
Commit 3acc245

jcfrthewtexMichael Grauer
committed
BUG: Update viewAction to accept only valid verbs
See http://resources.infosecinstitute.com/http-verb-tempering-bypassing-web-authentication-and-authorization/ Co-authored-by: Matt McCormick <matt.mccormick@kitware.com> Co-authored-by: Michael Grauer <michael.grauer@kitware.com>
1 parent 37c9062 commit 3acc245

3 files changed

+14
-1
lines changed


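--- a/core/controllers/FolderController.php
+++ b/core/controllers/FolderController.php
@@ -160,7 +160,9 @@ public function viewAction()
 $folder_id = $this->getParam('folderId');
 $folder = $this->Folder->load($folder_id);
 
-if (!isset($folder_id)) {
+if (!$this->_request->isGet()) {
+throw new Zend_Exception('Only HTTP Get requests are accepted', 400);
+} elseif (!isset($folder_id)) {
 throw new Zend_Exception('Please set the folderId.');
 } elseif ($folder === false) {
 throw new Zend_Exception("The folder doesn't exist.", 404);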
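--- a/core/controllers/ItemController.php
+++ b/core/controllers/ItemController.php
@@ -112,6 +112,10 @@ public function editmetadataAction()
 */
 public function viewAction()
 {
+if (!($this->_request->isGet() || $this->_request->isPost())) {
+throw new Zend_Exception('Only HTTP Get or Post requests are accepted', 400);
+}
+
 $this->view->Date = $this->Component->Date;
 $itemId = $this->getParam('itemId');
 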
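Review bot: The same three-line verb guard is pasted verbatim here and in UserController::settingsAction and userpageAction (and, in a slightly different position, FolderController::viewAction), with the allowed verbs encoded twice each time, once in the condition and once in the exception message, which can drift apart as actions are added. A small helper on the shared base controller (not visible on this page) that takes the list of allowed methods, e.g. `$this->requireHttpMethods(['GET', 'POST']);`, would keep the check and the message in one place and make it cheap to apply to the remaining actions. Whether the `400` passed as the exception code becomes the HTTP status depends on the error handler, which is not shown here; if it does not, the rejected request gets a generic error page rather than a 400. viewAction continues past the hunk.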
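--- a/core/controllers/UserController.php
+++ b/core/controllers/UserController.php
@@ -699,6 +699,10 @@ public function userexistsAction()
 /** Settings page action */
 public function settingsAction()
 {
+if (!($this->_request->isGet() || $this->_request->isPost())) {
+throw new Zend_Exception('Only HTTP Get or Post requests are accepted', 400);
+}
+
 if (!$this->logged) {
 $this->disableView();
 
@@ -1061,6 +1065,9 @@ public function settingsAction()
 /** User page action */
 public function userpageAction()
 {
+if (!$this->_request->isGet()) {
+throw new Zend_Exception('Only HTTP Get requests are accepted', 400);
+}
 $this->view->Date = $this->Component->Date;
 $user_id = $this->getParam('user_id');
 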
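Review bot: In the userpageAction hunk the guard's closing `}` runs straight into `$this->view->Date = $this->Component->Date;`, while the identical guard in settingsAction above (and in ItemController::viewAction) is followed by a blank line; keeping the blank line after the guard in both places reads consistently. Both settingsAction and userpageAction continue past their hunks.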