* @param array $params An array with the request parameters
*/
protected function setupExternalResponse( $module, $params ) {
+ $validMethods = [ 'GET', 'HEAD', 'POST', 'OPTIONS' ];
$request = $this->getRequest();
+
+ if ( !in_array( $request->getMethod(), $validMethods ) ) {
+ $this->dieWithError( 'apierror-invalidmethod', null, null, 405 );
+ }
+
if ( !$request->wasPosted() && $module->mustBePosted() ) {
// Module requires POST. GET request might still be allowed
// if $wgDebugApi is true, otherwise fail.
"apierror-invalidexpiry": "Invalid expiry time \"$1\".",
"apierror-invalid-file-key": "Not a valid file key.",
"apierror-invalidlang": "Invalid language code for parameter <var>$1</var>.",
+ "apierror-invalidmethod": "Invalid HTTP method. Consider using GET or POST.",
"apierror-invalidoldimage": "The <var>oldimage</var> parameter has an invalid format.",
"apierror-invalidparammix-cannotusewith": "The <kbd>$1</kbd> parameter cannot be used with <kbd>$2</kbd>.",
"apierror-invalidparammix-mustusewith": "The <kbd>$1</kbd> parameter may only be used with <kbd>$2</kbd>.",
"apierror-invalidexpiry": "{{doc-apierror}}\n\nParameters:\n* $1 - Value provided.",
"apierror-invalid-file-key": "{{doc-apierror}}",
"apierror-invalidlang": "{{doc-apierror}}\n\nParameters:\n* $1 - Parameter name.",
+ "apierror-invalidmethod": "{{doc-apierror}}\n\nShown when a user tries to access the API using an HTTP method that is not supported",
"apierror-invalidoldimage": "{{doc-apierror}}",
"apierror-invalidparammix-cannotusewith": "{{doc-apierror}}\n\nParameters:\n* $1 - Parameter name or \"parameter=value\" text.\n* $2 - Parameter name or \"parameter=value\" text.",
"apierror-invalidparammix-mustusewith": "{{doc-apierror}}\n\nParameters:\n* $1 - Parameter name or \"parameter=value\" text.\n* $2 - Parameter name or \"parameter=value\" text.",