In the recent pentest, it was pointed out as a low-severity issue that the action API can suffer from "verb tampering".
Verb tampering ( https://web.archive.org/web/20170517030540/http://cdn2.hubspot.net/hub/315719/file-1344244110-pdf/download-files/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf ) is when access to an endpoint is restricted via a WAF rule or other access control, but the restriction only covers a specific blacklist of HTTP methods. The attacker evades the access control by using an HTTP method like `DELETE`, which our API would treat like a GET.
I don't really think this is in our threat model. But I think the fact that DELETE and PUT act like GET is potentially confusing to users. To that end, I would like to propose that the action API respond with a 405 status code for any HTTP method other than GET, HEAD, POST or OPTIONS.
Instructions on how to complete the task (for GCI students)
---------
The goal of this task is to respond with a 405 status code when people use unsupported HTTP methods with the ActionAPI.
For example, the following command:
```lang=sh
curl -X DELETE 'https://en.wikipedia.org/w/api.php?action=query&prop=info&titles=Main_Page&format=json'
```
responds as if the user specified GET instead of DELETE. This is confusing.
To change this:
* Open up includes/api/ApiMain.php and locate the `setupExternalResponse` method.
* Near the existing check for POST, add another check that verifies the method is one of GET, HEAD, POST or OPTIONS (perhaps using an `if ( !in_array(...` check). See also https://doc.wikimedia.org/mediawiki-core/master/php/classWebRequest.html#a62d0b77ab586b36143f8f2af38b6e101
* If the method is not one of the allowed methods, call [[ https://doc.wikimedia.org/mediawiki-core/master/php/classApiBase.html#a1cfc6cf9a16ada2827a13724e44090f6 | $this->dieWithError(...) ]]. The fourth argument should be 405 so that a 405 HTTP status code is returned.
* Add the message key (starting with `apierror-`) you used in the call to dieWithError() to i18n/en.json and i18n/qqq.json (do not worry about other translations; they are handled by translatewiki).
* Test your change to make sure it works properly.
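As an added illustration of the steps above (this is example code, not the actual MediaWiki patch), here is the shape of the check that goes inside `setupExternalResponse`; the message key `apierror-badhttpmethod` is an assumed name, and the `Allow` header is an extra that RFC 7231 expects on a 405 response but that the task text does not require.

```php
<?php
// Added example, not MediaWiki's own code. This fragment belongs inside
// ApiMain::setupExternalResponse(), next to the existing POST handling.
// 'apierror-badhttpmethod' is a constructed message key: add whatever key
// you choose to i18n/en.json and i18n/qqq.json.

$request = $this->getRequest();              // WebRequest
$method = strtoupper( $request->getMethod() ); // e.g. "GET", "DELETE"

// An allow-list rather than a block-list: any verb not named here is
// rejected, so DELETE, PUT, PATCH, TRACE and anything else can never fall
// through to the GET-like code path that caused the confusion.
$allowedMethods = [ 'GET', 'HEAD', 'POST', 'OPTIONS' ];

if ( !in_array( $method, $allowedMethods, true ) ) {
	// A 405 response should advertise the verbs that are accepted
	// (optional for this task, but cheap and standards-friendly).
	$request->response()->header( 'Allow: ' . implode( ', ', $allowedMethods ) );

	// Fourth argument sets the HTTP status code of the error response;
	// the message receives the offending method as $1 for the error text.
	$this->dieWithError( [ 'apierror-badhttpmethod', $method ], null, null, 405 );
}
```

To test, run `curl -i -X DELETE` (and PUT, PATCH) against a local `api.php` and confirm the status line reads 405 while GET, HEAD, POST and OPTIONS still behave as before.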