
[Phpgroupware-cvs] phpgwapi/inc xml_functions.inc.php, 1.22.2.1.2.5 clas


From: skwashd
Subject: [Phpgroupware-cvs] phpgwapi/inc xml_functions.inc.php, 1.22.2.1.2.5 class.xmlrpc_server.inc.php, 1.22.4.6 class.xmlrpcmsg.inc.php, 1.11.4.3
Date: Tue, 5 Jul 2005 02:14:00 +0200

Update of phpgwapi/inc

Modified Files:
     Branch: Version-0_9_16-branch
            xml_functions.inc.php lines: +3 -3
            class.xmlrpc_server.inc.php lines: +16 -4
            class.xmlrpcmsg.inc.php lines: +6 -1

Log Message:
xmlrpc security fixes

====================================================
Index: phpgwapi/inc/xml_functions.inc.php
diff -u phpgwapi/inc/xml_functions.inc.php:1.22.2.1.2.4 
phpgwapi/inc/xml_functions.inc.php:1.22.2.1.2.5
--- phpgwapi/inc/xml_functions.inc.php:1.22.2.1.2.4     Sat Nov  6 15:34:26 2004
+++ phpgwapi/inc/xml_functions.inc.php  Tue Jul  5 00:14:29 2005
@@ -195,7 +195,7 @@
                                $GLOBALS['_xh'][$parser]['qt']=0;
                                break;
                        case 'NAME':
-                               $GLOBALS['_xh'][$parser]['st'] .= "'";
+                               $GLOBALS['_xh'][$parser]['st'] .= '"';
                                $GLOBALS['_xh'][$parser]['ac'] = '';
                                break;
                        case 'FAULT':
@@ -271,7 +271,7 @@
                                $GLOBALS['_xh'][$parser]['cm']--;
                                break;
                        case 'NAME':
-                               $GLOBALS['_xh'][$parser]['st'].= 
$GLOBALS['_xh'][$parser]['ac'] . "' => ";
+                               $GLOBALS['_xh'][$parser]['st'].= 
$GLOBALS['_xh'][$parser]['ac'] . '" => ';
                                break;
                        case 'BOOLEAN':
                                // special case here: we translate boolean 1 or 
0 into PHP
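Review bot: Swapping `'` for `"` around the struct member name (L36 and L47) changes which characters are significant rather than neutralising them: the accumulated `ac` text is still pasted verbatim into a PHP string literal that is later passed to eval, and PHP double-quoted literals treat `"`, `\` and `$` specially, so a member name containing any of them still alters the generated code. The name needs escaping at the point where it is appended, e.g. `$GLOBALS['_xh'][$parser]['st'] .= var_export($GLOBALS['_xh'][$parser]['ac'], true) . ' => ';` on the end-tag side, with the opening quote appended at the `NAME` start tag dropped, since `var_export` emits a correctly escaped single-quoted literal. The durable fix is to stop generating PHP source from the document at all and build the value tree directly, which removes the eval this string feeds. Both switch statements continue outside the hunk.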

====================================================
Index: phpgwapi/inc/class.xmlrpc_server.inc.php
diff -u phpgwapi/inc/class.xmlrpc_server.inc.php:1.22.4.5 
phpgwapi/inc/class.xmlrpc_server.inc.php:1.22.4.6
--- phpgwapi/inc/class.xmlrpc_server.inc.php:1.22.4.5   Tue Feb 10 13:51:19 2004
+++ phpgwapi/inc/class.xmlrpc_server.inc.php    Tue Jul  5 00:14:29 2005
@@ -281,11 +281,17 @@
                                $m = 
CreateObject('phpgwapi.xmlrpcmsg',$GLOBALS['_xh'][$parser]['method']);
                                // now add parameters in
                                $plist = '';
+                               $allOK = 1;
                                for($i=0; 
$i<sizeof($GLOBALS['_xh'][$parser]['params']); $i++)
                                {
                                        //print "<!-- " . 
$GLOBALS['_xh'][$parser]['params'][$i]. "-->\n";
                                        $plist .= "$i - " . 
$GLOBALS['_xh'][$parser]['params'][$i]. " \n";
-                                       $code = '$m->addParam(' . 
$GLOBALS['_xh'][$parser]['params'][$i] . ');';
+                                       $allOK = 0;
+                                       $code = '$m->addParam(' . 
$GLOBALS['_xh'][$parser]['params'][$i] . '); $allOK=1;';
+                                       if (!$allOK)
+                                       {
+                                               break;
+                                       }
                                        $code = ereg_replace(',,',",'',",$code);
                                        eval($code);
                                }
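Review bot: The `if (!$allOK) { break; }` added at L77-L80 is evaluated before `eval($code)` at L82, and `$allOK` was set to 0 at L74 just above it, so the loop breaks on its first iteration without adding any parameter; every request carrying at least one parameter then leaves `$allOK` at 0 and is rejected by the later `$allOK &&` guards. The check belongs after the eval, as the matching change in class.xmlrpcmsg.inc.php places it: `$code = ereg_replace(',,',",'',",$code); eval($code); if (!$allOK) { break; }`. The enclosing method continues outside the hunk.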
@@ -306,7 +312,7 @@
                                        $sysCall=0;
                                }

-                               if (!isset($dmap[$methName]['function']))
+                               if ($allOK && 
!isset($dmap[$methName]['function']))
                                {
                                        if($sysCall && $this->authed)
                                        {
@@ -356,8 +362,14 @@
                                                /* 
_debug_array($this->dmap);exit; */
                                        }
                                }
+                               else
+                               {
+                                       return $r  = 
CreateObject('phpgwapi.xmlrpcresp', '',
+                                               $xmlrpcerr['incorrect_params'],
+                                               $xmlrpcstr['incorrect_params'] 
. ": xml error in param " . $i);
+                               }

-                               if (isset($dmap[$methName]['function']))
+                               if ($allOK && 
isset($dmap[$methName]['function']))
                                {
                                        // dispatch if exists
                                        if 
(isset($dmap[$methName]['signature']))

====================================================
Index: phpgwapi/inc/class.xmlrpcmsg.inc.php
diff -u phpgwapi/inc/class.xmlrpcmsg.inc.php:1.11.4.2 
phpgwapi/inc/class.xmlrpcmsg.inc.php:1.11.4.3
--- phpgwapi/inc/class.xmlrpcmsg.inc.php:1.11.4.2       Tue Feb 10 13:51:19 2004
+++ phpgwapi/inc/class.xmlrpcmsg.inc.php        Tue Jul  5 00:14:29 2005
@@ -230,9 +230,14 @@
                        }
                        else
                        {
+                               $allOK = 0;
                                $code = '$v=' . $GLOBALS['_xh'][$parser]['st'] 
. '; $allOK=1;';
                                $code = ereg_replace(',,',",'',",$code);
                                eval($code);
+                               if (!$allOK)
+                               {
+                                       $return  = 
CreateObject('phpgwapi.xmlrpcresp', '', $xmlrpcerr['invalid_return'], 
$xmlrpcstr['invalid_return']);
+                               }
                                if ($GLOBALS['_xh'][$parser]['isf'])
                                {
                                        $f  = $v->structmem('faultCode');
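Review bot: After the new `if (!$allOK)` block builds the `invalid_return` response at L133-L135, control falls through to the code from L137 on, which dereferences `$v` although the eval that should have assigned it did not complete. Unless code below the hunk tests `$return` before using `$v`, the block should end with `return $return;` (or the remainder of the branch should move into an `else`), matching the early-return form used for the same condition in class.xmlrpc_server.inc.php. As in that file, `$xmlrpcerr`/`$xmlrpcstr` must actually be in scope in this method for the response to carry a code and message. The enclosing method continues outside the hunk.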





