From 3122bc42eb59b005bc5e5036480e1116c0b59a49 Mon Sep 17 00:00:00 2001
From: Florian Pritz
Date: Wed, 7 Oct 2020 14:03:34 +0200
Subject: API: Only consider public methods as API endpoints

We are not only interested in checking if a method exists here, but really also if it can be called (e.g. if it is public). Private methods should not be considered as potential API endpoints. Before this, private methods could be called, leading to a 500 error due to a call to the private method.
Signed-off-by: Florian Pritz
---
 application/controllers/Api.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/application/controllers/Api.php b/application/controllers/Api.php
index 4f32ad427..b41f090dd 100644
--- a/application/controllers/Api.php
+++ b/application/controllers/Api.php
@@ -52,7 +52,7 @@ class Api extends MY_Controller {
 }

 $c= new $class;
- if (!method_exists($c, $function)) {
+ if (!method_exists($c, $function) || !is_callable([$c, $function])) {
 throw new \exceptions\UserInputException("api/unknown-endpoint", "Unknown endpoint requested");
 }
 return $this->send_json_reply($c->$function());
--
cgit v1.2.3-24-g4f1b
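Review bot: The new condition `!method_exists($c, $function) || !is_callable([$c, $function])` still accepts every public method of `$class`, including inherited ones and magic methods such as `__construct`, so any public helper on an endpoint class stays reachable through `$c->$function()` if `$function` comes from the request (its origin is outside this hunk). `is_callable()` is also evaluated from the scope of `Api`, so it would report a protected method as callable if an endpoint class ever shared a hierarchy with this controller. A check that does not depend on the calling scope is firmer, e.g. `|| !(new \ReflectionMethod($c, $function))->isPublic() || strncmp($function, '__', 2) === 0`, ideally backed by an explicit per-class list of endpoint names. The enclosing method starts before the hunk, so how `$class` and `$function` are validated earlier cannot be confirmed from here.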