From 9c6594b47c04fd17095dd9058d2b2792dce8de26 Mon Sep 17 00:00:00 2001
From: Sagar Vora <16315650+sagarvora@users.noreply.github.com>
Date: Fri, 21 Nov 2025 17:33:20 +0530
Subject: [PATCH 1/3] fix: restrict HTTP methods for some public methods

---
 frappe/handler.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/frappe/handler.py b/frappe/handler.py
index 3892aedaa2..67fde57c8c 100644
--- a/frappe/handler.py
+++ b/frappe/handler.py
@@ -105,13 +105,13 @@ def is_valid_http_method(method):
 	frappe.throw_permission_error()
 
 
-@frappe.whitelist(allow_guest=True)
+@frappe.whitelist(allow_guest=True, methods=["POST"])
 def logout():
 	frappe.local.login_manager.logout()
 	frappe.db.commit()
 
 
-@frappe.whitelist(allow_guest=True)
+@frappe.whitelist(allow_guest=True, methods=["POST"])
 def web_logout():
 	frappe.local.login_manager.logout()
 	frappe.db.commit()
@@ -120,7 +120,7 @@ def web_logout():
 	)
 
 
-@frappe.whitelist(allow_guest=True)
+@frappe.whitelist(allow_guest=True, methods=["POST"])
 def upload_file():
 	user = None
 	if frappe.session.user == "Guest":

From 35077703a009cf66c984926bf50ec557bea37279 Mon Sep 17 00:00:00 2001
From: Sagar Vora <16315650+sagarvora@users.noreply.github.com>
Date: Fri, 21 Nov 2025 17:46:21 +0530
Subject: [PATCH 2/3] fix: only allow POST in some api/v2/ methods

---
 frappe/api/v2.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/frappe/api/v2.py b/frappe/api/v2.py
index 09d403541d..e44e2b533e 100644
--- a/frappe/api/v2.py
+++ b/frappe/api/v2.py
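Review bot: If any website template still reaches `web_logout` through a plain anchor (a `?cmd=web_logout`-style href) rather than a form or `fetch` POST, the added `methods=["POST"]` turns that click into the permission error thrown by `is_valid_http_method` (the frame visible in the hunk header) instead of a logout, so the callers should be checked before this lands. The same restriction is applied to `logout` here and to `upload_file` in the following hunk, where it is the right default: a state-changing endpoint reachable by GET can be triggered by any cross-site link or image load, which is the risk this commit closes. A regression test that issues a GET to `/api/method/logout` and expects the permission error, plus a POST that succeeds, would pin the new behaviour. `is_valid_http_method` begins before the hunk and the body of `upload_file` continues after it.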
@@ -271,9 +271,9 @@ def run_doc_method(method: str, document: dict[str, Any] | str, kwargs=None):
 url_rules = [
 	# RPC calls
 	Rule("/method/login", endpoint=login),
-	Rule("/method/logout", endpoint=logout),
+	Rule("/method/logout", endpoint=logout, methods=["POST"]),
 	Rule("/method/ping", endpoint=frappe.ping),
-	Rule("/method/upload_file", endpoint=upload_file),
+	Rule("/method/upload_file", endpoint=upload_file, methods=["POST"]),
 	Rule("/method/", endpoint=handle_rpc_call),
 	Rule(
 		"/method/run_doc_method",

From 2c774a75a2e0d467fd17e63a9ebacfedc73d2cb2 Mon Sep 17 00:00:00 2001
From: Sagar Vora <16315650+sagarvora@users.noreply.github.com>
Date: Fri, 21 Nov 2025 18:11:50 +0530
Subject: [PATCH 3/3] fix: restrict `send_login_link` to POST method only

---
 frappe/www/login.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frappe/www/login.py b/frappe/www/login.py
index 4dfa9f2a4e..91aec1fb43 100644
--- a/frappe/www/login.py
+++ b/frappe/www/login.py
@@ -140,7 +140,7 @@ def get_login_with_email_link_ratelimit() -> int:
 	return frappe.get_system_settings("rate_limit_email_link_login") or 5
 
 
-@frappe.whitelist(allow_guest=True)
+@frappe.whitelist(allow_guest=True, methods=["POST"])
 @rate_limit(limit=get_login_with_email_link_ratelimit, seconds=60 * 60)
 def send_login_link(email: str):
 	if not frappe.get_system_settings("login_with_email_link"):
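Review bot: The neighbouring `Rule("/method/login", endpoint=login)` is left without a `methods=` restriction while `logout` and `upload_file` get one, so a v2 login can still be submitted as a GET with the credentials in the query string, where they end up in proxy and access logs; unless `login` enforces POST on its own, `Rule("/method/login", endpoint=login, methods=["POST"])` belongs in the same list. Note also that a werkzeug `Rule` with `methods=["POST"]` answers a GET with 405 Method Not Allowed, whereas the `@frappe.whitelist(methods=["POST"])` path rejects it with a permission error, so the same client mistake yields a different status depending on which API entry point is used; a short comment on the rule list would save the next reader from wondering whether that is intended. The `url_rules` list continues outside the hunk.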
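Review bot: `send_login_link` has no docstring, and after this change its contract is three non-obvious properties stacked in decorators — guest-accessible, rate-limited per hour, POST-only — that a reader has to reconstruct; a docstring such as `"""Email a login link to *email*. Guest-accessible and rate-limited; POST-only so the mail cannot be triggered by a fetched or prefetched URL."""` would state it. Decorator order matters here too: with `@frappe.whitelist` outermost, the method check presumably runs in the dispatcher before the `@rate_limit` counter, so rejected GETs would not consume the caller's quota — worth confirming, since the rate limit is the main abuse control on this endpoint. The function body continues outside the hunk.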