Author: jfthomps
Date: Wed Sep  1 18:50:17 2010
New Revision: 991648

URL: http://svn.apache.org/viewvc?rev=991648&view=rev
Log:
VCL-161
remove xmlrpcKey table from vcl.sql

utils.php:
-modified checkAccess - changed code for API v1 to give error that it is an 
unsupported API version - note that there was an attack vector here that got 
removed where X-Pass was not being escaped
-modified xmlRPChandler - removed elseif for API v1

xmlrpcWrappers.php: removed header comments on using API v1

errors.php: added 8 => 'Unsupported API version, cannot continue' to 
XMLRPCERRORS

Modified:
    incubator/vcl/trunk/web/.ht-inc/errors.php
    incubator/vcl/trunk/web/.ht-inc/utils.php
    incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php

Modified: incubator/vcl/trunk/web/.ht-inc/errors.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/errors.php?rev=991648&r1=991647&r2=991648&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/errors.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/errors.php Wed Sep  1 18:50:17 2010
@@ -208,6 +208,7 @@ $XMLRPCERRORS = array(
        5 => 'Failed to connect to authentication server',
        6 => 'Unable to authenticate passed in X-User',
        7 => 'Unknown API version, cannot continue',
+       8 => 'Unsupported API version, cannot continue',
        100 => 'overwrite this with a custom error message',
 );
 

Modified: incubator/vcl/trunk/web/.ht-inc/utils.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/utils.php?rev=991648&r1=991647&r2=991648&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/utils.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/utils.php Wed Sep  1 18:50:17 2010
@@ -344,23 +344,10 @@ function checkAccess() {
                if(get_magic_quotes_gpc())
                        $xmlpass = stripslashes($xmlpass);
                $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], 
ARG_NUMERIC, 1);
-               /* code for version 1 should probably be removed in VCL 2.2 */
                if($apiver == 1) {
-                       $query = "SELECT x.id "
-                              . "FROM xmlrpcKey x, "
-                              .      "user u "
-                              . "WHERE x.ownerid = u.id AND "
-                              .       "u.unityid = '$xmluser' AND "
-                              .       "x.key = '$xmlpass' AND "
-                              .       "x.active = 1";
-                       $qh = doQuery($query, 101);
-                       if(! (mysql_num_rows($qh) == 1)) {
-                               printXMLRPCerror(3);   # access denied
-                               dbDisconnect();
-                               exit;
-                       }
-                       $row = mysql_fetch_assoc($qh);
-                       $user['xmlrpckeyid'] = $row['id'];
+                       printXMLRPCerror(8);   # unsupported API version
+                       dbDisconnect();
+                       exit;
                }
                elseif($apiver == 2) {
                        $authtype = "";
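Review bot: A request that omits X-APIVERSION now lands in the new error-8 branch ("Unsupported API version") rather than being reported as a missing or unknown version, because the `processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1)` call just above the new branch still falls back to 1 — if that third argument is the fallback for an absent header, as its position suggests. With version 1 retired, defaulting to it only serves to mislabel "no header" as "removed version"; changing the fallback to `0` would route that case to the existing error 7 ("Unknown API version"), which is the more accurate message, and would avoid implying to callers that they are still on v1. Note that `$xmlpass` is still read and stripslashes()'d above this branch even though the only consumer visible in this hunk was the removed query; whether the version-2 branch still needs it cannot be told from here. checkAccess begins and ends outside this hunk.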
@@ -430,7 +417,12 @@ function checkAccess() {
                        exit;
                }
                $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], 
ARG_NUMERIC, 1);
-               if($apiver != 1 && $apiver != 2) {
+               if($apiver == 1) {
+                       printXMLRPCerror(8);   # unsupported API version
+                       dbDisconnect();
+                       exit;
+               }
+               elseif($apiver != 2) {
                        printXMLRPCerror(7);    # unknown API version
                        dbDisconnect();
                        exit;
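Review bot: The version gate added here (`== 1` → error 8, otherwise `!= 2` → error 7, each followed by `dbDisconnect(); exit;`) is the same sequence the earlier hunk added to the first branch of checkAccess, so the two copies will drift apart the next time a version is retired or introduced. Pulling the check into one helper that both call sites use keeps the retired/known version sets in a single place; a sketch is below. The `ARG_NUMERIC, 1` fallback on the preceding line means a request with no X-APIVERSION header reaches the error-8 branch too, so the helper (or the fallback) should decide deliberately whether a missing header is "unsupported" or "unknown". checkAccess begins and ends outside this hunk.
```php
/* Reject retired (1) and unknown (anything but 2) API versions; returns only for version 2. */
function rejectUnsupportedApiVersion($apiver) {
	if($apiver == 2)
		return;
	if($apiver == 1)
		printXMLRPCerror(8);   # unsupported API version
	else
		printXMLRPCerror(7);   # unknown API version
	dbDisconnect();
	exit;
}
// … unchanged: earlier checks in checkAccess …
$apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
rejectUnsupportedApiVersion($apiver);
```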
@@ -8317,11 +8309,8 @@ function xmlrpcgetaffiliations() {
 function xmlRPChandler($function, $args, $blah) {
        global $user, $remoteIP;
        header("Content-type: text/xml");
-       $apiversion = processInputData($_SERVER['HTTP_X_APIVERSION'], 
ARG_NUMERIC);
        if($function == 'XMLRPCaffiliations')
                $keyid = 0;
-       elseif($apiversion == 1)
-               $keyid = $user['xmlrpckeyid'];
        else
                $keyid = $user['id'];
        if(function_exists($function)) {

Modified: incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php?rev=991648&r1=991647&r2=991648&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php Wed Sep  1 18:50:17 2010
@@ -55,21 +55,6 @@
  * \b X-APIVERSION - set this to 2\n\n
  * The X-User and X-Pass HTTP headers do not need to be passed to call the
  * XMLRPCaffiliations() function.
- * 
- * <h2>API Version 1</h2>
- * \b NOTICE: API version 1 will probably be removed in VCL 2.2.  If you are
- * still using API version 1, you need to update your code to use version 
2.\n\n
- * This version is being phased out in favor of version 2. Documentation is
- * provided for those currently using version 1 who are not ready to switch
- * to using version 2.\n\n
- * 
- * Authentication is handled by 2 additional HTTP headers you will need to
- * send:\n
- * \b X-User - use the same id you would use to log in to the VCL site\n
- * \b X-Pass - the key mentioned above\n
- * \n
- * There is one other additional HTTP header you must send:\n
- * \b X-APIVERSION - set this to 1\n
  */
 
 /// \example xmlrpc_example.php

