fix: only allows PUT, PATCH, DELETE when Method Spoofing

Author: kenjis

system/CodeIgniter.php

@@ -983,7 +983,10 @@ public function spoofRequestMethod()
             return;
         }
 
-        $this->request = $this->request->setMethod($method);
+        // Only allows PUT, PATCH, DELETE
+        if (in_array(strtoupper($method), ['PUT', 'PATCH', 'DELETE'], true)) {
+            $this->request = $this->request->setMethod($method);
+        }
     }
 
     /**

tests/system/CodeIgniterTest.php

@@ -444,4 +444,40 @@ public function testRunCLIRoute()
 
         $this->assertStringContainsString('Method Not Allowed', $output);
     }
+
+    public function testSpoofRequestMethodCanUsePUT()
+    {
+        $_SERVER['argv'] = ['index.php'];
+        $_SERVER['argc'] = 1;
+
+        $_SERVER['REQUEST_URI']     = '/';
+        $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
+        $_SERVER['REQUEST_METHOD']  = 'POST';
+
+        $_POST['_method'] = 'PUT';
+
+        ob_start();
+        $this->codeigniter->useSafeOutput(true)->run();
+        ob_get_clean();
+
+        $this->assertSame('put', Services::request()->getMethod());
+    }
+
+    public function testSpoofRequestMethodCannotUseGET()
+    {
+        $_SERVER['argv'] = ['index.php'];
+        $_SERVER['argc'] = 1;
+
+        $_SERVER['REQUEST_URI']     = '/';
+        $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
+        $_SERVER['REQUEST_METHOD']  = 'POST';
+
+        $_POST['_method'] = 'GET';
+
+        ob_start();
+        $this->codeigniter->useSafeOutput(true)->run();
+        ob_get_clean();
+
+        $this->assertSame('post', Services::request()->getMethod());
+    }
 }