From 87cd2a48dd7253909219f5f60d842f07a1a0e928 Mon Sep 17 00:00:00 2001
From: Miles Lott
Date: Tue, 25 Sep 2001 14:42:43 +0000
Subject: [PATCH] SECURITY UPDATE - merged from phpxmlrpc dist: All releases up to and including version 1.0 of XML-RPC for PHP have a serious security vulnerability, allowing hostile remote clients or servers to execute arbitrary code on your machine.
---
 phpgwapi/inc/xml_functions.inc.php | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/phpgwapi/inc/xml_functions.inc.php b/phpgwapi/inc/xml_functions.inc.php
index a95dc7cb55..310804f201 100644
--- a/phpgwapi/inc/xml_functions.inc.php
+++ b/phpgwapi/inc/xml_functions.inc.php
@@ -363,18 +363,9 @@
 // and say we've found a value
 $GLOBALS['_xh'][$parser]['lv']=2;
 }
- if (isset($GLOBALS['_xh'][$parser]['qt']) && $GLOBALS['_xh'][$parser]['qt'])
- {
- // quoted string: replace characters that eval would
- // do special things with
- $GLOBALS['_xh'][$parser]['ac'].=str_replace('$', '\$',
- str_replace('"', '\"',
- str_replace(chr(92),$GLOBALS['xmlrpc_backslash'], $data)));
- }
- else
- {
- $GLOBALS['_xh'][$parser]['ac'].=$data;
- }
+ $GLOBALS['_xh'][$parser]['ac'].=str_replace('$', '\$',
+ str_replace('"', '\"',
+ str_replace(chr(92),$GLOBALS['xmlrpc_backslash'], $data)));
 }
 }
@@ -387,7 +378,9 @@
 $GLOBALS['_xh'][$parser]['qt']=1;
 $GLOBALS['_xh'][$parser]['lv']=2;
 }
- $GLOBALS['_xh'][$parser]['ac'].=$data;
+ $GLOBALS['_xh'][$parser]['ac'].=str_replace('$', '\$',
+ str_replace('"', '\"',
+ str_replace(chr(92),$GLOBALS['xmlrpc_backslash'], $data)));
 }
 }
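Review bot: Both hunks now escape `$`, `"` and backslash on every piece of character data, but that only protects text that ends up inside a double-quoted literal; judging by the removed comment the accumulator `['ac']` is later passed to eval, and any value type written into that code outside quotes (the evaluation site is not visible here) needs validation by type, for example an `is_numeric()` check, rather than character escaping. The identical three-call `str_replace` chain appears in the first hunk and again in the second, so I would move it into one helper called from both handlers, with a comment such as `// $data is remote input that is later eval'd: escape backslash first, then " and $`. The durable fix is to build the decoded values directly instead of generating PHP source from the request. Both enclosing functions start and end outside the hunks, so whether the `qt` flag is still read elsewhere cannot be confirmed from this page.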