From 5080d776a7afce10ff2c6e624d893bcdbfa42d7e Mon Sep 17 00:00:00 2001
From: Bernd Bestel
Date: Fri, 1 Sep 2023 00:53:25 +0200
Subject: [PATCH] Only accept `application/json` requests for (JSON) API requests

---
 controllers/BaseController.php | 6 ++++++
 controllers/LoginController.php | 2 +-
 public/js/grocy.js | 10 +++++-----
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/controllers/BaseController.php b/controllers/BaseController.php
index cbb6b3ad..0d430be1 100644
--- a/controllers/BaseController.php
+++ b/controllers/BaseController.php
@@ -19,6 +19,7 @@ use Grocy\Services\TasksService;
 use Grocy\Services\UserfieldsService;
 use Grocy\Services\UsersService;
 use DI\Container;
+use Slim\Exception\HttpException;
 
 class BaseController
 {
@@ -213,6 +214,11 @@ class BaseController
 
 protected function GetParsedAndFilteredRequestBody($request)
 {
+if ($request->getHeaderLine('Content-Type') != 'application/json')
+{
+throw new HttpException($request, 'Bad Content-Type', 400);
+}
+
 if (self::$htmlPurifierInstance == null)
 {
 $htmlPurifierConfig = \HTMLPurifier_Config::createDefault();
diff --git a/controllers/LoginController.php b/controllers/LoginController.php
index f4ee0f65..03e5e965 100644
--- a/controllers/LoginController.php
+++ b/controllers/LoginController.php
@@ -22,7 +22,7 @@ class LoginController extends BaseController
 public function ProcessLogin(Request $request, Response $response, array $args)
 {
 $authMiddlewareClass = GROCY_AUTH_CLASS;
-if ($authMiddlewareClass::ProcessLogin($this->GetParsedAndFilteredRequestBody($request)))
+if ($authMiddlewareClass::ProcessLogin($request->getParsedBody()))
 {
 return $response->withRedirect($this->AppContainer->get('UrlManager')->ConstructUrl('/'));
 }
diff --git a/public/js/grocy.js b/public/js/grocy.js
index f1a94c77..ac1184d9 100644
--- a/public/js/grocy.js
+++ b/public/js/grocy.js
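Review bot: The added guard in GetParsedAndFilteredRequestBody compares the whole `Content-Type` header line with loose `!=` against the exact string `application/json`, so a request that legitimately carries a parameter such as `application/json; charset=utf-8`, or a differently-cased media type, is rejected with 400 even though its body is JSON; only the media type should be compared, and with strict equality. Something like `$mediaType = strtolower(trim(explode(';', $request->getHeaderLine('Content-Type'), 2)[0]));` followed by `if ($mediaType !== 'application/json')` keeps the intent without breaking such clients. The reason for the gate is not stated in the code; if, as it appears, the point is that a plain HTML form submission cannot produce this media type, a one-line comment saying so would help, e.g. `// Only accept JSON bodies here: a plain form post cannot set this media type, so non-JSON (e.g. cross-site form) submissions are rejected`. The body of GetParsedAndFilteredRequestBody continues past the end of the hunk.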
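Review bot: In ProcessLogin the new line passes `$request->getParsedBody()` straight to the auth class, and PSR-7 declares that method as returning `null|array|object`, so a login POST with a missing or unparsable body now hands `null` to `ProcessLogin` where the old helper presumably returned an array; whether the auth middleware tolerates `null` is not visible in this hunk. `$request->getParsedBody() ?? []` would keep the argument an array, if that is what the middleware expects. It is also worth a comment that this endpoint is deliberately exempt from the new JSON-only gate and from the HTML-purifier pass, presumably because the HTML login form posts urlencoded data, e.g. `// The login form posts urlencoded data, so it bypasses the JSON-only request body helper (and its HTML purification)`. The method continues outside the hunk.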
@@ -70,7 +70,7 @@ Grocy.Api.Post = function(apiFunction, jsonData, success, error)
 };
 
 xhr.open('POST', url, true);
-xhr.setRequestHeader('Content-type', 'application/json');
+xhr.setRequestHeader('Content-Type', 'application/json');
 xhr.send(JSON.stringify(jsonData));
 };
 
@@ -108,7 +108,7 @@ Grocy.Api.Put = function(apiFunction, jsonData, success, error)
 };
 
 xhr.open('PUT', url, true);
-xhr.setRequestHeader('Content-type', 'application/json');
+xhr.setRequestHeader('Content-Type', 'application/json');
 xhr.send(JSON.stringify(jsonData));
 };
 
@@ -146,7 +146,7 @@ Grocy.Api.Delete = function(apiFunction, jsonData, success, error)
 };
 
 xhr.open('DELETE', url, true);
-xhr.setRequestHeader('Content-type', 'application/json');
+xhr.setRequestHeader('Content-Type', 'application/json');
 xhr.send(JSON.stringify(jsonData));
 };
 
@@ -184,7 +184,7 @@ Grocy.Api.UploadFile = function(file, group, fileName, success, error)
 };
 
 xhr.open('PUT', url, true);
-xhr.setRequestHeader('Content-type', 'application/octet-stream');
+xhr.setRequestHeader('Content-Type', 'application/octet-stream');
 xhr.send(file);
 };
 
@@ -222,7 +222,7 @@ Grocy.Api.DeleteFile = function(fileName, group, success, error)
 };
 
 xhr.open('DELETE', url, true);
-xhr.setRequestHeader('Content-type', 'application/json');
+xhr.setRequestHeader('Content-Type', 'application/json');
 xhr.send();
 };
 