AJAX requests can only use the POST method

2015-06-20 20:18:58 +10:00 · 2015-06-20 20:18:58 +10:00 · cd1d62d8d7
parent 37e5b2328f
commit cd1d62d8d7
2 changed files with 8 additions and 10 deletions
--- a/modules/backend/classes/Controller.php
+++ b/modules/backend/classes/Controller.php
@ -349,6 +349,10 @@ class Controller extends Extendable
     */
    protected function execAjaxHandlers()
    {
+        if (Request::method() != 'POST') {
+            return null;
+        }
+
        if ($handler = trim(Request::header('X_OCTOBER_REQUEST_HANDLER'))) {
            try {
                /*
@ -363,16 +367,6 @@ class Controller extends Extendable
                 */
                if ($partialList = trim(Request::header('X_OCTOBER_REQUEST_PARTIALS'))) {
                    $partialList = explode('&', $partialList);
-
-                    // @todo Do we need to validate backend partials?
-                    // foreach ($partialList as $partial) {
-                    //     if (!preg_match('/^(?:\w+\:{2}|@)?[a-z0-9\_\-\.\/]+$/i', $partial)) {
-                    //         throw new SystemException(Lang::get(
-                    //             'cms::lang.partial.invalid_name',
-                    //             ['name' => $partial]
-                    //         ));
-                    //     }
-                    // }
                }
                else {
                    $partialList = [];
--- a/modules/cms/classes/Controller.php
+++ b/modules/cms/classes/Controller.php
@ -572,6 +572,10 @@ class Controller
     */
    protected function execAjaxHandlers()
    {
+        if (Request::method() != 'POST') {
+            return null;
+        }
+
        if ($handler = trim(Request::header('X_OCTOBER_REQUEST_HANDLER'))) {
            try {
                /*