From 3ffcd6dd971c295cce258f484e292f625bcb4d88 Mon Sep 17 00:00:00 2001
From: "J. King"
Date: Thu, 30 Nov 2017 17:54:56 -0500
Subject: [PATCH] Make TTRSS handler reject erroneous paths

---
 lib/REST/TinyTinyRSS/API.php | 4 ++++
 tests/REST/TinyTinyRSS/TestTinyTinyAPI.php | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/lib/REST/TinyTinyRSS/API.php b/lib/REST/TinyTinyRSS/API.php
index 107c54a..6d27ad0 100644
--- a/lib/REST/TinyTinyRSS/API.php
+++ b/lib/REST/TinyTinyRSS/API.php
@@ -115,6 +115,10 @@ class API extends \JKingWeb\Arsse\REST\AbstractHandler {
 }
 
 public function dispatch(\JKingWeb\Arsse\REST\Request $req): Response {
+ if (!preg_match("<^(?:/(?:index\.php)?)?$>", $req->path)) {
+ // reject paths other than the index
+ return new Response(404);
+ }
 if ($req->method=="OPTIONS") {
 // respond to OPTIONS rquests; the response is a fib, as we technically accept any type or method
 return new Response(204, "", "", [
diff --git a/tests/REST/TinyTinyRSS/TestTinyTinyAPI.php b/tests/REST/TinyTinyRSS/TestTinyTinyAPI.php
index 78e1afb..ee71d77 100644
--- a/tests/REST/TinyTinyRSS/TestTinyTinyAPI.php
+++ b/tests/REST/TinyTinyRSS/TestTinyTinyAPI.php
@@ -168,6 +168,15 @@ LONG_STRING;
 $this->clearData();
 }
 
+ public function testHandleInvalidPaths() {
+ $exp = $this->respErr("MALFORMED_INPUT", [], null);
+ $this->assertResponse($exp, $this->h->dispatch(new Request("POST", "", "")));
+ $this->assertResponse($exp, $this->h->dispatch(new Request("POST", "/", "")));
+ $this->assertResponse($exp, $this->h->dispatch(new Request("POST", "/index.php", "")));
+ $exp = new Response(404);
+ $this->assertResponse($exp, $this->h->dispatch(new Request("POST", "/bad/path", "")));
+ }
+
 public function testHandleOptionsRequest() {
 $exp = new Response(204, "", "", [
 "Allow: POST",
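Review bot: The `$` anchor in the path check added to `dispatch()` in lib/REST/TinyTinyRSS/API.php also matches just before a trailing line feed, so a path made of `/index.php` plus a newline would be accepted rather than answered with 404. Whether `$req->path` can ever carry a decoded newline depends on how `Request` parses the URL, which is not visible here, but an allowlist check should not rely on that; adding the `D` modifier (or using `\z`) closes it: `if (!preg_match('<^(?:/(?:index\.php)?)?$>D', $req->path)) {`. Single quotes also stop the pattern from depending on PHP leaving `\.` and `$>` untouched inside a double-quoted string. The body of `dispatch()` continues past the end of the hunk.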
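Review bot: `testHandleInvalidPaths()` in tests/REST/TinyTinyRSS/TestTinyTinyAPI.php asserts only one rejected path, `/bad/path`, so nothing pins how tightly the pattern is anchored or that the check runs before the OPTIONS branch. Near misses are the cases worth fixing in place, for example `$this->assertResponse($exp, $this->h->dispatch(new Request("POST", "/index.php/", "")));` and the same with `"/index.phpx"`, plus `new Request("OPTIONS", "/bad/path", "")` against the 404 expectation. The first three assertions exercise accepted paths, so a short comment such as `// valid index paths fall through to normal input handling` would explain why they expect MALFORMED_INPUT.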