From ff4a0d24ccde3c152c4ec8da50b7d467accc1736 Mon Sep 17 00:00:00 2001 From: Miles Lott Date: Thu, 30 Jun 2005 13:36:47 +0000 Subject: [PATCH] CRITICAL: Implement security fixes from latest release of php-xmlrpc --- phpgwapi/inc/class.xmlrpc_server_php.inc.php | 36 +++++++++++++++----- phpgwapi/inc/class.xmlrpcmsg.inc.php | 20 +++++++---- phpgwapi/inc/xml_functions.inc.php | 6 ++-- 3 files changed, 45 insertions(+), 17 deletions(-) diff --git a/phpgwapi/inc/class.xmlrpc_server_php.inc.php b/phpgwapi/inc/class.xmlrpc_server_php.inc.php index 5ffa630ea8..5ee26e70c7 100644 --- a/phpgwapi/inc/class.xmlrpc_server_php.inc.php +++ b/phpgwapi/inc/class.xmlrpc_server_php.inc.php @@ -46,7 +46,7 @@ var $resp_struct = array(); var $debug = False; var $method_requested; - var $log = False; //'/tmp/xmlrpc.log'; + var $log = '/tmp/xmlrpc.log'; function xmlrpc_server($dispMap='', $serviceNow=0) { @@ -291,11 +291,16 @@ $plist = ''; for($i=0; $i\n"; + // print "\n"); $plist .= "$i - " . $GLOBALS['_xh'][$parser]['params'][$i]. " \n"; $code = '$m->addParam(' . $GLOBALS['_xh'][$parser]['params'][$i] . ');'; $code = str_replace(',,',",'',",$code); - eval($code); + $allok = 0; + @eval($code . '; $allok = 1;'); + if(!$allok) + { + break; + } } // uncomment this to really see what the server's getting! // xmlrpc_debugmsg($plist); @@ -380,7 +385,12 @@ { $code = '$r=' . $dmap[$methName]['function'] . '($this, $m);'; $code = str_replace(',,',",'',",$code); - eval($code); + $allok = 0; + @eval($code . '; $allok = 1;'); + if(!$allok) + { + return CreateObject('phpgwapi.xmlrpcresp','', $GLOBALS['xmlrpcerr']['invalid_return'], $GLOBALS['xmlrpcstr']['invalid_return']); + } } else { 
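Review bot: The new default `var $log = '/tmp/xmlrpc.log';` in the `@@ -46,7 +46,7 @@` hunk switches logging on for every installation and points it at a fixed file name in a shared temporary directory, which reads like a debugging setting that slipped into a security fix. A predictable path under /tmp can be pre-created or replaced with a symlink by another local account, and whatever the server writes there (not visible in this hunk) becomes readable outside the application. I would keep the previous default, `var $log = False; //'/tmp/xmlrpc.log';`, and let an administrator opt in with a path in a directory only the web server user can write.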
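Review bot: When the sentinel stays 0 in the parameter loop of the `@@ -291,11 +291,16 @@` hunk, the new code only does `break;`, so the message appears to go on to dispatch with a truncated parameter list instead of failing the way the later hunks in this file do. The rest of the function is outside the hunk, so confirm that nothing after the loop checks `$allok`. Returning the fault used further down, `return CreateObject('phpgwapi.xmlrpcresp','', $GLOBALS['xmlrpcerr']['invalid_return'], $GLOBALS['xmlrpcstr']['invalid_return']);`, would make the failure explicit. Note also that `$allok` only catches a string that fails to evaluate to its end: request-derived text that evaluates cleanly still runs, so the protection rests on the quoting done in xml_functions.inc.php, and the `@` hides the diagnostic an operator would need to notice a malformed request. A comment such as `// $allok stays 0 if the generated code did not run to completion; this is not input validation` would keep the next reader from over-trusting it.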
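Review bot: The dispatch call is still made by building `'$r=' . $dmap[$methName]['function'] . '($this, $m);'` and evaluating it, in the `@@ -380,7 +385,12 @@` hunk and again in the `@@ -388,16 +398,26 @@` hunk, although calling a mapped function does not require generating source text. If the map entries are plain function names (the dispatch map is defined outside this diff, so this is an assumption), `$r = call_user_func($dmap[$methName]['function'], $this, $m);` does the same work without `eval` and without the `str_replace(',,', ...)` patch-up. The failure branch also reports `invalid_return` for what is a server-side dispatch error. The sentinel-and-fault block now appears three times across these two hunks; a small private helper that returns the fault response would keep the copies from drifting.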
@@ -388,16 +398,26 @@ { $code = '$r =' . $dmap[$methName]['function'] . '($m);'; $code = str_replace(',,',",'',",$code); - eval($code); + $allok = 0; + @eval($code . '; $allok = 1;'); + if(!$allok) + { + return CreateObject('phpgwapi.xmlrpcresp','', $GLOBALS['xmlrpcerr']['invalid_return'], $GLOBALS['xmlrpcstr']['invalid_return']); + } } else { /* phpgw mod - finally, execute the function call and return the values */ $params = $GLOBALS['_xh'][$parser]['params'][0]; $code = '$p = ' . $params . ';'; - if (count($params) != 0) + if(count($params) != 0) { - eval($code); + $allok = 0; + @eval($code . '; $allok = 1;'); + if(!$allok) + { + return CreateObject('phpgwapi.xmlrpcresp','', $GLOBALS['xmlrpcerr']['invalid_return'], $GLOBALS['xmlrpcstr']['invalid_return']); + } $params = $p->getval(); } @@ -420,7 +440,7 @@ //$r = CreateObject('phpgwapi.xmlrpcresp',CreateObject('phpgwapi.xmlrpcval',$this->resp_struct,'struct')); // this fixes the unnecessary (and not standard-conform) array/xmlrpc struct around everything $r = CreateObject('phpgwapi.xmlrpcresp',$this->build_resp($res,True)); - /* _debug_array($r); */ + // _debug_array($r); } } } diff --git a/phpgwapi/inc/class.xmlrpcmsg.inc.php b/phpgwapi/inc/class.xmlrpcmsg.inc.php index 36e9ddafab..a9d5f397aa 100644 --- a/phpgwapi/inc/class.xmlrpcmsg.inc.php +++ b/phpgwapi/inc/class.xmlrpcmsg.inc.php 
@@ -221,16 +221,24 @@ { $code = '$v=' . $GLOBALS['_xh'][$parser]['st'] . '; $allOK=1;'; $code = str_replace(',,',",'',",$code); - eval($code); - if ($GLOBALS['_xh'][$parser]['isf']) + $allok = 0; + @eval($code); + if(!$allok) { - $f = $v->structmem('faultCode'); - $fs = $v->structmem('faultString'); - $r = CreateObject('phpgwapi.xmlrpcresp',$v, $f->scalarval(), $fs->scalarval()); + $r = CreateObject('phpgwapi.xmlrpcresp','', $GLOBALS['xmlrpcerr']['invalid_return'], $GLOBALS['xmlrpcstr']['invalid_return']); } else { - $r = CreateObject('phpgwapi.xmlrpcresp',$v); + if ($GLOBALS['_xh'][$parser]['isf']) + { + $f = $v->structmem('faultCode'); + $fs = $v->structmem('faultString'); + $r = CreateObject('phpgwapi.xmlrpcresp',$v, $f->scalarval(), $fs->scalarval()); + } + else + { + $r = CreateObject('phpgwapi.xmlrpcresp',$v); + } } } $r->hdrs = $GLOBALS['_xh'][$parser]['ha']; //split("\r?\n", $GLOBALS['_xh'][$parser]['ha'][1]); diff --git a/phpgwapi/inc/xml_functions.inc.php b/phpgwapi/inc/xml_functions.inc.php index 8eaa0ae9fe..43a9a92c6f 100644 --- a/phpgwapi/inc/xml_functions.inc.php +++ b/phpgwapi/inc/xml_functions.inc.php @@ -189,7 +189,7 @@ $GLOBALS['_xh'][$parser]['qt']=0; break; case 'NAME': - $GLOBALS['_xh'][$parser]['st'] .= "'"; + $GLOBALS['_xh'][$parser]['st'] .= '"'; $GLOBALS['_xh'][$parser]['ac'] = ''; break; case 'FAULT': @@ -265,7 +265,7 @@ $GLOBALS['_xh'][$parser]['cm']--; break; case 'NAME': - $GLOBALS['_xh'][$parser]['st'].= $GLOBALS['_xh'][$parser]['ac'] . "' => "; + $GLOBALS['_xh'][$parser]['st'].= $GLOBALS['_xh'][$parser]['ac'] . '" => '; break; case 'BOOLEAN': // special case here: we translate boolean 1 or 0 into PHP @@ -293,7 +293,7 @@ } elseif ($GLOBALS['_xh'][$parser]['qt']==2) { - $GLOBALS['_xh'][$parser]['st'].="base64_decode('". $GLOBALS['_xh'][$parser]['ac'] . "')"; + $GLOBALS['_xh'][$parser]['st'].= 'base64_decode("' . $GLOBALS['_xh'][$parser]['ac'] . '")'; } elseif ($name=='BOOLEAN') {
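Review bot: The sentinel can never be set in the `@@ -221,16 +221,24 @@` hunk of class.xmlrpcmsg.inc.php: the context line builds the code with `$allOK=1;` while the added lines initialise and test `$allok`, and PHP variable names are case-sensitive. As written, `if(!$allok)` is always true, so every parsed response is replaced by the `invalid_return` fault and the `isf` and normal branches below it are unreachable. Use one spelling throughout, e.g. `$allOK = 0;` before the call and `if(!$allOK)` after it. The enclosing function starts and ends outside the hunk.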
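Review bot: Changing the delimiter from `'` to `"` for the struct member name in the `@@ -189,7 +189,7 @@` hunk of xml_functions.inc.php, and again in the `@@ -265,7 +265,7 @@` and `@@ -293,7 +293,7 @@` hunks, changes which characters are significant in the literal that is later evaluated: inside a double-quoted PHP string `"`, `\` and `$` (including `{$...}`) are all interpreted. These hunks do not show where `$GLOBALS['_xh'][$parser]['ac']` is escaped, so confirm that the character-data handler escapes all three before the text is appended to `st`. For the base64 case it would be simpler to reject anything outside the base64 alphabet before emitting `base64_decode("...")`. A comment at each site naming the escaping routine it relies on would make that dependency visible to the next maintainer.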