From b9c244b746f79b148d919174cc5c6f8d4b857f97 Mon Sep 17 00:00:00 2001
From: ntimo
Date: Thu, 3 Oct 2019 18:14:27 +0200
Subject: [PATCH] [API] Only allow POST method for edit apis
---
 data/web/json_api.php | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 46e65519..88fa3fdb 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -1192,6 +1192,15 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
 unset($attr['csrf_token']);
 $items = isset($_POST['items']) ? (array)json_decode($_POST['items'], true) : null;
 }
+ // only allow POST requests to POST API endpoints
+ if ($_SERVER['REQUEST_METHOD'] != 'POST') {
+ http_response_code(405);
+ echo json_encode(array(
+ 'type' => 'error',
+ 'msg' => 'only POST method is allowed'
+ ));
+ die();
+ }
 switch ($category) {
 case "bcc":
 process_edit_return(bcc('edit', array_merge(array('id' => $items), $attr)));
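Review bot: The method guard is placed after the context lines that already read `$_POST['items']` and unset `$attr['csrf_token']`, so request parsing (and presumably the token check that precedes it outside the hunk) still runs for non-POST requests; moving the guard to the top of the edit branch, before any `$_POST` access, makes the restriction cover the whole path rather than only the `switch`. The comparison should also be strict and tolerant of a missing key, `if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {`, since `!=` is the loose operator and `REQUEST_METHOD` is unset outside a web SAPI. No Content-Type header is visible in this hunk; if one is not already sent earlier in the file, add `header('Content-Type: application/json');` before the `echo` so the 405 body is parsed as JSON by callers. The enclosing `if (isset($_SESSION[...]))` block starts and ends outside the hunk.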