Only accept application/json requests for (JSON) API requests

This commit is contained in:
Bernd Bestel 2023-09-01 00:53:25 +02:00
parent 8c21969b84
commit 5080d776a7
No known key found for this signature in database
GPG Key ID: 71BD34C0D4891300
3 changed files with 12 additions and 6 deletions


@ -19,6 +19,7 @@ use Grocy\Services\TasksService;
use Grocy\Services\UserfieldsService; use Grocy\Services\UserfieldsService;
use Grocy\Services\UsersService; use Grocy\Services\UsersService;
use DI\Container; use DI\Container;
use Slim\Exception\HttpException;
class BaseController class BaseController
{ {
@ -213,6 +214,11 @@ class BaseController
protected function GetParsedAndFilteredRequestBody($request) protected function GetParsedAndFilteredRequestBody($request)
{ {
if ($request->getHeaderLine('Content-Type') != 'application/json')
{
throw new HttpException($request, 'Bad Content-Type', 400);
}
if (self::$htmlPurifierInstance == null) if (self::$htmlPurifierInstance == null)
{ {
$htmlPurifierConfig = \HTMLPurifier_Config::createDefault(); $htmlPurifierConfig = \HTMLPurifier_Config::createDefault();
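Review bot: The exact comparison added at the top of GetParsedAndFilteredRequestBody rejects any client that sends a media-type parameter, such as `Content-Type: application/json; charset=utf-8`, which many HTTP libraries emit by default, and media types are case-insensitive, so `Application/JSON` would also be refused with a 400. Compare the parsed media type with a strict operator instead: `$mediaType = strtolower(trim(explode(';', $request->getHeaderLine('Content-Type'), 2)[0])); if ($mediaType !== 'application/json') { throw new HttpException($request, 'Bad Content-Type', 400); }` (the loose `!=` should be `!==` either way). If this check is meant as a defence against cross-site form posts reaching JSON endpoints, that only holds for routes that go through this method, which the hunk does not show; a comment such as `// Reject non-JSON bodies: a cross-site form post cannot set this header without a CORS preflight` would record the intent. Slim's `HttpBadRequestException` would also set the status and title for you. The method's body continues past the end of the hunk.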


@ -22,7 +22,7 @@ class LoginController extends BaseController
public function ProcessLogin(Request $request, Response $response, array $args) public function ProcessLogin(Request $request, Response $response, array $args)
{ {
$authMiddlewareClass = GROCY_AUTH_CLASS; $authMiddlewareClass = GROCY_AUTH_CLASS;
if ($authMiddlewareClass::ProcessLogin($this->GetParsedAndFilteredRequestBody($request))) if ($authMiddlewareClass::ProcessLogin($request->getParsedBody()))
{ {
return $response->withRedirect($this->AppContainer->get('UrlManager')->ConstructUrl('/')); return $response->withRedirect($this->AppContainer->get('UrlManager')->ConstructUrl('/'));
} }
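Review bot: Reading the right-hand version as the new side, `$request->getParsedBody()` can return `null` when no body parser handled the request (an empty or unrecognised POST), and that value is now passed straight to ProcessLogin; unless GROCY_AUTH_CLASS::ProcessLogin accepts null, which the hunk does not show, guard it so a missing body falls into the existing failure branch: `$body = $request->getParsedBody();` and `if (is_array($body) && $authMiddlewareClass::ProcessLogin($body))`. The switch also appears to drop the HTMLPurifier pass that GetParsedAndFilteredRequestBody applies, which for a username/password pair is presumably intended (purifying a password would silently change it), so a comment such as `// Login is a form post, not a JSON API call; credentials are not purified` would explain why this controller is the exception. ProcessLogin's body continues past the end of the hunk.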


@ -70,7 +70,7 @@ Grocy.Api.Post = function(apiFunction, jsonData, success, error)
}; };
xhr.open('POST', url, true); xhr.open('POST', url, true);
xhr.setRequestHeader('Content-type', 'application/json'); xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify(jsonData)); xhr.send(JSON.stringify(jsonData));
}; };
@ -108,7 +108,7 @@ Grocy.Api.Put = function(apiFunction, jsonData, success, error)
}; };
xhr.open('PUT', url, true); xhr.open('PUT', url, true);
xhr.setRequestHeader('Content-type', 'application/json'); xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify(jsonData)); xhr.send(JSON.stringify(jsonData));
}; };
@ -146,7 +146,7 @@ Grocy.Api.Delete = function(apiFunction, jsonData, success, error)
}; };
xhr.open('DELETE', url, true); xhr.open('DELETE', url, true);
xhr.setRequestHeader('Content-type', 'application/json'); xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify(jsonData)); xhr.send(JSON.stringify(jsonData));
}; };
@ -184,7 +184,7 @@ Grocy.Api.UploadFile = function(file, group, fileName, success, error)
}; };
xhr.open('PUT', url, true); xhr.open('PUT', url, true);
xhr.setRequestHeader('Content-type', 'application/octet-stream'); xhr.setRequestHeader('Content-Type', 'application/octet-stream');
xhr.send(file); xhr.send(file);
}; };
@ -222,7 +222,7 @@ Grocy.Api.DeleteFile = function(fileName, group, success, error)
}; };
xhr.open('DELETE', url, true); xhr.open('DELETE', url, true);
xhr.setRequestHeader('Content-type', 'application/json'); xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(); xhr.send();
}; };