From 9e574017f801c1bb4b5d4856e988b892d90246a2 Mon Sep 17 00:00:00 2001
Message-Id: <9e574017f801c1bb4b5d4856e988b892d90246a2.1714030643.git.mdw@distorted.org.uk>
From: Mark Wooding
Date: Sat, 13 Jul 2013 16:34:40 +0100
Subject: [PATCH] {cgi,cmd-cgi,httpauth}.py: Check request methods on CGI commands.
Organization: Straylight/Edgeware
From: Mark Wooding

Mainly as a sanity check.
---
 cgi.py | 11 +++++++++++
 cmd-cgi.py | 6 +++++-
 httpauth.py | 1 +
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/cgi.py b/cgi.py
index 6006062..cfa26f7 100644
--- a/cgi.py
+++ b/cgi.py
@@ -453,6 +453,11 @@ class Subcommand (SC.Subcommand):
 CGI parameters.
 """
 
+ def __init__(me, name, contexts, desc, func,
+ methods = ['GET', 'POST'], *args, **kw):
+ super(Subcommand, me).__init__(name, contexts, desc, func, *args, **kw)
+ me.methods = set(methods)
+
 def cgi(me, param, path):
 """
 Invoke the subcommand given a collection of CGI parameters.
@@ -484,6 +489,12 @@ class Subcommand (SC.Subcommand):
 want = {}
 kw = {}
 
+ ## Check the request method against the permitted list.
+ meth = METHOD
+ if meth == 'HEAD': meth = 'GET'
+ if meth not in me.methods:
+ raise U.ExpectedError, (500, "Unexpected request method `%s'" % METHOD)
+
 def set_value(k, v):
 """Set a simple value: we shouldn't see multiple values."""
 if k in kw:
diff --git a/cmd-cgi.py b/cmd-cgi.py
index 63253b7..104dd6a 100644
--- a/cmd-cgi.py
+++ b/cmd-cgi.py
@@ -65,6 +65,7 @@ def cmd_list_cgi():
 @CGI.subcommand(
 'set', ['cgi'],
 'Set password for a collection of services.',
+ methods = ['POST'],
 params = [SC.Arg('first'), SC.Arg('second')],
 rparam = SC.Arg('services'))
 def cmd_set_cgi(first, second, services = []):
@@ -74,6 +75,7 @@ def cmd_set_cgi(first, second, services = []):
 @CGI.subcommand(
 'reset', ['cgi'],
 'Reset passwords for a collection of services.',
+ methods = ['POST'],
 rparam = SC.Arg('services'))
 def cmd_reset_cgi(services = []):
 operate('reset passwords', 'reset', services)
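Review bot: In the new `__init__` on cgi.py, `methods` is placed before `*args`, so a sixth positional argument that a caller intended to forward to `SC.Subcommand` would be captured as `methods` instead of being passed on; the base-class signature is outside this patch, so whether any caller does that cannot be confirmed here, though the decorator call sites in this series all use keywords. Taking the option out of `**kw` removes the ambiguity: `def __init__(me, name, contexts, desc, func, *args, **kw):`, `me.methods = set(kw.pop('methods', ['GET', 'POST']))`, followed by the unchanged `super(...)` call. A one-line docstring such as `"""Initialize the subcommand; METHODS lists the HTTP request methods it accepts (HEAD is treated as GET on dispatch)."""` would also help, since the attribute is only consumed further down in `cgi`. Copying the list into a set means the mutable default itself is harmless.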
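Review bot: The new check in `Subcommand.cgi` answers a disallowed request method with status 500, which is a server-error code for what is a client error; if the `U.ExpectedError` path passes the status through, 405 is the conventional response, ideally with an `Allow` header listing `me.methods`, and it keeps these requests out of server-error monitoring: `raise U.ExpectedError, (405, "Unexpected request method `%s'" % METHOD)`. The raw `METHOD` string is interpolated into the error text; that is harmless if the error renderer escapes it, but since the value comes straight from the request environment it is worth confirming, as the renderer is not in this patch. Folding HEAD into GET before the membership test is sensible. The `cgi` method continues past the end of the hunk.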
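Review bot: Restricting `set` to POST is right for a state-changing command, but it is not a cross-site request forgery defence on its own: a cross-origin form submission is still a POST and reaches `cmd_set_cgi` unless a per-session token or Origin/Referer check is enforced elsewhere, which this patch does not show. The same applies to `reset` in the next hunk, to `clear` and `logout` in the following hunk of this file, and to `auth` in httpauth.py. The commit message calls this a sanity check, so a comment next to the first `methods = ['POST']` would stop readers from treating it as the CSRF control: `## POST-only is a sanity check; it does not by itself prevent cross-site requests.`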
@@ -81,13 +83,15 @@ def cmd_reset_cgi(services = []):
 @CGI.subcommand(
 'clear', ['cgi'],
 'Clear passwords for a collection of services.',
+ methods = ['POST'],
 rparam = SC.Arg('services'))
 def cmd_clear_cgi(services = []):
 operate('clear passwords', 'clear', services)
 
 @CGI.subcommand(
 'logout', ['cgi'],
- 'Log out of the web interface.')
+ 'Log out of the web interface.',
+ methods = ['POST'])
 def cmd_logout_cgi():
 CGI.redirect(CGI.action('login', why = 'LOGOUT'),
 set_cookie = HA.bake_cookie('logged-out'))
diff --git a/httpauth.py b/httpauth.py
index 383bdb1..7fdc687 100644
--- a/httpauth.py
+++ b/httpauth.py
@@ -332,6 +332,7 @@ def cmd_login(why = None):
 @CGI.subcommand(
 'auth', ['cgi-noauth'],
 'Verify a user name and password',
+ methods = ['POST'],
 params = [SC.Arg('u'), SC.Arg('pw')])
 def cmd_auth(u, pw):
 svc = S.SERVICES['master']
-- 
[mdw]
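Review bot: Making `logout` POST-only changes how the web interface must invoke it: a plain `<a href>` to the logout action, if that is what the pages currently use, would now be refused by the method check in `Subcommand.cgi` rather than logging the user out, so the link would need to become a form or button that POSTs. The templates are not part of this patch, so this is worth verifying before merging. The redirect and cookie handling in `cmd_logout_cgi` are otherwise unaffected.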