From d6c92704a107f669ba51475c9af4578b7377be5d Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Mon, 15 Aug 2022 14:53:51 +0800
Subject: [PATCH 1/2] Restrict more WebAPI endpoints to POST method only
---
 src/webui/webapplication.h | 56 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 54 insertions(+), 2 deletions(-)
diff --git a/src/webui/webapplication.h b/src/webui/webapplication.h
index 2eb8f12f6..02a8d576b 100644
--- a/src/webui/webapplication.h
+++ b/src/webui/webapplication.h
@@ -141,16 +141,68 @@ private:
 const QHash, QString> m_allowedMethod =
 {
 // <, HTTP method>
- // TODO: this list is incomplete
 {{u"app"_qs, u"setPreferences"_qs}, Http::METHOD_POST},
 {{u"app"_qs, u"shutdown"_qs}, Http::METHOD_POST},
 {{u"auth"_qs, u"login"_qs}, Http::METHOD_POST},
 {{u"auth"_qs, u"logout"_qs}, Http::METHOD_POST},
 {{u"rss"_qs, u"addFeed"_qs}, Http::METHOD_POST},
+ {{u"rss"_qs, u"addFolder"_qs}, Http::METHOD_POST},
+ {{u"rss"_qs, u"markAsRead"_qs}, Http::METHOD_POST},
+ {{u"rss"_qs, u"moveItem"_qs}, Http::METHOD_POST},
+ {{u"rss"_qs, u"refreshItem"_qs}, Http::METHOD_POST},
+ {{u"rss"_qs, u"removeItem"_qs}, Http::METHOD_POST},
+ {{u"rss"_qs, u"removeRule"_qs}, Http::METHOD_POST},
+ {{u"rss"_qs, u"renameRule"_qs}, Http::METHOD_POST},
+ {{u"rss"_qs, u"setRule"_qs}, Http::METHOD_POST},
+ {{u"search"_qs, u"delete"_qs}, Http::METHOD_POST},
+ {{u"search"_qs, u"enablePlugin"_qs}, Http::METHOD_POST},
 {{u"search"_qs, u"installPlugin"_qs}, Http::METHOD_POST},
+ {{u"search"_qs, u"start"_qs}, Http::METHOD_POST},
+ {{u"search"_qs, u"stop"_qs}, Http::METHOD_POST},
+ {{u"search"_qs, u"uninstallPlugin"_qs}, Http::METHOD_POST},
+ {{u"search"_qs, u"updatePlugins"_qs}, Http::METHOD_POST},
 {{u"torrents"_qs, u"add"_qs}, Http::METHOD_POST},
 {{u"torrents"_qs, u"addPeers"_qs}, Http::METHOD_POST},
- {{u"torrents"_qs, u"addTrackers"_qs}, Http::METHOD_POST}
+ {{u"torrents"_qs, u"addTags"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"addTrackers"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"bottomPrio"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"createCategory"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"createTags"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"decreasePrio"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"delete"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"deleteTags"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"editCategory"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"editTracker"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"filePrio"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"increasePrio"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"pause"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"reannounce"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"recheck"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"removeCategories"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"removeTags"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"removeTrackers"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"rename"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"renameFile"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"renameFolder"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"resume"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"setAutoManagement"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"setCategory"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"setDownloadLimit"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"setDownloadPath"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"setForceStart"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"setLocation"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"setSavePath"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"setShareLimits"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"setSuperSeeding"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"setUploadLimit"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"toggleFirstLastPiecePrio"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"toggleSequentialDownload"_qs}, Http::METHOD_POST},
+ {{u"torrents"_qs, u"topPrio"_qs}, Http::METHOD_POST},
+ {{u"transfer"_qs, u"banPeers"_qs}, Http::METHOD_POST},
+ {{u"transfer"_qs, u"setDownloadLimit"_qs}, Http::METHOD_POST},
+ {{u"transfer"_qs, u"setSpeedLimitsMode"_qs}, Http::METHOD_POST},
+ {{u"transfer"_qs, u"setUploadLimit"_qs}, Http::METHOD_POST},
+ {{u"transfer"_qs, u"toggleSpeedLimitsMode"_qs}, Http::METHOD_POST},
 };
 bool m_isAltUIUsed = false;
 Path m_rootFolder;
From 72941b10bba9d0c5a343a36fc5529e4c594e1a8a Mon Sep 17 00:00:00 2001
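Review bot: Dropping the `// TODO: this list is incomplete` line makes this table the stated method policy, yet the structure still fails open: a controller/action pair that is not in `m_allowedMethod` presumably keeps accepting GET (the code that consults the table is outside this hunk), so any state-changing endpoint added later is GET-reachable until someone remembers to list it here. Add a maintenance rule above the first entry, e.g. `// Every action that mutates state must appear here; an unlisted action accepts any method`, or consider the default-deny shape where unlisted actions require POST and only the read-only actions are enumerated. Requiring POST is defence in depth rather than a CSRF fix by itself, since a cross-site form submission is also a POST, so this presumably still relies on the existing origin validation — worth confirming that path is unaffected. The initializer is shown in full, but the enclosing class continues outside the hunk.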
From: Chocobo1
Date: Mon, 15 Aug 2022 14:53:59 +0800
Subject: [PATCH 2/2] Use proper request method
---
 src/webui/www/private/scripts/mocha-init.js | 1 +
 src/webui/www/private/scripts/speedslider.js | 4 ++--
 src/webui/www/private/views/rss.html | 2 +-
 src/webui/www/private/views/rssDownloader.html | 4 ++--
 src/webui/www/private/views/search.html | 2 +-
 5 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/webui/www/private/scripts/mocha-init.js b/src/webui/www/private/scripts/mocha-init.js
index 4f8a0e3ba..6e0c9a85f 100644
--- a/src/webui/www/private/scripts/mocha-init.js
+++ b/src/webui/www/private/scripts/mocha-init.js
@@ -1071,6 +1071,7 @@ const initializeWindows = function() {
 if (confirm('QBT_TR(Are you sure you want to quit qBittorrent?)QBT_TR[CONTEXT=MainWindow]')) {
 new Request({
 url: 'api/v2/app/shutdown',
+ method: 'post',
 onSuccess: function() {
 document.write(' QBT_TR(qBittorrent has been shutdown)QBT_TR[CONTEXT=HttpServer]

QBT_TR(qBittorrent has been shutdown)QBT_TR[CONTEXT=HttpServer]

');
 document.close();
diff --git a/src/webui/www/private/scripts/speedslider.js b/src/webui/www/private/scripts/speedslider.js
index ae30ed8e0..be27c8f53 100644
--- a/src/webui/www/private/scripts/speedslider.js
+++ b/src/webui/www/private/scripts/speedslider.js
@@ -35,7 +35,7 @@ MochaUI.extend({
 let maximum = 500;
 new Request({
 url: 'api/v2/transfer/uploadLimit',
- method: 'post',
+ method: 'get',
 data: {},
 onSuccess: function(data) {
 if (data) {
@@ -139,7 +139,7 @@ MochaUI.extend({
 let maximum = 500;
 new Request({
 url: 'api/v2/transfer/downloadLimit',
- method: 'post',
+ method: 'get',
 data: {},
 onSuccess: function(data) {
 if (data) {
diff --git a/src/webui/www/private/views/rss.html b/src/webui/www/private/views/rss.html
index 83a29d448..e4b47ba53 100644
--- a/src/webui/www/private/views/rss.html
+++ b/src/webui/www/private/views/rss.html
@@ -447,7 +447,7 @@
 new Request.JSON({
 url: 'api/v2/rss/items',
 noCache: true,
- method: 'post',
+ method: 'get',
 data: {
 withData: true
 },
diff --git a/src/webui/www/private/views/rssDownloader.html b/src/webui/www/private/views/rssDownloader.html
index a1ec0de4a..1bbd1d841 100644
--- a/src/webui/www/private/views/rssDownloader.html
+++ b/src/webui/www/private/views/rssDownloader.html
@@ -442,7 +442,7 @@ Supports the formats: S01E01, 1x1, 2017.12.31 and 31.12.2017 (Date formats also
 new Request.JSON({
 url: 'api/v2/rss/items',
 noCache: true,
- method: 'post',
+ method: 'get',
 data: {
 withData: false
 },
@@ -630,7 +630,7 @@ Supports the formats: S01E01, 1x1, 2017.12.31 and 31.12.2017 (Date formats also
 new Request.JSON({
 url: 'api/v2/rss/matchingArticles',
 noCache: true,
- method: 'post',
+ method: 'get',
 data: {
 ruleName: ruleName
 },
diff --git a/src/webui/www/private/views/search.html b/src/webui/www/private/views/search.html
index 14a296ccd..690f0fd7e 100644
--- a/src/webui/www/private/views/search.html
+++ b/src/webui/www/private/views/search.html
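Review bot: Switching the `api/v2/transfer/uploadLimit` request from POST to GET makes the response cacheable by the browser, and unlike the rss.html, rssDownloader.html and search.html hunks in this commit, this Request object passes no `noCache: true`, so the slider could be initialised from a stale cached value; the same applies to the `api/v2/transfer/downloadLimit` hunk at @@ -139. Unless the server already sends no-cache headers on these endpoints, which is not visible here, add `noCache: true,` beside `method: 'get',` in both speedslider hunks so they match the other converted requests. The enclosing MochaUI.extend callbacks start and end outside the hunks.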
@@ -647,7 +647,7 @@
 new Request.JSON({
 url: url,
 noCache: true,
- method: 'post',
+ method: 'get',
 data: {
 id: activeSearchId,
 limit: maxResults,