From a50e0ea9981e385937566bcdf3d51a97181cffb4 Mon Sep 17 00:00:00 2001
From: Graham <gpe@openrs2.org>
Date: Wed, 26 May 2021 18:08:07 +0100
Subject: [PATCH] Restrict supported HTTP methods

Signed-off-by: Graham <gpe@openrs2.org>
---
 .../kotlin/org/openrs2/game/net/http/HttpChannelHandler.kt  | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/game/src/main/kotlin/org/openrs2/game/net/http/HttpChannelHandler.kt b/game/src/main/kotlin/org/openrs2/game/net/http/HttpChannelHandler.kt
index 7fbac7fa..462f5c1e 100644
--- a/game/src/main/kotlin/org/openrs2/game/net/http/HttpChannelHandler.kt
+++ b/game/src/main/kotlin/org/openrs2/game/net/http/HttpChannelHandler.kt
@@ -4,6 +4,7 @@ import io.netty.channel.ChannelHandler
 import io.netty.channel.ChannelHandlerContext
 import io.netty.channel.SimpleChannelInboundHandler
 import io.netty.handler.codec.http.HttpHeaderValues
+import io.netty.handler.codec.http.HttpMethod
 import io.netty.handler.codec.http.HttpRequest
 import io.netty.handler.codec.http.HttpResponseStatus
 import io.netty.handler.timeout.IdleStateEvent
@@ -28,6 +29,11 @@ public class HttpChannelHandler @Inject constructor(
             return
         }
 
+        if (msg.method() != HttpMethod.HEAD && msg.method() != HttpMethod.GET) {
+            Http.writeResponse(ctx, msg, HttpResponseStatus.METHOD_NOT_ALLOWED)
+            return
+        }
+
         fileProvider.get(uri.substring(1)).use { file ->
             if (file == null) {
                 Http.writeResponse(ctx, msg, HttpResponseStatus.NOT_FOUND)