From a0f34d3d96dd54f40548ad8d8d46edb2cb18fa60 Mon Sep 17 00:00:00 2001
From: "Lukas Rieger (Blue)"
Date: Wed, 15 Feb 2023 21:10:23 +0100
Subject: [PATCH] Prevent the integrated webserver from sending raw php files

---
 .../bluemap/common/web/FileRequestHandler.java | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/BlueMapCommon/src/main/java/de/bluecolored/bluemap/common/web/FileRequestHandler.java b/BlueMapCommon/src/main/java/de/bluecolored/bluemap/common/web/FileRequestHandler.java
index a2d36fa2..8fd771f5 100644
--- a/BlueMapCommon/src/main/java/de/bluecolored/bluemap/common/web/FileRequestHandler.java
+++ b/BlueMapCommon/src/main/java/de/bluecolored/bluemap/common/web/FileRequestHandler.java
@@ -51,13 +51,11 @@ public FileRequestHandler(Path webRoot) {
     @Override
     public HttpResponse handle(HttpRequest request) {
         if (
-                !request.getMethod().equalsIgnoreCase("GET") &&
-                !request.getMethod().equalsIgnoreCase("POST")
-        ) return new HttpResponse(HttpStatusCode.NOT_IMPLEMENTED);
+                !request.getMethod().equalsIgnoreCase("GET")
+        ) return new HttpResponse(HttpStatusCode.BAD_REQUEST);
 
         HttpResponse response = generateResponse(request);
-
         return response;
     }
 
@@ -103,6 +101,11 @@ private HttpResponse generateResponse(HttpRequest request) {
             return new HttpResponse(HttpStatusCode.NOT_FOUND);
         }
 
+        // don't send php files
+        if (file.getName().endsWith(".php")) {
+            return new HttpResponse(HttpStatusCode.FORBIDDEN);
+        }
+
         // check if file is still in web-root and is not a directory
         if (!file.toPath().normalize().startsWith(webRoot) || file.isDirectory()){
             return new HttpResponse(HttpStatusCode.FORBIDDEN);
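Review bot: Answering every non-GET request with BAD_REQUEST in handle() is the wrong status for a static file endpoint: an unsupported method is conventionally 405 Method Not Allowed together with an `Allow: GET` header (or the 501 the old code returned), and HEAD in particular is routinely sent by browsers, caches and uptime checks and would now get a 400. If the project's HttpStatusCode has a 405 constant, prefer it here; if not, keeping NOT_IMPLEMENTED is closer to the spec than BAD_REQUEST, and supporting HEAD (same headers, empty body) is worth considering since the handler only reads files. Narrowing the accepted methods by dropping POST is itself fine. The remaining `HttpResponse response = generateResponse(request); return response;` can simply be `return generateResponse(request);`.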
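Review bot: The new guard is a case-sensitive deny-list on `file.getName()`, so a `.PHP` or mixed-case name on a case-insensitive filesystem (Windows, default macOS) passes it, and a single suffix only covers part of what a PHP-enabled host would treat as server-side source. If the goal is to never serve such source from the web root, decide on the normalized path that is actually served and compare case-insensitively, e.g. `String name = file.toPath().normalize().getFileName().toString(); if (name.toLowerCase(Locale.ROOT).endsWith(".php")) return new HttpResponse(HttpStatusCode.FORBIDDEN);` (needs `java.util.Locale`), placed after the existing web-root/directory check so both decisions are made on the same path; an allow-list of the extensions the map viewer actually needs would be stronger than any deny-list. generateResponse() starts and ends outside this hunk, so I cannot see how `file` is constructed or later opened — worth confirming that the path checked here is the same one that is read.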