Don't unserialize until we know the user is allowed to make calls

2026-03-20 16:50:24 +00:00 · 2019-08-28 11:31:15 -07:00
parent 33f1b66d8d
commit fd3b2efa3d
1 changed files with 1 additions and 1 deletions
--- a/rpc.cgi
+++ b/rpc.cgi
@@ -23,7 +23,6 @@ if ($ENV{'REQUEST_METHOD'} eq 'POST') {
 else {
 	$rawarg = $ENV{'QUERY_STRING'};
 	}
-$arg = &unserialise_variable($rawarg);
 $| = 1;
 print "Content-type: text/plain\n\n";

@@ -35,6 +34,7 @@ if ($access{'rpc'} == 0 || $access{'rpc'} == 2 &&
 	print &serialise_variable( { 'status' => 0 } );
 	exit;
 	}
+$arg = &unserialise_variable($rawarg);

 if ($arg->{'newsession'}) {
 	# Need to fork a new session-handler process