Only accept application/json requests for (JSON) API requests

2025-08-15 10:14:39 +00:00 · 2023-09-01 00:53:25 +02:00
parent 8c21969b84
commit 5080d776a7
3 changed files with 12 additions and 6 deletions
--- a/controllers/BaseController.php
+++ b/controllers/BaseController.php
@@ -19,6 +19,7 @@ use Grocy\Services\TasksService;
 use Grocy\Services\UserfieldsService;
 use Grocy\Services\UsersService;
 use DI\Container;
+use Slim\Exception\HttpException;

 class BaseController
 {
@@ -213,6 +214,11 @@ class BaseController

 	protected function GetParsedAndFilteredRequestBody($request)
 	{
+		if ($request->getHeaderLine('Content-Type') != 'application/json')
+		{
+			throw new HttpException($request, 'Bad Content-Type', 400);
+		}
+
 		if (self::$htmlPurifierInstance == null)
 		{
 			$htmlPurifierConfig = \HTMLPurifier_Config::createDefault();