
Commit ac16927

yunbaoi and sy-records committed
Add POST method request restrictions for write operations
Co-authored-by: yunbaoi <52o@qq52o.me> Co-authored-by: sy-records <52o@qq52o.cn> Reviewed-on: https://git.swoole.com/swoole/library/pulls/35 Co-authored-by: yun <52o@qq52o.me> Co-committed-by: yun <52o@qq52o.me>
1 parent c73f647 commit ac16927


1 file changed

+18
-4
lines changed


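--- a/src/core/Server/Admin.php
+++ b/src/core/Server/Admin.php
@@ -62,6 +62,12 @@ class Admin
         'specific',
     ];
 
+    private static $postMethodMap = [
+        'server_reload',
+        'server_shutdown',
+        'close_session',
+    ];
+
     public static function init(Server $server)
     {
         $accepted_process_types = SWOOLE_SERVER_COMMAND_MASTER |
@@ -423,17 +429,25 @@ public static function start(Server $server)
         $resp->header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
         $resp->header('Access-Control-Allow-Headers', 'X-ACCESS-TOKEN');
 
-        if ($req->getMethod() == 'GET') {
+        $method = $req->getMethod();
+
+        $cmd = $path_array->get(1)->toString();
+
+        if (in_array($cmd, self::$postMethodMap) && $method != 'POST') {
+            $resp->status(403);
+            $resp->end(self::json('Bad request method', 4003));
+            return;
+        }
+
+        if ($method == 'GET') {
             $data = $req->get;
         } else {
             $data = $req->post;
         }
 
-        $cmd = $path_array->get(1)->toString();
-
         if ($cmd === 'multi') {
             $body = json_decode($req->getContent(), true);
-            if (empty($body) || !is_array($body) || $req->getMethod() != 'POST') {
+            if (empty($body) || !is_array($body) || $method != 'POST') {
                 goto _bad_process;
             }
 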
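Review bot: The POST-only guard on the new `in_array($cmd, self::$postMethodMap) && $method != 'POST'` line is only as complete as the hand-maintained list in the first hunk, so any other state-changing command that is not in `$postMethodMap` stays reachable over GET, and the list carries no comment saying that it must be kept in sync. I would document the property with `// Commands that change server state; start() refuses them unless the request method is POST. Add new write commands here.` and, if the library's minimum PHP version allows a typed property, declare it `private static array $postMethodMap`. Both comparisons should be strict, `if (in_array($cmd, self::$postMethodMap, true) && $method !== 'POST') {`, matching the `$cmd === 'multi'` check a few lines below. The response uses status 403 for a method mismatch, where 405 Method Not Allowed is the conventional code; whether existing clients depend on the 403 and the 4003 body code is not visible here, so I would only change it if they do not. `start()` begins and ends outside the hunk.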