router: add additional logging for refused requests; reject requests for methods starting with _

2025-12-13 14:25:55 +00:00 · 2021-02-15 16:34:44 +03:00
parent d1c83fad14
commit 91285e3868
3 changed files with 25 additions and 1 deletions
--- a/backend.php
+++ b/backend.php
@@ -30,6 +30,9 @@
 	require_once "db.php";
 	require_once "db-prefs.php";

+	$op = (string)clean($op);
+	$method = (string)clean($method);
+
 	startup_gettext();

 	$script_started = microtime(true);
@@ -92,6 +95,13 @@

 	if (class_exists($op) || $override) {

+		if (strpos($method, "_") === 0) {
+			user_error("Refusing to invoke method $method of handler $op which starts with underscore.", E_USER_WARNING);
+			header("Content-Type: text/json");
+			print error_json(6);
+			return;
+		}
+
 		if ($override) {
 			$handler = $override;
 		} else {
@@ -110,6 +120,7 @@
 						if ($reflection->getNumberOfRequiredParameters() == 0) {
 							$handler->$method();
 						} else {
+							user_error("Refusing to invoke method $method of handler $op which has required parameters.", E_USER_WARNING);
 							header("Content-Type: text/json");
 							print error_json(6);
 						}
@@ -126,6 +137,7 @@
 					return;
 				}
 			} else {
+				user_error("Refusing to invoke method $method of handler $op with invalid CSRF token.", E_USER_WARNING);
 				header("Content-Type: text/json");
 				print error_json(6);
 				return;