From a954f43cdf4b6935444c2f4d163c87709c72dccc Mon Sep 17 00:00:00 2001
From: "Hahn Axel (hahn)" <axel.hahn@unibe.ch>
Date: Fri, 11 Oct 2024 14:42:55 +0200
Subject: [PATCH] valuestore: disallow GET for action=update

---
 public_html/valuestore/index.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/public_html/valuestore/index.php b/public_html/valuestore/index.php
index f554bdbf..c493407e 100644
--- a/public_html/valuestore/index.php
+++ b/public_html/valuestore/index.php
@@ -87,6 +87,12 @@ function getParam(string $sKey, string $sRegex4Cleanup = ''): bool|int|string
  */
 function disallowGet(string $sVar, string $sValue): void
 {
+    if (isset($_POST[$sVar]) && $_POST[$sVar] == $sValue) {
+        // the value was found in the POST scope
+        // then we don't need to check the GET scope
+        return;
+    } 
+
     if (isset($_GET[$sVar]) && $_GET[$sVar] == $sValue) {
         quit("ERROR: $sVar = $sValue is not allowed with GET.");
     }
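Review bot: Both branches of disallowGet() compare the raw superglobal with loose `==`, so the guard fires only on the exact string and never sees any cleanup applied when the action is actually read. getParam() in the hunk header takes a cleanup regex; if `action` is read through it (that call is not in this diff), the value checked here and the value acted on can differ, so it would be safer to compare the same cleaned value or to decide on `$_SERVER['REQUEST_METHOD'] !== 'POST'` before dispatching. At minimum use strict comparison, `if (isset($_POST[$sVar]) && $_POST[$sVar] === $sValue) {`, and likewise on the `$_GET` line. The docblock above the function starts outside the hunk and should state that a matching POST value short-circuits the GET check.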
@@ -108,9 +114,7 @@ if (
 }
 disallowGet('action', 'cleanup');
 disallowGet('action', 'delete');
-
-// used by Anasible to update the value ... I disable it for now to fix it in the near future
-// disallowGet('action', 'update');
+disallowGet('action', 'update');
 
 $sProject = getParam('project', '/[^a-z\-\_0-9]/');
 $sPackage = getParam('package', '/[^a-z\-\_0-9]/');
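Review bot: The three `disallowGet('action', ...)` calls form a denylist, so any state-changing action that is not listed here remains reachable via GET by default. If the set of read-only actions is small, checking the request method against an allowlist of those actions would fail closed when a new action is added later. The removed comment was the only place that recorded that an external Ansible caller updates values through this endpoint; a short replacement such as `// state-changing actions must be sent via POST (Ansible caller included)` above the calls would keep that context. The top-level code around these calls continues outside the hunk.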
-- 
GitLab