Make API call permission checks more reliable

[friendica.git] / src / App.php

diff --git a/src/App.php b/src/App.php
index 30194af8e273e001b8ce72510c121b7f844f70af..a17fb3ec388cd64ab06175eb19b740279e308982 100644 (file)
--- a/src/App.php
+++ b/src/App.php
@@ -40,10 +40,10 @@ use Friendica\Model\Profile;
 use Friendica\Module\Special\HTTPException as ModuleHTTPException;
 use Friendica\Network\HTTPException;
 use Friendica\Util\DateTimeFormat;
+use Friendica\Util\HTTPInputData;
 use Friendica\Util\HTTPSignature;
 use Friendica\Util\Profiler;
 use Friendica\Util\Strings;
-use GuzzleHttp\Psr7\Response;
 use Psr\Log\LoggerInterface;
 
 /**
@@ -562,13 +562,15 @@ class App
         *
         * @param App\Router                  $router
         * @param IManagePersonalConfigValues $pconfig
-        * @param Authentication              $auth   The Authentication backend of the node
-        * @param App\Page                    $page   The Friendica page printing container
+        * @param Authentication              $auth       The Authentication backend of the node
+        * @param App\Page                    $page       The Friendica page printing container
+        * @param HTTPInputData               $httpInput  A library for processing PHP input streams
+        * @param float                       $start_time The start time of the overall script execution
         *
         * @throws HTTPException\InternalServerErrorException
         * @throws \ImagickException
         */
-       public function runFrontend(App\Router $router, IManagePersonalConfigValues $pconfig, Authentication $auth, App\Page $page, float $start_time)
+       public function runFrontend(App\Router $router, IManagePersonalConfigValues $pconfig, Authentication $auth, App\Page $page, HTTPInputData $httpInput, float $start_time)
        {
                $this->profiler->set($start_time, 'start');
                $this->profiler->set(microtime(true), 'classinit');
@@ -702,9 +704,13 @@ class App
                                $module = $router->getModule();
                        }
 
+                       // Processes data from GET requests
+                       $httpinput = $httpInput->process();
+                       $input     = array_merge($httpinput['variables'], $httpinput['files'], $request ?? $_REQUEST);
+
                        // Let the module run it's internal process (init, get, post, ...)
-                       $response = $module->run($_POST, $_REQUEST);
-                       if ($response->getHeaderLine('X-RESPONSE-TYPE') === ICanCreateResponses::TYPE_HTML) {
+                       $response = $module->run($input);
+                       if ($response->getHeaderLine(ICanCreateResponses::X_HEADER) === ICanCreateResponses::TYPE_HTML) {
                                $page->run($this, $this->baseURL, $this->args, $this->mode, $response, $this->l10n, $this->profiler, $this->config, $pconfig);
                        } else {
                                $page->exit($response);