From 2ff7b66e73e77cb8ce573bfb26298b6f65f85edb Mon Sep 17 00:00:00 2001
From: Shreyas Minocha
Date: Sat, 17 Nov 2018 13:17:16 +0530
Subject: [PATCH] Send a 405 on unsupported HTTP methods in API

Bug: T209228
Change-Id: I24af3bfea1ff4b37a72ef5e83b12a8f1c59ca497
---
 includes/api/ApiMain.php | 6 ++++++
 includes/api/i18n/en.json | 1 +
 includes/api/i18n/qqq.json | 1 +
 3 files changed, 8 insertions(+)

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index d2a7db2bea..22232dd753 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -1512,7 +1512,13 @@ class ApiMain extends ApiBase {
 * @param array $params An array with the request parameters
 */
 protected function setupExternalResponse( $module, $params ) {
+ $validMethods = [ 'GET', 'HEAD', 'POST', 'OPTIONS' ];
 $request = $this->getRequest();
+
+ if ( !in_array( $request->getMethod(), $validMethods ) ) {
+ $this->dieWithError( 'apierror-invalidmethod', null, null, 405 );
+ }
+
 if ( !$request->wasPosted() && $module->mustBePosted() ) {
 // Module requires POST. GET request might still be allowed
 // if $wgDebugApi is true, otherwise fail.
diff --git a/includes/api/i18n/en.json b/includes/api/i18n/en.json
index a9f92aaef7..384878658d 100644
--- a/includes/api/i18n/en.json
+++ b/includes/api/i18n/en.json
@@ -1758,6 +1758,7 @@
 "apierror-invalidexpiry": "Invalid expiry time \"$1\".",
 "apierror-invalid-file-key": "Not a valid file key.",
 "apierror-invalidlang": "Invalid language code for parameter $1.",
+ "apierror-invalidmethod": "Invalid HTTP method. Consider using GET or POST.",
 "apierror-invalidoldimage": "The oldimage parameter has an invalid format.",
 "apierror-invalidparammix-cannotusewith": "The $1 parameter cannot be used with $2.",
 "apierror-invalidparammix-mustusewith": "The $1 parameter may only be used with $2.",
diff --git a/includes/api/i18n/qqq.json b/includes/api/i18n/qqq.json
index 83427bafd8..9786053f00 100644
--- a/includes/api/i18n/qqq.json
+++ b/includes/api/i18n/qqq.json
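Review bot: The new 405 branch at the top of setupExternalResponse() in includes/api/ApiMain.php rejects the request without telling the client which methods are accepted. RFC 7231 §6.5.5 requires a 405 response to carry an `Allow` header, and nothing in the hunk sets one; whether dieWithError() or the later error output adds it is not visible here. Before the dieWithError() call I would add `$request->response()->header( 'Allow: ' . implode( ', ', $validMethods ) );`. The allow-list test should also be strict, `in_array( $request->getMethod(), $validMethods, true )`, so the match never depends on PHP's loose comparison rules. The function body continues past the end of the hunk.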
@@ -1646,6 +1646,7 @@
 "apierror-invalidexpiry": "{{doc-apierror}}\n\nParameters:\n* $1 - Value provided.",
 "apierror-invalid-file-key": "{{doc-apierror}}",
 "apierror-invalidlang": "{{doc-apierror}}\n\nParameters:\n* $1 - Parameter name.",
+ "apierror-invalidmethod": "{{doc-apierror}}\n\nShown when a user tries to access the API using an HTTP method that is not supported",
 "apierror-invalidoldimage": "{{doc-apierror}}",
 "apierror-invalidparammix-cannotusewith": "{{doc-apierror}}\n\nParameters:\n* $1 - Parameter name or \"parameter=value\" text.\n* $2 - Parameter name or \"parameter=value\" text.",
 "apierror-invalidparammix-mustusewith": "{{doc-apierror}}\n\nParameters:\n* $1 - Parameter name or \"parameter=value\" text.\n* $2 - Parameter name or \"parameter=value\" text.",
--
2.20.1