Author: jfthomps Date: Wed Sep 1 18:50:17 2010 New Revision: 991648 URL: http://svn.apache.org/viewvc?rev=991648&view=rev Log: VCL-161 remove xmlrpcKey table from vcl.sql
utils.php: -modified checkAccess - changed code for API v1 to give error that it is an unsupport API version - note that there was an attack vector here that got removed where X-Pass was not being escaped -modified xmlRPChandler - removed elseif for API v1 xmlrpcWrappers.php: removed header comments on using API v1 errors.php: added 8 => 'Unsupported API version, cannot continue' to XMLRPCERRORS
Modified:
incubator/vcl/trunk/web/.ht-inc/errors.php
incubator/vcl/trunk/web/.ht-inc/utils.php
incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php
Modified: incubator/vcl/trunk/web/.ht-inc/errors.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/errors.php?rev=991648&r1=991647&r2=991648&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/errors.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/errors.php Wed Sep 1 18:50:17 2010
@@ -208,6 +208,7 @@ $XMLRPCERRORS = array(
 5 => 'Failed to connect to authentication server',
 6 => 'Unable to authenticate passed in X-User',
 7 => 'Unknown API version, cannot continue',
+ 8 => 'Unsupported API version, cannot continue',
 100 => 'overwrite this with a custom error message',
 );
Modified: incubator/vcl/trunk/web/.ht-inc/utils.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/utils.php?rev=991648&r1=991647&r2=991648&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/utils.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/utils.php Wed Sep 1 18:50:17 2010
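Review bot: The new message 8 tells the caller only that the version is unsupported, not what to send instead, while the only value still accepted in this commit is 2 (the `elseif($apiver != 2)` gate in utils.php). Making the text actionable saves v1 clients that are being cut off a trip through the docs: `8 => 'Unsupported API version, cannot continue (set X-APIVERSION to 2)',`. The $XMLRPCERRORS array continues outside the hunk.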
@@ -344,23 +344,10 @@ function checkAccess() {
 if(get_magic_quotes_gpc())
 $xmlpass = stripslashes($xmlpass);
 $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
- /* code for version 1 should probably be removed in VCL 2.2 */
 if($apiver == 1) {
- $query = "SELECT x.id "
- . "FROM xmlrpcKey x, "
- . "user u "
- . "WHERE x.ownerid = u.id AND "
- . "u.unityid = '$xmluser' AND "
- . "x.key = '$xmlpass' AND "
- . "x.active = 1";
- $qh = doQuery($query, 101);
- if(! (mysql_num_rows($qh) == 1)) {
- printXMLRPCerror(3); # access denied
- dbDisconnect();
- exit;
- }
- $row = mysql_fetch_assoc($qh);
- $user['xmlrpckeyid'] = $row['id'];
+ printXMLRPCerror(8); # unsupported API version
+ dbDisconnect();
+ exit;
 }
 elseif($apiver == 2) {
 $authtype = "";
@@ -430,7 +417,12 @@ function checkAccess() {
 exit;
 }
 $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
- if($apiver != 1 && $apiver != 2) {
+ if($apiver == 1) {
+ printXMLRPCerror(8); # unsupported API version
+ dbDisconnect();
+ exit;
+ }
+ elseif($apiver != 2) {
 printXMLRPCerror(7); # unknown API version
 dbDisconnect();
 exit;
@@ -8317,11 +8309,8 @@ function xmlrpcgetaffiliations() {
 function xmlRPChandler($function, $args, $blah) {
 global $user, $remoteIP;
 header("Content-type: text/xml");
- $apiversion = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC);
 if($function == 'XMLRPCaffiliations')
 $keyid = 0;
- elseif($apiversion == 1)
- $keyid = $user['xmlrpckeyid'];
 else
 $keyid = $user['id'];
 if(function_exists($function)) {
Modified: incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php?rev=991648&r1=991647&r2=991648&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php Wed Sep 1 18:50:17 2010
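Review bot: Both reads of the X-APIVERSION header in checkAccess still default to 1 (`processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1)` in this hunk and again in the second hunk at line 417), so a client that omits the header now receives error 8 "Unsupported API version" even though it never asked for v1. Changing the default so that a missing header reports what is actually wrong — either 2, if silently selecting the current version is acceptable, or a value that falls through to the error-7 branch — would fix that, and the v1 rejection would then only need to live in one place instead of being repeated in both hunks. The `get_magic_quotes_gpc()` / `$xmlpass = stripslashes($xmlpass);` lines at the top of this hunk presumably fed the removed v1 key lookup; if the v2 branch does not consume `$xmlpass`, they are now dead and could be dropped with it, which is worth confirming against the rest of checkAccess. checkAccess starts and continues outside the hunk.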
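Review bot: With the `$apiversion` read gone, xmlRPChandler no longer inspects the request itself, and the `$keyid = $user['id']` assignment depends entirely on the global `$user` having been populated earlier, which nothing in the hunk documents. A one-line comment above the `global` line would make that contract explicit, e.g. `// $user is presumably populated by checkAccess(), which also rejects unsupported API versions before this handler runs -- confirm call order`. xmlRPChandler's body continues outside the hunk.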
@@ -55,21 +55,6 @@ * \b X-APIVERSION - set this to 2\n\n
 * The X-User and X-Pass HTTP headers do not need to be passed to call the
 * XMLRPCaffiliations() function.
- *
- * <h2>API Version 1</h2>
- * \b NOTICE: API version 1 will probably be removed in VCL 2.2. If you are
- * still using API version 1, you need to update your code to use version 2.\n\n
- * This version is being phased out in favor of version 2. Documentation is
- * provided for those currently using version 1 who are not ready to switch
- * to using version 2.\n\n
- *
- * Authentication is handled by 2 additional HTTP headers you will need to
- * send:\n
- * \b X-User - use the same id you would use to log in to the VCL site\n
- * \b X-Pass - the key mentioned above\n
- * \n
- * There is one other additional HTTP header you must send:\n
- * \b X-APIVERSION - set this to 1\n
 */
 /// \example xmlrpc_example.php