From b82b772c6afac73f09c948eb4bb224b844cb280b Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Mon, 1 Jun 2026 13:55:49 +0200
Subject: [PATCH 1/2] Don't blocklist GET requests, instead allowlist POST requests
There are many more request types than GET and POST, and there is no reason to accept them.
---
 cgi-bin/pgstatus.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cgi-bin/pgstatus.pl b/cgi-bin/pgstatus.pl
index 08f3477..9efd0b7 100755
--- a/cgi-bin/pgstatus.pl
+++ b/cgi-bin/pgstatus.pl
@@ -60,9 +60,9 @@ my $query = CGI->new;
-# don't let people play games with GET requests - this should be called via POST
+# don't let people play games with GET (or other) requests - this should be called via POST
 # the URL should only contain the signature
-if ($query->request_method eq 'GET')
+if ($query->request_method ne 'POST')
 {
 print
 "Status: 496 wrong request method\nContent-Type: text/plain\n\n",
From ca2124620bba04c23294e547435a46522cc635f0 Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Mon, 1 Jun 2026 13:58:46 +0200
Subject: [PATCH 2/2] Fix http status code for method not allowed
HTTP has a standard status code when using the wrong method, so use that.
---
 cgi-bin/pgstatus.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cgi-bin/pgstatus.pl b/cgi-bin/pgstatus.pl
index 9efd0b7..6adde66 100755
--- a/cgi-bin/pgstatus.pl
+++ b/cgi-bin/pgstatus.pl
@@ -65,7 +65,7 @@ if ($query->request_method ne 'POST')
 {
 print
- "Status: 496 wrong request method\nContent-Type: text/plain\n\n",
+ "Status: 405 Method Not Allowed\nContent-Type: text/plain\n\n",
 "wrong request method\n";
 exit;
 }
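Review bot: The new `if ($query->request_method ne 'POST')` compares against a value that is presumably taken from the `REQUEST_METHOD` environment variable, which is absent when the script is run outside a web server (for example from the command line while debugging); under `use warnings` the comparison then emits an uninitialized-value warning before rejecting, whereas the old `eq 'GET'` silently fell through. If the file already targets Perl 5.10 or later, `if (($query->request_method // '') ne 'POST')` keeps the same rejection without the noise. Switching from a GET blocklist to a POST allowlist is the right direction, since it also refuses HEAD, PUT, OPTIONS and any custom method. The `if` block continues past the end of the hunk.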
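Review bot: The new `+` status line sends 405 without an `Allow` header, which RFC 7231 section 6.5.5 requires on every 405 response so the client learns which methods the resource accepts; change it to `"Status: 405 Method Not Allowed\nAllow: POST\nContent-Type: text/plain\n\n",`. That header is also what lets an operator tell a deliberate method restriction apart from a misconfigured handler when reviewing responses. The enclosing `if` block starts outside the hunk, so the `{` and `print` lines are only partially visible here.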