author | Karl 'vollmerk' Vollmer <vollmer@ampache.org> | 2007-12-18 15:16:02 +0000 |
---|---|---|
committer | Karl 'vollmerk' Vollmer <vollmer@ampache.org> | 2007-12-18 15:16:02 +0000 |
commit | 77bc16f52520efe50ea0664b11f235897239a482 (patch) | |
tree | d970ed863bec575a335c98e4457879218f864d46 | |
parent | 698f05d14f880eb4ec7866ec3a8416ee4d1f838f (diff) | |
fixed dbl negative on xml api and enabled the timestamp check as well as fixed a typo in the config file
-rw-r--r-- | config/ampache.cfg.php.dist | 2 | ||||
-rwxr-xr-x | docs/CHANGELOG | 3 | ||||
-rw-r--r-- | lib/class/api.class.php | 9 | ||||
-rw-r--r-- | server/xml.server.php | 4 |
4 files changed, 10 insertions, 8 deletions
diff --git a/config/ampache.cfg.php.dist b/config/ampache.cfg.php.dist
index ad6bb7c1..f301e594 100644
--- a/config/ampache.cfg.php.dist
+++ b/config/ampache.cfg.php.dist
@@ -96,7 +96,7 @@ catalog_file_pattern = "mp3|mpc|m4p|m4a|mp4|aac|ogg|rm|wma|asf|flac|spx|ra|ape|s
 ; Use Access List
 ; Toggle this on if you want ampache to pay attention to the access list
 ; and only allow streaming/downloading/xml-rpc from known hosts by default
-; xml-rpc will not working without this on.
+; xml-rpc will not work without this on.
 ; DEFAULT: false
 ;access_control = "false"
diff --git a/docs/CHANGELOG b/docs/CHANGELOG
index 08e47e3a..6029e406 100755
--- a/docs/CHANGELOG
+++ b/docs/CHANGELOG
@@ -4,6 +4,9 @@
 --------------------------------------------------------------------------
 v.3.4-Alpha4
+ - Added check to make sure timestamp passed to API is less then
+ four hours old. Set to four hours to allow for some
+ difference in server/client time
 - Fixed basic XML-RPC functionality, using insecure / old authentication method needs more work
 - Fixed it so that all errors should return an XML document when
diff --git a/lib/class/api.class.php b/lib/class/api.class.php
index 40cff61f..c7391837 100644
--- a/lib/class/api.class.php
+++ b/lib/class/api.class.php
@@ -48,12 +48,13 @@ class Api {
 public static function handshake($timestamp,$passphrase,$ip,$username='') {
 // If the timestamp is over 2hr old sucks to be them
-// if ($timestamp < (time() - 7200)) {
-// return 'Timestamp too old, try again';
-// }
+ if ($timestamp < (time() - 14400)) {
+ debug_event('API','Login Failed, timestamp too old','1');
+ return false;
+ }
 // First we'll filter by username and IP
- if (!$username) {
+ if (!trim($username)) {
 $user_id = '-1';
 }
 else {
diff --git a/server/xml.server.php b/server/xml.server.php
index 83d10027..d1464dca 100644
--- a/server/xml.server.php
+++ b/server/xml.server.php
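Review bot: The freshness check added at the top of `handshake()` is one-sided: it rejects a `$timestamp` more than 14400 seconds in the past, but a value arbitrarily far in the future passes, so the same handshake stays acceptable for much longer than the intended four hours. Since the changelog describes the four hours as tolerance for server/client clock difference, a symmetric bound on a validated number fits better, e.g. `if (!is_numeric($timestamp) || abs(time() - (int)$timestamp) > 14400) {`. The comment above the check still says "over 2hr old" and should say four hours, ideally with 14400 moved into a named constant. The rest of `handshake()` lies outside the hunk, so whether the later passphrase comparison constrains the timestamp any further cannot be seen here.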
@@ -27,10 +27,8 @@ define('NO_SESSION','1');
 require_once '../lib/init.php';
-
-
 // If it's not a handshake then we can allow it to take up lots of time
-if (!$_REQUEST['action'] != 'handshake') {
+if ($_REQUEST['action'] != 'handshake') {
 set_time_limit(0);
 } |
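Review bot: With the condition corrected, `set_time_limit(0)` applies to every request whose `action` is anything other than `handshake`, and nothing visible in the hunk establishes that the request carries a valid API session at that point (`NO_SESSION` is defined just above, so `init.php` presumably does not check one). If session validation happens further down the file, which is outside the hunk, moving the `set_time_limit(0)` call after it keeps unauthenticated requests under the default execution limit. `$_REQUEST['action']` is also read without an `isset()` guard and compared with loose `!=`; `$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';` followed by `if ($action !== 'handshake') {` avoids the undefined-index notice and the type juggling.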