From 45efb781eaa8f7d9ce4459e29e94cfcadfcef397 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Mon, 12 Apr 2021 20:43:40 +0900
Subject: [PATCH] Fix REQUEST_METHOD checking not working for class types that aren't controller
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

controller 타입이 아닌 액션에서는 method를 제한하더라도 적용되지 않는 문제 수정
---
 classes/module/ModuleHandler.class.php | 48 +++++++-------------------
 1 file changed, 12 insertions(+), 36 deletions(-)

diff --git a/classes/module/ModuleHandler.class.php b/classes/module/ModuleHandler.class.php
index b58d2b628..983dd87b7 100644
--- a/classes/module/ModuleHandler.class.php
+++ b/classes/module/ModuleHandler.class.php
@@ -350,26 +350,16 @@ class ModuleHandler extends Handler
  $kind = 'admin';
  }
 
- // check REQUEST_METHOD in controller
- if($type == 'controller')
+ // check REQUEST_METHOD
+ if(isset($xml_info->action->{$this->act}))
  {
- $allowedMethod = $xml_info->action->{$this->act}->method;
-
- if(!$allowedMethod)
- {
- $allowedMethodList[0] = 'POST';
- }
- else
- {
- $allowedMethodList = explode('|', strtoupper($allowedMethod));
- }
-
- if(!in_array(strtoupper($_SERVER['REQUEST_METHOD']), $allowedMethodList))
+ $allowedMethodList = explode('|', $xml_info->action->{$this->act}->method);
+ if(!in_array($_SERVER['REQUEST_METHOD'], $allowedMethodList))
  {
  return self::_createErrorMessage(-1, 'msg_method_not_allowed', 405);
  }
  }
-
+
  // check CSRF for non-GET (POST, PUT, etc.) actions
  if(Context::getRequestMethod() !== 'GET' && Context::isInstalled())
  {
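Review bot: The new `$allowedMethodList = explode('|', $xml_info->action->{$this->act}->method);` line drops the fallback the removed code had for a missing `method` attribute (it defaulted controllers to `POST`); when that attribute is null or empty, `explode` yields `['']`, `in_array` fails for every request method, and the action is always rejected with 405 — unless `ModuleModel::getModuleActionXml` is known to always populate `method`, which is not visible here. The `strtoupper()` normalisation of the XML value is also gone, so a module declaring `method="post|get"` in lowercase would now be rejected (dropping it on `$_SERVER['REQUEST_METHOD']` is harmless, since servers pass the method verbatim and it is case-sensitive per HTTP). The same two points apply to the third hunk (`@@ -478,27 +468,13 @@`). Suggest either confirming the XML loader guarantees a default, or restoring an explicit one before exploding, e.g. `$allowedMethodList = explode('|', strtoupper($xml_info->action->{$this->act}->method ?: 'POST'));` for the controller case, and passing `true` as the third argument to `in_array`. The enclosing method begins and ends outside this hunk.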
@@ -430,9 +420,9 @@ class ModuleHandler extends Handler
  }
 
  // 1. Look for the module with action name
- if(preg_match('/^([a-z]+)([A-Z])([a-z0-9\_]+)(.*)$/', $this->act, $matches))
+ if(preg_match('/^[a-z]+([A-Z][a-z0-9\_]+).*$/', $this->act, $matches))
  {
- $module = strtolower($matches[2] . $matches[3]);
+ $module = strtolower($matches[1]);
  $xml_info = ModuleModel::getModuleActionXml($module);
 
  if($xml_info->action->{$this->act} && ($this->module == 'admin' || $xml_info->action->{$this->act}->standalone != 'false'))
@@ -478,27 +468,13 @@ class ModuleHandler extends Handler
  }
  }
 
- // SECISSUE also check foward act method
- // check REQUEST_METHOD in controller
- if($type == 'controller')
+ // SECISSUE also check REQUEST_METHOD for forwarded actions
+ $allowedMethodList = explode('|', $xml_info->action->{$this->act}->method);
+ if(!in_array($_SERVER['REQUEST_METHOD'], $allowedMethodList))
  {
- $allowedMethod = $xml_info->action->{$forward->act}->method;
-
- if(!$allowedMethod)
- {
- $allowedMethodList[0] = 'POST';
- }
- else
- {
- $allowedMethodList = explode('|', strtoupper($allowedMethod));
- }
-
- if(!in_array(strtoupper($_SERVER['REQUEST_METHOD']), $allowedMethodList))
- {
- return self::_createErrorMessage(-1, 'msg_method_not_allowed', 405);
- }
+ return self::_createErrorMessage(-1, 'msg_method_not_allowed', 405);
  }
-
+
  // check CSRF for non-GET (POST, PUT, etc.) actions
  if(Context::getRequestMethod() !== 'GET' && Context::isInstalled())
  {
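Review bot: In the third hunk the new check reads `$xml_info->action->{$this->act}->method`, whereas the removed code read `$xml_info->action->{$forward->act}->method`; the two are equivalent only if `$this->act` has already been replaced with the forwarded action before this point, which is not visible in the hunk and should be confirmed, since otherwise the method restriction is evaluated against the original rather than the forwarded action. Unlike the first hunk, this lookup has no `isset($xml_info->action->{$this->act})` guard, so a forward target absent from the XML reaches `->method` on a null value (a notice, then `['']` from `explode`) and is rejected with 405 — fail-closed, but better made explicit with the same `isset` guard used at `@@ -350,26 +350,16 @@`. The enclosing method starts and ends outside this hunk.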