[SECURITY] Avoid remote execution

Avoid an unexpected function to be run by using a non existent HTTP
verb.

Author: Mateu Aguiló Bosch

restful.module

@@ -505,6 +505,11 @@ function restful_menu_process_callback($resource_name, $version = NULL) {
   $request = restful_parse_request();
 
   try {
+    if (!\RestfulBase::isValidMethod($method, FALSE)) {
+      throw new RestfulBadRequestException(format_string('Unsupported method @method.', array(
+        '@method' => $method,
+      )));
+    }
     return $handler->{$method}($path, $request);
   }
   catch (RestfulException $e) {

tests/RestfulHookMenuTestCase.test

@@ -67,6 +67,14 @@ class RestfulHookMenuTestCase extends RestfulCurlBaseTestCase {
 
     $node1 = node_load($node1->nid);
     $this->assertEqual($node1->title, 'new title', 'HTTP method was overriden.');
+
+    // Try to override with an invalid method.
+    $headers = array('X-HTTP-Method-Override' => 'MALICIOUS');
+    $body = array(
+      'label' => 'new title',
+    );
+    $result = $this->httpRequest('api/v1.0/articles/' . $node1->nid, \RestfulInterface::POST, $body, $headers);
+    $this->assertTrue($result['code'] > 399, 'Bad overridden method is caught.');
   }
 
   /**