Respond with HTTP status 405 to DELETE/PUT/PATCH request on a static resource

vedranmiletic · Marin Martuslović · bukka · commit 7065a222b777 · 2022-08-28T13:26:30.000+01:00
Co-authored-by: Marin Martuslović &lt;marin.martuslovic@student.uniri.hr&gt;
diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
@@ -202,6 +202,7 @@ typedef struct php_cli_server_http_response_status_code_pair {
 static php_cli_server_http_response_status_code_pair template_map[] = {
 	{ 400, "<h1>%s</h1><p>Your browser sent a request that this server could not understand.</p>" },
 	{ 404, "<h1>%s</h1><p>The requested resource <code class=\"url\">%s</code> was not found on this server.</p>" },
+	{ 405, "<h1>%s</h1><p>Requested method not allowed.</p>" },
 	{ 500, "<h1>%s</h1><p>The server is temporarily unavailable.</p>" },
 	{ 501, "<h1>%s</h1><p>Request method not supported.</p>" }
 };
@@ -2040,6 +2041,15 @@ static zend_result php_cli_server_send_error_page(php_cli_server *server, php_cl
 		smart_str_appends_ex(&buffer, "Content-Length: ", 1);
 		smart_str_append_unsigned_ex(&buffer, php_cli_server_buffer_size(&client->content_sender.buffer), 1);
 		smart_str_appendl_ex(&buffer, "\r\n", 2, 1);
+		if (status == 405) {
+			smart_str_appends_ex(&buffer, "Allow: ", 1);
+			smart_str_appends_ex(&buffer, php_http_method_str(PHP_HTTP_GET), 1);
+			smart_str_appends_ex(&buffer, ", ", 1);
+			smart_str_appends_ex(&buffer, php_http_method_str(PHP_HTTP_HEAD), 1);
+			smart_str_appends_ex(&buffer, ", ", 1);
+			smart_str_appends_ex(&buffer, php_http_method_str(PHP_HTTP_POST), 1);
+			smart_str_appendl_ex(&buffer, "\r\n", 2, 1);
+		}
 		smart_str_appendl_ex(&buffer, "\r\n", 2, 1);
 
 		chunk = php_cli_server_chunk_heap_new(buffer.s, ZSTR_VAL(buffer.s), ZSTR_LEN(buffer.s));
@@ -2094,6 +2104,12 @@ static zend_result php_cli_server_begin_send_static(php_cli_server *server, php_
 	int fd;
 	int status = 200;
 
+	if (client->request.request_method == PHP_HTTP_DELETE
+		|| client->request.request_method == PHP_HTTP_PUT
+		|| client->request.request_method == PHP_HTTP_PATCH) {
+		return php_cli_server_send_error_page(server, client, 405);
+	}
+
 	if (client->request.path_translated && strlen(client->request.path_translated) != client->request.path_translated_len) {
 		/* can't handle paths that contain nul bytes */
 		return php_cli_server_send_error_page(server, client, 400);
diff --git a/sapi/cli/tests/php_cli_server_013.phpt b/sapi/cli/tests/php_cli_server_013.phpt
@@ -58,6 +58,60 @@ HEAD /main/foo/bar HTTP/1.1
 Host: {$host}
 
 
+HEADER
+)) {
+    while (!feof($fp)) {
+        $output .= fgets($fp);
+    }
+}
+
+echo preg_replace("/<style>(.*?)<\/style>/s", "<style>AAA</style>", $output), "\n";
+fclose($fp);
+
+$output = '';
+$fp = php_cli_server_connect();
+
+if(fwrite($fp, <<<HEADER
+DELETE / HTTP/1.1
+Host: {$host}
+
+
+HEADER
+)) {
+    while (!feof($fp)) {
+        $output .= fgets($fp);
+    }
+}
+
+echo preg_replace("/<style>(.*?)<\/style>/s", "<style>AAA</style>", $output), "\n";
+fclose($fp);
+
+$output = '';
+$fp = php_cli_server_connect();
+
+if(fwrite($fp, <<<HEADER
+PUT / HTTP/1.1
+Host: {$host}
+
+
+HEADER
+)) {
+    while (!feof($fp)) {
+        $output .= fgets($fp);
+    }
+}
+
+echo preg_replace("/<style>(.*?)<\/style>/s", "<style>AAA</style>", $output), "\n";
+fclose($fp);
+
+$output = '';
+$fp = php_cli_server_connect();
+
+if(fwrite($fp, <<<HEADER
+PATCH / HTTP/1.1
+Host: {$host}
+
+
 HEADER
 )) {
     while (!feof($fp)) {
@@ -93,3 +147,35 @@ Date: %s
 Connection: close
 Content-Type: text/html; charset=UTF-8
 Content-Length: %d
+
+
+HTTP/1.1 405 Method Not Allowed
+Host: %s
+Date: %s
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Content-Length: %d
+Allow: GET, HEAD, POST
+
+<!doctype html><html><head><title>405 Method Not Allowed</title><style>AAA</style>
+</head><body><h1>Method Not Allowed</h1><p>Requested method not allowed.</p></body></html>
+HTTP/1.1 405 Method Not Allowed
+Host: %s
+Date: %s
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Content-Length: %d
+Allow: GET, HEAD, POST
+
+<!doctype html><html><head><title>405 Method Not Allowed</title><style>AAA</style>
+</head><body><h1>Method Not Allowed</h1><p>Requested method not allowed.</p></body></html>
+HTTP/1.1 405 Method Not Allowed
+Host: %s
+Date: %s
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Content-Length: %d
+Allow: GET, HEAD, POST
+
+<!doctype html><html><head><title>405 Method Not Allowed</title><style>AAA</style>
+</head><body><h1>Method Not Allowed</h1><p>Requested method not allowed.</p></body></html>
