server: clean up scripts, require POST for non-idempotent requests

2022-08-16 21:16:22 +02:00 · 2022-08-16 21:16:22 +02:00 · 096c7ac168
parent c7f08a80e9
commit 096c7ac168
4 changed files with 52 additions and 39 deletions
--- a/server/ping-get.php
+++ b/server/ping-get.php
@ -1,16 +1,22 @@
 <?php
 require_once('config.inc.php');
 require_once('config.inc.php');
 $apikeys = $config['ping-get'];
 header('Content-type: text/plain');
-if(isset($_GET['apikey']) && in_array($_GET['apikey'], $apikeys, true)) {
+
-    $str=file_get_contents('pinged.txt');
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
-    echo $str;
+	echo "Must use POST request method\n";
-    file_put_contents ( 'pinged.txt' , 'false' );
+	return;
 } else {
    $str=file_get_contents('pinged.txt');
    echo "API Key Missing!\n";
    echo $str;
 }
 if (!isset($_GET['apikey']) || !in_array($_GET['apikey'], $apikeys, true)) {
 	echo "Invalid API key\n";
 	return;
 }
 $str=file_get_contents('pinged.txt');
 echo $str;
 file_put_contents('pinged.txt', 'false');
 ?>
--- a/server/ping.php
+++ b/server/ping.php
@ -1,17 +1,20 @@
 <?php
 require_once('config.inc.php');
 require_once('config.inc.php');
 $apikeys = $config['ping'];
 header('Content-type: text/plain');
-if ($_SERVER['REQUEST_METHOD'] == 'POST' &&
+
-    isset($_GET['apikey']) && in_array($_GET['apikey'], $apikeys, true))
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
-{
+	echo "Must use POST request method\n";
-    file_put_contents ( 'pinged.txt' , 'true' );
+	return;
    echo $str;
 } else {
    $str=file_get_contents('pinged.txt');
    echo "API Key Missing (must be POST method)!\n";
    echo $str;
 }
 if (!isset($_GET['apikey']) || !in_array($_GET['apikey'], $apikeys, true)) {
 	echo "Invalid API key\n";
 	return;
 }
 file_put_contents('pinged.txt', 'true');
 ?>
--- a/server/status.txt
+++ b/server/status.txt
--- a/server/update.php
+++ b/server/update.php
@ -1,30 +1,34 @@
 <?php
 require_once('config.inc.php');
 $apikeys = $config['update'];
 header('Content-type: text/plain');
-if( isset($_GET['apikey']) && in_array($_GET['apikey'], $apikeys, true) ) {
+
-    if(isset($_GET['open']) && $_GET['open']=='true')
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
-    {
+	echo "Must use POST request method\n";
-        file_put_contents ( 'status.txt' , 'true,'.time() );
+	return;
-        exec("./open.sh");
+}
-        echo "true";
+
-    } else if(isset($_GET['open']) && $_GET['open'] =='false') {
+if (!isset($_GET['apikey']) || !in_array($_GET['apikey'], $apikeys, true)) {
-        file_put_contents ( 'status.txt' , 'false,'.time() );
+	echo "Invalid API key\n";
-        exec("./close.sh");
+	return;
-        echo "false";
+}
-    }else{
+
-        echo "you are too stupid to use the api!\n";
+if (!isset($_GET['open'])) {
-    }
+	echo "Missing 'open' request parameter\n";
 	return;
 }
 if ($_GET['open'] === 'true') {
 	file_put_contents('status.txt', 'true,'.time());
 	echo "true";
 } else if ($_GET['open'] === 'false') {
 	file_put_contents('status.txt', 'false,'.time());
 	echo "false";
 } else {
-    $str=file_get_contents('status.txt');
+	echo "Invalid 'open' parameter value\n";
-    $arr=explode(',',$str);
+	return;
    $open=$arr[0];
    $date=$arr[1]; //lastchange: upadate via file see explode/implode
    echo "API Key Missing!\n";
    echo $open;
 }
 ?>