From ddb5c35ccd24a7d02ad165fc85374842d3e0853d Mon Sep 17 00:00:00 2001
From: Markus Birth <mbirth@gmail.com>
Date: Sun, 5 Nov 2017 01:36:18 +0100
Subject: [PATCH] Added incoming data validation.

---
 index.php | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/index.php b/index.php
index a921b4c..25e6a3e 100644
--- a/index.php
+++ b/index.php
@@ -2,6 +2,25 @@
 
 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
     $input_xml = file_get_contents('php://input', false, NULL, -1, 8192);   // read max 8 KiB
+    if (strlen($input_xml) >= 8192) {
+        // Max length, probably even longer, definitely no XML
+        http_response_code(413);   // "Payload too large"
+        exit;
+    }
+    $dom = new DOMDocument();
+    $load_ok = $dom->loadXML($input_xml, LIBXML_NOENT);
+    if (!$load_ok || $dom->childNodes->length < 1) {
+        // XML could not be parsed - invalid or no XML
+        http_response_code(406);   // "Not acceptable"
+        exit;
+    }
+    $root_node = $dom->childNodes->item(0);
+    if ($root_node->nodeName != 'GOTU') {
+        // Root node isn't <GOTU>, so no update XML
+        http_response_code(412);   // "Precondition failed"
+        exit;
+    }
+    // ### At this point we can be relatively sure to have the XML we want
     echo "Input length is " . strlen($input_xml) . " Bytes." . PHP_EOL;
     echo $input_xml . PHP_EOL;
     // TODO: Check if it's XML
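Review bot: The `loadXML()` call is given `LIBXML_NOENT`, which enables entity substitution on a body read straight from `php://input`; that is the libxml option that makes external-entity (XXE) processing possible on untrusted XML, and nothing in this validation needs entity expansion, so the flag should be dropped and network access disabled instead: `$load_ok = $dom->loadXML($input_xml, LIBXML_NONET);`. A second point is that `$dom->childNodes->item(0)` is simply the first child node, so a leading comment or processing instruction would pass the parse and then fail the name check, whereas `$dom->documentElement` is the root element itself: `$root_node = $dom->documentElement;` followed by `if ($root_node === null || $root_node->nodeName !== 'GOTU') {`. `loadXML()` also emits PHP warnings on malformed input, so calling `libxml_use_internal_errors(true)` before it would keep parser diagnostics out of the response body. With these checks in place the trailing `// TODO: Check if it's XML` comment is stale and should be removed.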
@@ -10,7 +29,7 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
     exit;
 }
 
-echo "Here is the normal page.";
+echo "Here is the normal page. " . $_SERVER['REQUEST_METHOD'];
 
 
 // TODO: Show statistics from database
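Review bot: The changed echo writes `$_SERVER['REQUEST_METHOD']` into the page without escaping; the method token is supplied by the client and the response is presumably served as HTML, so it should be treated like any other reflected request data: `echo "Here is the normal page. " . htmlspecialchars($_SERVER['REQUEST_METHOD'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. If the output is meant to be plain text, an explicit `header('Content-Type: text/plain; charset=utf-8');` before the echo would make that explicit instead.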