authorFlorian Pritz <bluewind@xinu.at>2014-10-26 21:39:58 +0100
committerFlorian Pritz <bluewind@xinu.at>2015-01-16 17:38:38 +0100
commit349e9f6dc7da0c44ee80d0a73963c1c5cef87131 (patch)
treeecde4a60e67e4de5c40f4d11db5d49ef3c1df9ca /application/controllers/api.php
parentd59962443687127ea1defc2f8ac41af1c2c02fe4 (diff)
misc
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Diffstat (limited to 'application/controllers/api.php')
-rw-r--r--application/controllers/api.php28
1 files changed, 21 insertions, 7 deletions
diff --git a/application/controllers/api.php b/application/controllers/api.php
index 626e7b91a..a7bd09f34 100644
--- a/application/controllers/api.php
+++ b/application/controllers/api.php
@@ -19,20 +19,34 @@ class Api extends MY_Controller {
public function route() {
$requested_version = $this->uri->segment(2);
- $function = $this->uri->segment(3);
+ $controller = $this->uri->segment(3);
+ $function = $this->uri->segment(4);
$major = intval(explode(".", $requested_version)[0]);
- $class = "controllers\\api\\v".$major;
-
- if (!class_exists($class) || version_compare($class::get_version(), $requested_version, "<")) {
- return send_json_error_reply("Requested API version is not supported");
+ if (!preg_match("/^[a-zA-Z-_]+$/", $controller)) {
+ return send_json_error_reply("Invalid controller requested");
}
if (!preg_match("/^[a-zA-Z-_]+$/", $function)) {
return send_json_error_reply("Invalid function requested");
}
- $controller = new $class;
- return $controller->$function();
+ $namespace = "controllers\\api\\v".$major;
+ $class = $namespace."\\".$controller;
+ $class_info = $namespace."\\api_info";
+
+ if (!class_exists($class_info) || version_compare($class_info::get_version(), $requested_version, "<")) {
+ return send_json_error_reply("Requested API version is not supported");
+ }
+
+ if (!class_exists($class)) {
+ return send_json_error_reply("Unknown controller requested");
+ }
+
+ $c= new $class;
+ if (!method_exists($c, $function)) {
+ return send_json_error_reply("Unknown function requested");
+ }
+ return $c->$function();
}
}
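Review bot: The `method_exists($c, $function)` check at the end of `route()` also returns true for private, protected, inherited and magic methods, and the name pattern allows a leading underscore. The URI segment can therefore name `__construct` or any method the controller class inherits, not only the endpoints the API means to expose. Checking visibility and rejecting underscore-prefixed names would narrow this: `if ($function[0] === "_" || !is_callable(array($c, $function))) {`. An explicit per-controller list of exposed method names would be stricter still. Separately, `api_info` itself passes the controller pattern, so it can presumably be requested as a controller; excluding it explicitly would keep the version helper out of the dispatch path.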