Posted to commits@vcl.apache.org by jf...@apache.org on 2010/09/01 20:50:18 UTC
svn commit: r991648 - in /incubator/vcl/trunk/web/.ht-inc: errors.php
utils.php xmlrpcWrappers.php
Author: jfthomps
Date: Wed Sep 1 18:50:17 2010
New Revision: 991648
URL: http://svn.apache.org/viewvc?rev=991648&view=rev
Log:
VCL-161
remove xmlrpcKey table from vcl.sql
utils.php:
-modified checkAccess - changed code for API v1 to give an error that it is an unsupported API version - note that there was an attack vector here that got removed where X-Pass was not being escaped
-modified xmlRPChandler - removed elseif for API v1
xmlrpcWrappers.php: removed header comments on using API v1
errors.php: added 8 => 'Unsupported API version, cannot continue' to XMLRPCERRORS
Modified:
incubator/vcl/trunk/web/.ht-inc/errors.php
incubator/vcl/trunk/web/.ht-inc/utils.php
incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php
Modified: incubator/vcl/trunk/web/.ht-inc/errors.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/errors.php?rev=991648&r1=991647&r2=991648&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/errors.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/errors.php Wed Sep 1 18:50:17 2010
@@ -208,6 +208,7 @@ $XMLRPCERRORS = array(
5 => 'Failed to connect to authentication server',
6 => 'Unable to authenticate passed in X-User',
7 => 'Unknown API version, cannot continue',
+ 8 => 'Unsupported API version, cannot continue',
100 => 'overwrite this with a custom error message',
);
Modified: incubator/vcl/trunk/web/.ht-inc/utils.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/utils.php?rev=991648&r1=991647&r2=991648&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/utils.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/utils.php Wed Sep 1 18:50:17 2010
@@ -344,23 +344,10 @@ function checkAccess() {
if(get_magic_quotes_gpc())
$xmlpass = stripslashes($xmlpass);
$apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
- /* code for version 1 should probably be removed in VCL 2.2 */
if($apiver == 1) {
- $query = "SELECT x.id "
- . "FROM xmlrpcKey x, "
- . "user u "
- . "WHERE x.ownerid = u.id AND "
- . "u.unityid = '$xmluser' AND "
- . "x.key = '$xmlpass' AND "
- . "x.active = 1";
- $qh = doQuery($query, 101);
- if(! (mysql_num_rows($qh) == 1)) {
- printXMLRPCerror(3); # access denied
- dbDisconnect();
- exit;
- }
- $row = mysql_fetch_assoc($qh);
- $user['xmlrpckeyid'] = $row['id'];
+ printXMLRPCerror(8); # unsupported API version
+ dbDisconnect();
+ exit;
}
elseif($apiver == 2) {
$authtype = "";
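Review bot: The context lines just above the new `if($apiver == 1)` branch still run `stripslashes()` on `$xmlpass` when magic quotes is on, so the value carried into the `elseif($apiver == 2)` branch is raw header data. That is the same condition the log describes for the removed v1 query, which interpolated `'$xmlpass'` directly. The v2 branch continues outside this hunk, so confirm that nothing in it places `$xmluser` or `$xmlpass` into a query string without escaping. The rejection would also benefit from a comment recording why v1 is gone, e.g. `# API v1 rejected: its key lookup built SQL from an unescaped X-Pass header`. checkAccess starts and ends outside the hunk.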
@@ -430,7 +417,12 @@ function checkAccess() {
exit;
}
$apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
- if($apiver != 1 && $apiver != 2) {
+ if($apiver == 1) {
+ printXMLRPCerror(8); # unsupported API version
+ dbDisconnect();
+ exit;
+ }
+ elseif($apiver != 2) {
printXMLRPCerror(7); # unknown API version
dbDisconnect();
exit;
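Review bot: The reject sequence `printXMLRPCerror(8); dbDisconnect(); exit;` is now written out twice in checkAccess, here and in the `if($apiver == 1)` branch of the previous hunk, next to the existing error-7 copy. Because this is the gate that keeps the retired v1 authentication path closed, the two copies should not be able to drift apart. A single small helper taking the error code (the name is up to the author) would reduce each call site to one line and keep the version policy in one place. The enclosing function continues outside the hunk.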
@@ -8317,11 +8309,8 @@ function xmlrpcgetaffiliations() {
function xmlRPChandler($function, $args, $blah) {
global $user, $remoteIP;
header("Content-type: text/xml");
- $apiversion = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC);
if($function == 'XMLRPCaffiliations')
$keyid = 0;
- elseif($apiversion == 1)
- $keyid = $user['xmlrpckeyid'];
else
$keyid = $user['id'];
if(function_exists($function)) {
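Review bot: With the `$apiversion` lookup removed, xmlRPChandler has no comment saying that it now relies on checkAccess() having rejected every API version other than 2 before dispatch. The `else` branch takes `$keyid` from `$user['id']` unconditionally, so that dependency is worth stating at the assignment, e.g. `# checkAccess() has already exited for API v1 and unknown versions; $user is the authenticated v2 user`. A short header comment saying that `$keyid` is 0 only for the unauthenticated `XMLRPCaffiliations` call would make the trust boundary readable without opening checkAccess. The function body continues past the end of this hunk.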
Modified: incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php?rev=991648&r1=991647&r2=991648&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php Wed Sep 1 18:50:17 2010
@@ -55,21 +55,6 @@
* \b X-APIVERSION - set this to 2\n\n
* The X-User and X-Pass HTTP headers do not need to be passed to call the
* XMLRPCaffiliations() function.
- *
- * <h2>API Version 1</h2>
- * \b NOTICE: API version 1 will probably be removed in VCL 2.2. If you are
- * still using API version 1, you need to update your code to use version 2.\n\n
- * This version is being phased out in favor of version 2. Documentation is
- * provided for those currently using version 1 who are not ready to switch
- * to using version 2.\n\n
- *
- * Authentication is handled by 2 additional HTTP headers you will need to
- * send:\n
- * \b X-User - use the same id you would use to log in to the VCL site\n
- * \b X-Pass - the key mentioned above\n
- * \n
- * There is one other additional HTTP header you must send:\n
- * \b X-APIVERSION - set this to 1\n
*/
/// \example xmlrpc_example.php