diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index f471da42e..7c3d8469b 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -276,6 +276,20 @@ void WebApplication::doProcessRequest()
 if (!session() && !isPublicAPI(scope, action))
 throw ForbiddenHTTPError();
+ // Filter HTTP methods
+ const auto allowedMethodIter = m_allowedMethod.find({scope, action});
+ if (allowedMethodIter == m_allowedMethod.end())
+ {
+ // by default allow both GET, POST methods
+ if ((m_request.method != Http::METHOD_GET) && (m_request.method != Http::METHOD_POST))
+ throw MethodNotAllowedHTTPError();
+ }
+ else
+ {
+ if (*allowedMethodIter != m_request.method)
+ throw MethodNotAllowedHTTPError();
+ }
+
 DataMap data;
 for (const Http::UploadedFile &torrent : request().files)
 data[torrent.filename] = torrent.data;
diff --git a/src/webui/webapplication.h b/src/webui/webapplication.h
index a6514fcaa..da863d1bd 100644
--- a/src/webui/webapplication.h
+++ b/src/webui/webapplication.h
@@ -28,6 +28,8 @@ #pragma once + +#include + #include #include #include
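Review bot: The fallback branch at `// by default allow both GET, POST methods` still lets any scope/action pair missing from m_allowedMethod be invoked with a GET, so every state-changing action that the header's own TODO admits is not yet listed stays reachable from a plain link or img request — the cross-site request shape a POST-only rule is presumably meant to close — and only the nine listed actions are actually protected. Until the table is complete that consequence belongs at the check itself, e.g. `// NOTE: unlisted actions fall back to GET+POST; a mutating action is only POST-only once it is added to m_allowedMethod`, or the policy should be inverted so that unlisted actions are GET-only wherever the remaining controllers tolerate it. Placing the filter after the session/public-API check is the right order, since an unauthenticated caller still gets 403 and learns nothing about which methods an action accepts. The two branches also collapse to a single condition: `const bool methodAllowed = (allowedMethodIter == m_allowedMethod.end()) ? ((m_request.method == Http::METHOD_GET) || (m_request.method == Http::METHOD_POST)) : (*allowedMethodIter == m_request.method);` followed by `if (!methodAllowed) throw MethodNotAllowedHTTPError();`. doProcessRequest begins and ends outside the hunk.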
@@ -130,6 +132,20 @@ private: QHash m_apiControllers; QSet m_publicAPIs; + const QHash, QString> m_allowedMethod = + { + // <, HTTP method> + // TODO: this list is incomplete + {{QLatin1String("app"), QLatin1String("setPreferences")}, Http::METHOD_POST}, + {{QLatin1String("app"), QLatin1String("shutdown")}, Http::METHOD_POST}, + {{QLatin1String("auth"), QLatin1String("login")}, Http::METHOD_POST}, + {{QLatin1String("auth"), QLatin1String("logout")}, Http::METHOD_POST}, + {{QLatin1String("rss"), QLatin1String("addFeed")}, Http::METHOD_POST}, + {{QLatin1String("search"), QLatin1String("installPlugin")}, Http::METHOD_POST}, + {{QLatin1String("torrents"), QLatin1String("add")}, Http::METHOD_POST}, + {{QLatin1String("torrents"), QLatin1String("addPeers")}, Http::METHOD_POST}, + {{QLatin1String("torrents"), QLatin1String("addTrackers")}, Http::METHOD_POST} + }; bool m_isAltUIUsed = false; QString m_rootFolder;