10-03 18:14:27 +02:00
parent 5fa456770f
commit b9c244b746
No known key found for this signature in database
GPG Key ID: 3AF3627FB0440D55
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
data/web/json_api.php
View File

@ -1192,6 +1192,15 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
unset($attr['csrf_token']); unset($attr['csrf_token']);
$items = isset($_POST['items']) ? (array)json_decode($_POST['items'], true) : null; $items = isset($_POST['items']) ? (array)json_decode($_POST['items'], true) : null;
} }
// only allow POST requests to POST API endpoints
if ($_SERVER['REQUEST_METHOD'] != 'POST') {
http_response_code(405);
echo json_encode(array(
'type' => 'error',
'msg' => 'only POST method is allowed'
));
die();
}
switch ($category) { switch ($category) {
case "bcc": case "bcc":
process_edit_return(bcc('edit', array_merge(array('id' => $items), $attr))); process_edit_return(bcc('edit', array_merge(array('id' => $items), $attr)));