From 1f2c1c18ef8ff67ac7e2034bcdb7f7a22482390b Mon Sep 17 00:00:00 2001
From: anonymoususer72041 <247563575+anonymoususer72041@users.noreply.github.com>
Date: Fri, 30 Jan 2026 14:07:56 +0100
Subject: [PATCH] Restrict ajax.php to installer actions when INSTALL_BLOCK is missing

---
 ajax.php | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/ajax.php b/ajax.php
index b4a02ce7..2fa9f7a7 100644
--- a/ajax.php
+++ b/ajax.php
@@ -106,6 +106,31 @@
 die();
 }
 
+$installerActive = (!file_exists('INSTALL_BLOCK'));
+if ($installerActive)
+{
+ $module = '';
+ if (strpos($_REQUEST['f'], ':') !== false)
+ {
+ $parameters = explode(':', $_REQUEST['f']);
+ $module = preg_replace("/[^A-Za-z0-9]/", "", $parameters[0]);
+ }
+
+ if ($module !== 'install')
+ {
+ header('Content-type: text/xml');
+ echo '', "\n";
+ echo(
+ "\n" .
+ " -1\n" .
+ " Installer is active. Only installer AJAX actions are allowed.\n" .
+ "\n"
+ );
+
+ die();
+ }
+}
+
 if (strpos($_REQUEST['f'], ':') === false)
 {
 $function = preg_replace("/[^A-Za-z0-9]/", "", $_REQUEST['f']);
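Review bot: The new gate passes `$_REQUEST['f']` straight to `strpos()` without checking that it is set and is a string, so a request with no `f`, or with `f[]=...` on PHP 8, ends in a PHP notice or TypeError instead of the XML error this block is meant to return. Normalising first, e.g. `$f = (isset($_REQUEST['f']) && is_string($_REQUEST['f'])) ? $_REQUEST['f'] : '';`, and using `$f` in the gate keeps the rejection path clean and fail-closed. The gate also derives the module name on its own, separately from the dispatch code that starts in the trailing context lines and continues outside the hunk; parsing once and reusing the result would stop the allow-check and the dispatcher from drifting apart. Separately, `file_exists('INSTALL_BLOCK')` resolves against the current working directory, so `__DIR__ . '/INSTALL_BLOCK'` would pin the check to the script's location, assuming the marker file sits beside ajax.php.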