Posted to commits@vcl.apache.org by jf...@apache.org on 2010/09/01 20:50:18 UTC

svn commit: r991648 - in /incubator/vcl/trunk/web/.ht-inc: errors.php utils.php xmlrpcWrappers.php

Author: jfthomps
Date: Wed Sep  1 18:50:17 2010
New Revision: 991648

URL: http://svn.apache.org/viewvc?rev=991648&view=rev
Log:
VCL-161
remove xmlrpcKey table from vcl.sql

utils.php:
-modified checkAccess - changed code for API v1 to give an error that it is an unsupported API version - note that there was an attack vector here that got removed where X-Pass was not being escaped
-modified xmlRPChandler - removed elseif for API v1

xmlrpcWrappers.php: removed header comments on using API v1

errors.php: added 8 => 'Unsupported API version, cannot continue' to XMLRPCERRORS

Modified:
    incubator/vcl/trunk/web/.ht-inc/errors.php
    incubator/vcl/trunk/web/.ht-inc/utils.php
    incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php

Modified: incubator/vcl/trunk/web/.ht-inc/errors.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/errors.php?rev=991648&r1=991647&r2=991648&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/errors.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/errors.php Wed Sep  1 18:50:17 2010
@@ -208,6 +208,7 @@ $XMLRPCERRORS = array(
 	5 => 'Failed to connect to authentication server',
 	6 => 'Unable to authenticate passed in X-User',
 	7 => 'Unknown API version, cannot continue',
+	8 => 'Unsupported API version, cannot continue',
 	100 => 'overwrite this with a custom error message',
 );
 

Modified: incubator/vcl/trunk/web/.ht-inc/utils.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/utils.php?rev=991648&r1=991647&r2=991648&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/utils.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/utils.php Wed Sep  1 18:50:17 2010
@@ -344,23 +344,10 @@ function checkAccess() {
 		if(get_magic_quotes_gpc())
 			$xmlpass = stripslashes($xmlpass);
 		$apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
-		/* code for version 1 should probably be removed in VCL 2.2 */
 		if($apiver == 1) {
-			$query = "SELECT x.id "
-			       . "FROM xmlrpcKey x, "
-			       .      "user u "
-			       . "WHERE x.ownerid = u.id AND "
-			       .       "u.unityid = '$xmluser' AND "
-			       .       "x.key = '$xmlpass' AND "
-			       .       "x.active = 1";
-			$qh = doQuery($query, 101);
-			if(! (mysql_num_rows($qh) == 1)) {
-				printXMLRPCerror(3);   # access denied
-				dbDisconnect();
-				exit;
-			}
-			$row = mysql_fetch_assoc($qh);
-			$user['xmlrpckeyid'] = $row['id'];
+			printXMLRPCerror(8);   # unsupported API version
+			dbDisconnect();
+			exit;
 		}
 		elseif($apiver == 2) {
 			$authtype = "";
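Review bot: `$xmlpass` is still raw header data after the `stripslashes` call at the top of this hunk, and nothing marks it as such now that the query which interpolated it is gone. The `elseif($apiver == 2)` branch starts on the hunk's last line and continues outside it, so whether that path sends `$xmluser` or `$xmlpass` to the database cannot be checked from here; it is worth confirming that any query there escapes both values. I would add a comment above the `stripslashes` line, `/* $xmlpass is unescaped from here on; escape it before it goes into any query */`, so a later edit does not reintroduce the problem. checkAccess begins and ends outside the hunk.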
@@ -430,7 +417,12 @@ function checkAccess() {
 			exit;
 		}
 		$apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
-		if($apiver != 1 && $apiver != 2) {
+		if($apiver == 1) {
+			printXMLRPCerror(8);   # unsupported API version
+			dbDisconnect();
+			exit;
+		}
+		elseif($apiver != 2) {
 			printXMLRPCerror(7);    # unknown API version
 			dbDisconnect();
 			exit;
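Review bot: The `if($apiver == 1)` block added here repeats the three lines (`printXMLRPCerror(8); dbDisconnect(); exit;`) added in the earlier checkAccess hunk, and the unknown-version branch just below follows the same pattern with code 7. A small helper such as `function abortXMLRPC($code) { printXMLRPCerror($code); dbDisconnect(); exit; }` would keep every rejection path identical and make it harder for one copy to drop the disconnect or the exit in a later edit. The enclosing function continues outside the hunk on both sides.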
@@ -8317,11 +8309,8 @@ function xmlrpcgetaffiliations() {
 function xmlRPChandler($function, $args, $blah) {
 	global $user, $remoteIP;
 	header("Content-type: text/xml");
-	$apiversion = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC);
 	if($function == 'XMLRPCaffiliations')
 		$keyid = 0;
-	elseif($apiversion == 1)
-		$keyid = $user['xmlrpckeyid'];
 	else
 		$keyid = $user['id'];
 	if(function_exists($function)) {
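Review bot: After this change `$keyid` is `0` for XMLRPCaffiliations and `$user['id']` for every other function, but no comment says why that one function is special-cased. The header comment in xmlrpcWrappers.php states that X-User and X-Pass need not be sent for XMLRPCaffiliations(), so presumably there is no authenticated user on that path; a comment above `$keyid = 0;` such as `# XMLRPCaffiliations is callable without X-User/X-Pass, so there is no user id to record` would make that explicit. The function body continues past the hunk's last line, so how `$keyid` is used is not visible here.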

Modified: incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php?rev=991648&r1=991647&r2=991648&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php Wed Sep  1 18:50:17 2010
@@ -55,21 +55,6 @@
  * \b X-APIVERSION - set this to 2\n\n
  * The X-User and X-Pass HTTP headers do not need to be passed to call the
  * XMLRPCaffiliations() function.
- * 
- * <h2>API Version 1</h2>
- * \b NOTICE: API version 1 will probably be removed in VCL 2.2.  If you are
- * still using API version 1, you need to update your code to use version 2.\n\n
- * This version is being phased out in favor of version 2. Documentation is
- * provided for those currently using version 1 who are not ready to switch
- * to using version 2.\n\n
- * 
- * Authentication is handled by 2 additional HTTP headers you will need to
- * send:\n
- * \b X-User - use the same id you would use to log in to the VCL site\n
- * \b X-Pass - the key mentioned above\n
- * \n
- * There is one other additional HTTP header you must send:\n
- * \b X-APIVERSION - set this to 1\n
  */
 
 /// \example xmlrpc_example.php