From cd1d62d8d782bd7267c1b4ac625dcdbde8b49bfc Mon Sep 17 00:00:00 2001
From: Samuel Georges
Date: Sat, 20 Jun 2015 20:18:58 +1000
Subject: [PATCH] AJAX requests can only use the POST method
---
 modules/backend/classes/Controller.php | 14 ++++----------
 modules/cms/classes/Controller.php | 4 ++++
 2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/modules/backend/classes/Controller.php b/modules/backend/classes/Controller.php
index 1ba0d4d21..66f732180 100644
--- a/modules/backend/classes/Controller.php
+++ b/modules/backend/classes/Controller.php
@@ -349,6 +349,10 @@ class Controller extends Extendable
 */
 protected function execAjaxHandlers()
 {
+ if (Request::method() != 'POST') {
+ return null;
+ }
+
 if ($handler = trim(Request::header('X_OCTOBER_REQUEST_HANDLER'))) {
 try {
 /*
@@ -363,16 +367,6 @@ class Controller extends Extendable
 */
 if ($partialList = trim(Request::header('X_OCTOBER_REQUEST_PARTIALS'))) {
 $partialList = explode('&', $partialList);
-
- // @todo Do we need to validate backend partials?
- // foreach ($partialList as $partial) {
- // if (!preg_match('/^(?:\w+\:{2}|@)?[a-z0-9\_\-\.\/]+$/i', $partial)) {
- // throw new SystemException(Lang::get(
- // 'cms::lang.partial.invalid_name',
- // ['name' => $partial]
- // ));
- // }
- // }
 }
 else {
 $partialList = [];
diff --git a/modules/cms/classes/Controller.php b/modules/cms/classes/Controller.php
index 4f7e0e274..a4a8a5977 100644
--- a/modules/cms/classes/Controller.php
+++ b/modules/cms/classes/Controller.php
@@ -572,6 +572,10 @@ class Controller
 */
 protected function execAjaxHandlers()
 {
+ if (Request::method() != 'POST') {
+ return null;
+ }
+
 if ($handler = trim(Request::header('X_OCTOBER_REQUEST_HANDLER'))) {
 try {
 /*
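Review bot: The new guard at the top of execAjaxHandlers compares `Request::method()` against `'POST'` with the loose `!=`; a strict comparison is the idiom for string checks in PHP and removes any type-juggling ambiguity, `if (Request::method() !== 'POST') {`. The identical guard is duplicated verbatim in the cms Controller hunk (execAjaxHandlers near line 572), so both sites should change together. The early `return null` is silent, and since the rest of the method still reads the X_OCTOBER_REQUEST_HANDLER header, a short comment would help the next reader understand that a non-POST request carrying that header is deliberately treated as a normal page request rather than an error: `// AJAX handlers are only dispatched for POST requests; other methods fall through to normal request handling.` Whether `Request::method()` reflects the real HTTP verb or a framework-level method override is not visible in this diff and is worth confirming, as that decides which requests the guard actually admits. The body of execAjaxHandlers continues past the end of this hunk.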