From fd3b2efa3de0013755fea5a7cea39cafa0118a70 Mon Sep 17 00:00:00 2001
From: Jamie Cameron <jcameron@webmin.com>
Date: Wed, 28 Aug 2019 11:31:15 -0700
Subject: [PATCH] Don't unserialize until we know the user is allowed to make
 calls

---
 rpc.cgi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rpc.cgi b/rpc.cgi
index eb7cf3f1a..e90abe196 100755
--- a/rpc.cgi
+++ b/rpc.cgi
@@ -23,7 +23,6 @@ if ($ENV{'REQUEST_METHOD'} eq 'POST') {
 else {
 	$rawarg = $ENV{'QUERY_STRING'};
 	}
-$arg = &unserialise_variable($rawarg);
 $| = 1;
 print "Content-type: text/plain\n\n";
 
@@ -35,6 +34,7 @@ if ($access{'rpc'} == 0 || $access{'rpc'} == 2 &&
 	print &serialise_variable( { 'status' => 0 } );
 	exit;
 	}
+$arg = &unserialise_variable($rawarg);
 
 if ($arg->{'newsession'}) {
 	# Need to fork a new session-handler process