From 27fa9c3c124d63f56bad252b5702191e5d7f7049 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sat, 4 Jun 2016 17:55:48 +0900
Subject: [PATCH] nghttpx: Only allow POST and PUT for API request
---
 src/shrpx_api_downstream_connection.cc | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/shrpx_api_downstream_connection.cc b/src/shrpx_api_downstream_connection.cc
index ee1eb985..12cee7c7 100644
--- a/src/shrpx_api_downstream_connection.cc
+++ b/src/shrpx_api_downstream_connection.cc
@@ -73,6 +73,7 @@ int APIDownstreamConnection::send_reply(unsigned int http_status,
 switch (http_status) {
 case 400:
+ case 405:
 case 413:
 resp.fs.add_header_token(StringRef::from_lit("connection"), StringRef::from_lit("close"), false,
@@ -89,6 +90,7 @@ int APIDownstreamConnection::send_reply(unsigned int http_status,
 int APIDownstreamConnection::push_request_headers() {
 auto &req = downstream_->request();
+ auto &resp = downstream_->response();
 if (req.path != StringRef::from_lit("/api/v1alpha1/backend/replace")) {
 send_reply(404, StringRef::from_lit("404 Not Found"));
@@ -96,6 +98,15 @@ int APIDownstreamConnection::push_request_headers() {
 return 0;
 }
+ if (req.method != HTTP_POST && req.method != HTTP_PUT) {
+ resp.fs.add_header_token(StringRef::from_lit("allow"),
+ StringRef::from_lit("POST, PUT"), false, -1);
+ send_reply(
+ 405, http2::get_status_string(downstream_->get_block_allocator(), 405));
+
+ return 0;
+ }
+
 // This works with req.fs.content_length == -1
 if (req.fs.content_length > static_cast(get_config()->api.max_request_body)) {
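Review bot: The new method gate sits ahead of the `max_request_body` check with no comment saying that ordering is deliberate, so a later refactor could swap the checks and answer a GET or HEAD carrying a large body with 413 (after buffering it) instead of 405. I would add above the new `if`: `// Reject unsupported methods before looking at the body; 405 is in send_reply's connection-close set, so anything the client sends after this is dropped with the connection.` The 405 branch also builds its reason phrase with `http2::get_status_string(...)` while the 404 branch directly above uses the literal `"404 Not Found"`; settling on one form for both replies would make this handler easier to audit. The lines between `send_reply(404, ...)` and its `return 0;` are outside the hunk, so I cannot confirm whether the 405 branch needs to mirror any state update done there; the rest of `push_request_headers` continues past the hunk as well.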