From 192edda48e627a2d17a3990fac6473520fe907e6 Mon Sep 17 00:00:00 2001
From: Marlon Alkan <info@maluu.eu>
Date: Sun, 8 Jun 2025 16:47:00 +0200
Subject: [PATCH] apps: output: change body detection logic and add tests

---
 apps/output/tests.py | 23 +++++++++++++++++++++++
 apps/output/views.py |  5 +++--
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/apps/output/tests.py b/apps/output/tests.py
index e1e857ee..f87c8340 100644
--- a/apps/output/tests.py
+++ b/apps/output/tests.py
@@ -14,3 +14,26 @@ class OutputM3UTest(TestCase):
         self.assertEqual(response.status_code, 200)
         content = response.content.decode()
         self.assertIn("#EXTM3U", content)
+
+    def test_generate_m3u_response_post_empty_body(self):
+        """
+        Test that a POST request with an empty body returns 200 OK.
+        """
+        url = reverse('output:generate_m3u')
+
+        response = self.client.post(url, data=None, content_type='application/x-www-form-urlencoded')
+        content = response.content.decode()
+
+        self.assertEqual(response.status_code, 200, "POST with empty body should return 200 OK")
+        self.assertIn("#EXTM3U", content)
+
+    def test_generate_m3u_response_post_with_body(self):
+        """
+        Test that a POST request with a non-empty body returns 403 Forbidden.
+        """
+        url = reverse('output:generate_m3u')
+
+        response = self.client.post(url, data={'evilstring': 'muhahaha'})
+
+        self.assertEqual(response.status_code, 403, "POST with body should return 403 Forbidden")
+        self.assertIn("POST requests with body are not allowed, body is:", response.content.decode())
diff --git a/apps/output/views.py b/apps/output/views.py
index 2b18d185..ff02560c 100644
--- a/apps/output/views.py
+++ b/apps/output/views.py
@@ -18,9 +18,10 @@ def generate_m3u(request, profile_name=None):
     The stream URL now points to the new stream_view that uses StreamProfile.
     Supports both GET and POST methods for compatibility with IPTVSmarters.
     """
-    # Check if this is a POST request with data (which we don't want to allow)
+    # Check if this is a POST request and the body is not empty (which we don't want to allow)
     if request.method == "POST" and request.body:
-        return HttpResponseForbidden("POST requests with content are not allowed")
+        if request.body.decode() != '{}':
+            return HttpResponseForbidden("POST requests with body are not allowed, body is: {}".format(request.body.decode()))
 
     if profile_name is not None:
         channel_profile = ChannelProfile.objects.get(name=profile_name)