- Issue created by @c-logemann
- 🇩🇪Germany c-logemann Frankfurt/M, Germany
Just a note for myself and not tested yet, but I think this is the solution:
instead of
```php
if ($this_keys == []) {
```
use this:
```php
if ($this_keys == []) {
  if ($this_mode == 'deny') {
    // No need to check Parameter.
    $this_method_param_match = TRUE;
  }
  else {
    // Allow GET with empty get parameter.
    if ($params_sent == []) {
      $this_method_param_match = TRUE;
    }
  }
}
else {
```
Example config should also be improved for this.
- 🇩🇪Germany c-logemann Frankfurt/M, Germany
I was thinking about this situation and came to the result that it is already possible "to only allow GET without any parameter" when using an additional deny rule. But this should be easier, like it is with the suggested change above.
- 🇩🇪Germany c-logemann Frankfurt/M, Germany
When testing this part I found some other logic problems in the parameter allow check which are hard to explain. But it's easier for me to fix both things at once.
The code is fixed and will be committed first to the company GitLab and will soon be merged here.
- Merge request !1 Issue #3437524: Empty parameter logic missing and allow parameter check is wrong → (Merged) created by c-logemann
- 🇩🇪Germany c-logemann Frankfurt/M, Germany
C-Logemann → changed the visibility of the branch 1.0.x to hidden.
- C-Logemann → committed 076b29aa on 1.0.x
  Issue #3437524: Empty parameter logic missing and allow parameter check...
- Status changed to Fixed (9:46am 3 April 2024)
- 🇩🇪Germany c-logemann Frankfurt/M, Germany
I think I also created a good example of a situation where a code change can bring a problematic error. This shows that this module needs tests, especially for the allow/deny logic. But the development of this module was just started by one single developer. That means there is also a need for peer review, and I already asked for this in the security discussion channel on community Slack.
Automatically closed - issue fixed for 2 weeks with no activity.
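
The empty-key branch proposed in the first comment, written as a stand-alone function with a table-driven check of the kind the last comment says the allow/deny logic needs. This is an added example, not the module's code: the function name, the `'allow'` mode string, the assumption that the match flag starts as FALSE, and the sample parameters are assumptions, and the branch for rules with configured keys is left out because the thread does not show it.

```php
<?php
declare(strict_types=1);

/**
 * Empty-key-list branch of the parameter check, as proposed in the issue.
 *
 * Returns NULL when keys are configured: that branch is not shown in the
 * thread. Assumption: the match flag is FALSE before this check runs.
 */
function empty_keys_param_match(string $mode, array $keys, array $params_sent): ?bool {
  if ($keys !== []) {
    return NULL;
  }
  if ($mode === 'deny') {
    // No parameter keys configured: the deny rule matches every request.
    return TRUE;
  }
  // Allow rule without keys: match only a request that carries no parameters.
  return $params_sent === [];
}

// Constructed cases: [mode, configured keys, parameters sent, expected match].
$cases = [
  ['deny', [], [], TRUE],
  ['deny', [], ['page' => '2'], TRUE],
  ['allow', [], [], TRUE],
  ['allow', [], ['page' => '2'], FALSE],
  // A parameter with an empty value is still a sent parameter.
  ['allow', [], ['q' => ''], FALSE],
  // Rules with configured keys are out of scope here.
  ['allow', ['page'], ['page' => '2'], NULL],
];

$failures = 0;
foreach ($cases as [$mode, $keys, $params, $expected]) {
  $actual = empty_keys_param_match($mode, $keys, $params);
  $ok = ($actual === $expected);
  $failures += $ok ? 0 : 1;
  printf("%-5s keys=%s params=%s => %s %s\n",
    $mode, json_encode($keys), json_encode($params),
    var_export($actual, TRUE), $ok ? 'ok' : 'FAIL');
}
// Non-zero exit code when any case disagrees, so the script can run in CI.
exit($failures === 0 ? 0 : 1);
```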