16212: Disallow overriding HTTP method on GET requests.
authorTom Clegg <tom@tomclegg.ca>
Mon, 30 Mar 2020 21:26:40 +0000 (17:26 -0400)
committerTom Clegg <tom@tomclegg.ca>
Mon, 30 Mar 2020 21:26:40 +0000 (17:26 -0400)
Removes an opportunity to circumvent CORS restrictions.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@tomclegg.ca>

lib/controller/router/router.go

index 59205788dddd94f0ca6a25086c41bb5f973d5f7e..c347e2f795517f74c9f67ec0311ba41d3250dafb 100644 (file)
@@ -399,15 +399,17 @@ func (rtr *router) ServeHTTP(w http.ResponseWriter, r *http.Request) {
        if r.Method == "OPTIONS" {
                return
        }
-       r.ParseForm()
-       if m := r.FormValue("_method"); m != "" {
-               r2 := *r
-               r = &r2
-               r.Method = m
-       } else if m = r.Header.Get("X-Http-Method-Override"); m != "" {
-               r2 := *r
-               r = &r2
-               r.Method = m
+       if r.Method == "POST" {
+               r.ParseForm()
+               if m := r.FormValue("_method"); m != "" {
+                       r2 := *r
+                       r = &r2
+                       r.Method = m
+               } else if m = r.Header.Get("X-Http-Method-Override"); m != "" {
+                       r2 := *r
+                       r = &r2
+                       r.Method = m
+               }
        }
        rtr.mux.ServeHTTP(w, r)
 }
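Review bot: The return value of `r.ParseForm()` inside the new `if r.Method == "POST"` branch is still discarded, so a POST with a malformed body is routed with its original method and no error is reported. I would check it: `if err := r.ParseForm(); err != nil { http.Error(w, err.Error(), http.StatusBadRequest); return }`. The override value `m` is also copied into `r.Method` verbatim from either `_method` or `X-Http-Method-Override`. Since the commit's purpose is to narrow what an override can do, comparing `m` against the small set of methods the API expects (and rejecting anything else) would make that restriction explicit rather than relying on how `rtr.mux` treats unknown methods, which is not visible here. A one-line comment such as `// Method override is honoured only for POST, so a GET cannot be turned into a state-changing request.` would record the reason for the guard. ServeHTTP begins before this hunk, so earlier handling is not visible.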