From b952506c1038e419753d00e46138f21a27cbad96 Mon Sep 17 00:00:00 2001
From: Armon Dadgar
Date: Tue, 19 Aug 2014 14:28:34 -0700
Subject: [PATCH] agent: Strict PUT for modifying ACLs

---
 command/agent/acl_endpoint.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/command/agent/acl_endpoint.go b/command/agent/acl_endpoint.go
index 52db96fec2..4871307991 100644
--- a/command/agent/acl_endpoint.go
+++ b/command/agent/acl_endpoint.go
@@ -20,6 +20,12 @@ func aclDisabled(resp http.ResponseWriter, req *http.Request) (interface{}, erro
 }
 
 func (s *HTTPServer) ACLDestroy(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
+ // Mandate a PUT request
+ if req.Method != "PUT" {
+ resp.WriteHeader(405)
+ return nil, nil
+ }
+
 args := structs.ACLRequest{
 Datacenter: s.agent.config.ACLDatacenter,
 Op: structs.ACLDelete,
@@ -99,6 +105,12 @@ func (s *HTTPServer) aclSet(resp http.ResponseWriter, req *http.Request, update
 }
 
 func (s *HTTPServer) ACLClone(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
+ // Mandate a PUT request
+ if req.Method != "PUT" {
+ resp.WriteHeader(405)
+ return nil, nil
+ }
+
 args := structs.ACLSpecificRequest{
 Datacenter: s.agent.config.ACLDatacenter,
 }
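Review bot: The 405 written by the new method guard in ACLDestroy carries no `Allow` header and uses the bare literal 405, so a client that sends another verb is not told which one the endpoint accepts; the identical guard added in ACLClone has the same gap. Setting `resp.Header().Set("Allow", "PUT")` before `resp.WriteHeader(http.StatusMethodNotAllowed)` makes the rejection self-describing and names the status. Because this guard is what keeps a state-changing ACL operation from being triggered by a plain GET, each handler deserves a test asserting that a non-PUT request returns 405 and never reaches the request-building code that follows. The guard is repeated verbatim in both handlers, so a small shared helper would keep the two from drifting; whether aclSet enforces the same check is not visible here, and both function bodies continue outside their hunks.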