CRITICAL: Implement security fixes from latest release of php-xmlrpc

This commit is contained in:
Miles Lott 2005-06-30 13:36:47 +00:00
parent 0589aacb9e
commit ff4a0d24cc
3 changed files with 45 additions and 17 deletions

View File

@ -46,7 +46,7 @@
var $resp_struct = array();
var $debug = False;
var $method_requested;
var $log = False; //'/tmp/xmlrpc.log';
var $log = '/tmp/xmlrpc.log';
function xmlrpc_server($dispMap='', $serviceNow=0)
{
@ -291,11 +291,16 @@
$plist = '';
for($i=0; $i<sizeof($GLOBALS['_xh'][$parser]['params']); $i++)
{
//print "<!-- " . $GLOBALS['_xh'][$parser]['params'][$i]. "-->\n";
// print "<!-- " . $GLOBALS['_xh'][$parser]['params'][$i]. "-->\n");
$plist .= "$i - " . $GLOBALS['_xh'][$parser]['params'][$i]. " \n";
$code = '$m->addParam(' . $GLOBALS['_xh'][$parser]['params'][$i] . ');';
$code = str_replace(',,',",'',",$code);
eval($code);
$allok = 0;
@eval($code . '; $allok = 1;');
if(!$allok)
{
break;
}
}
// uncomment this to really see what the server's getting!
// xmlrpc_debugmsg($plist);
@ -380,7 +385,12 @@
{
$code = '$r=' . $dmap[$methName]['function'] . '($this, $m);';
$code = str_replace(',,',",'',",$code);
eval($code);
$allok = 0;
@eval($code . '; $allok = 1;');
if(!$allok)
{
return CreateObject('phpgwapi.xmlrpcresp','', $GLOBALS['xmlrpcerr']['invalid_return'], $GLOBALS['xmlrpcstr']['invalid_return']);
}
}
else
{
@ -388,16 +398,26 @@
{
$code = '$r =' . $dmap[$methName]['function'] . '($m);';
$code = str_replace(',,',",'',",$code);
eval($code);
$allok = 0;
@eval($code . '; $allok = 1;');
if(!$allok)
{
return CreateObject('phpgwapi.xmlrpcresp','', $GLOBALS['xmlrpcerr']['invalid_return'], $GLOBALS['xmlrpcstr']['invalid_return']);
}
}
else
{
/* phpgw mod - finally, execute the function call and return the values */
$params = $GLOBALS['_xh'][$parser]['params'][0];
$code = '$p = ' . $params . ';';
if (count($params) != 0)
if(count($params) != 0)
{
eval($code);
$allok = 0;
@eval($code . '; $allok = 1;');
if(!$allok)
{
return CreateObject('phpgwapi.xmlrpcresp','', $GLOBALS['xmlrpcerr']['invalid_return'], $GLOBALS['xmlrpcstr']['invalid_return']);
}
$params = $p->getval();
}
@ -420,7 +440,7 @@
//$r = CreateObject('phpgwapi.xmlrpcresp',CreateObject('phpgwapi.xmlrpcval',$this->resp_struct,'struct'));
// this fixes the unnecessary (and not standard-conform) array/xmlrpc struct around everything
$r = CreateObject('phpgwapi.xmlrpcresp',$this->build_resp($res,True));
/* _debug_array($r); */
// _debug_array($r);
}
}
}

View File

@ -221,7 +221,14 @@
{
$code = '$v=' . $GLOBALS['_xh'][$parser]['st'] . '; $allOK=1;';
$code = str_replace(',,',",'',",$code);
eval($code);
$allok = 0;
@eval($code);
if(!$allok)
{
$r = CreateObject('phpgwapi.xmlrpcresp','', $GLOBALS['xmlrpcerr']['invalid_return'], $GLOBALS['xmlrpcstr']['invalid_return']);
}
else
{
if ($GLOBALS['_xh'][$parser]['isf'])
{
$f = $v->structmem('faultCode');
@ -233,6 +240,7 @@
$r = CreateObject('phpgwapi.xmlrpcresp',$v);
}
}
}
$r->hdrs = $GLOBALS['_xh'][$parser]['ha']; //split("\r?\n", $GLOBALS['_xh'][$parser]['ha'][1]);
return $r;
}

View File

@ -189,7 +189,7 @@
$GLOBALS['_xh'][$parser]['qt']=0;
break;
case 'NAME':
$GLOBALS['_xh'][$parser]['st'] .= "'";
$GLOBALS['_xh'][$parser]['st'] .= '"';
$GLOBALS['_xh'][$parser]['ac'] = '';
break;
case 'FAULT':
@ -265,7 +265,7 @@
$GLOBALS['_xh'][$parser]['cm']--;
break;
case 'NAME':
$GLOBALS['_xh'][$parser]['st'].= $GLOBALS['_xh'][$parser]['ac'] . "' => ";
$GLOBALS['_xh'][$parser]['st'].= $GLOBALS['_xh'][$parser]['ac'] . '" => ';
break;
case 'BOOLEAN':
// special case here: we translate boolean 1 or 0 into PHP
@ -293,7 +293,7 @@
}
elseif ($GLOBALS['_xh'][$parser]['qt']==2)
{
$GLOBALS['_xh'][$parser]['st'].="base64_decode('". $GLOBALS['_xh'][$parser]['ac'] . "')";
$GLOBALS['_xh'][$parser]['st'].= 'base64_decode("' . $GLOBALS['_xh'][$parser]['ac'] . '")';
}
elseif ($name=='BOOLEAN')
{