authorKarl 'vollmerk' Vollmer <vollmer@ampache.org>2006-10-17 05:07:16 +0000
committerKarl 'vollmerk' Vollmer <vollmer@ampache.org>2006-10-17 05:07:16 +0000
commit39e8556985b3242b75ccfde1c74e67fc4f006ded (patch)
tree3692ebc773e00a418e537375438cb2c2e6b8fab3
parent0dfcd88c1d39d3bac6eeb36d8964f6bf9a490635 (diff)
downloadampache-39e8556985b3242b75ccfde1c74e67fc4f006ded.tar.gz
ampache-39e8556985b3242b75ccfde1c74e67fc4f006ded.tar.bz2
ampache-39e8556985b3242b75ccfde1c74e67fc4f006ded.zip
Closes the guest-access security hole present when register_globals is on, improves error reporting in the quarantine migration, and adds the xml.server.php file for remote information queries.
-rw-r--r--bin/quarantine_migration.php.inc2
-rwxr-xr-xdocs/CHANGELOG4
-rw-r--r--lib/class/artist.class.php30
-rw-r--r--lib/init.php11
-rw-r--r--lib/ui.lib.php20
-rw-r--r--server/xml.server.php111
6 files changed, 154 insertions, 24 deletions
diff --git a/bin/quarantine_migration.php.inc b/bin/quarantine_migration.php.inc
index 4dfcde6f..8780c3a0 100644
--- a/bin/quarantine_migration.php.inc
+++ b/bin/quarantine_migration.php.inc
@@ -111,7 +111,7 @@ foreach ($files['add'] as $data) {
foreach ($files['delete'] as $data) {
$results = unlink($data['file']);
- if (!$results) { echo "Error: Unable to Delete File\n"; }
+ if (!$results) { echo "Error: Unable to Delete File: " . $data['file'] . "\n"; }
else {
echo _('Deleted') . " " . $data['file'] . "\n";
$sql = "DELETE FROM upload WHERE id='" . $data['id'] . "'";
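Review bot: The new message hard-codes the English "Error: Unable to Delete File" while the success branch two lines down wraps its text in `_()`, so the failure text cannot be translated; `echo _('Error: Unable to Delete File') . ': ' . $data['file'] . "\n";` keeps both branches consistent. `unlink()` also emits its own warning on failure, so the operator now sees two messages for one event; either check `is_writable($data['file'])` before the call or note in a comment that the PHP warning is expected alongside this line. The enclosing foreach continues outside the hunk.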
diff --git a/docs/CHANGELOG b/docs/CHANGELOG
index 750689b6..ada50c14 100755
--- a/docs/CHANGELOG
+++ b/docs/CHANGELOG
@@ -4,6 +4,10 @@
--------------------------------------------------------------------------
v.3.3.3-Alpha1
+ - Fixed security issue that allowed users to gain gues access to
+ ampache if register globals is enabled.
+ - Added xml based query for artists,genre,albums and search see
+ /server/xml.server.php
- Fixed false positive error and PHP5 related error on archive
creation
- Added <image> tag for album art and ability to filter rss feed
diff --git a/lib/class/artist.class.php b/lib/class/artist.class.php
index 334472e3..10843086 100644
--- a/lib/class/artist.class.php
+++ b/lib/class/artist.class.php
@@ -40,37 +40,35 @@ class Artist {
*/
function Artist($artist_id = 0) {
-
- /* If we have passed an id then do something */
- if ($artist_id) {
-
- /* Assign id for use in get_info() */
- $this->id = intval($artist_id);
+ /* If they failed to pass in an id, just run for it */
+ if (!$artist_id) { return false; }
- /* Get the information from the db */
- if ($info = $this->get_info()) {
+ /* Assign id for use in get_info() */
+ $this->id = intval($artist_id);
- /* Assign Vars */
- $this->name = $info->name;
- $this->prefix = $info->prefix;
- } // if info
+ /* Get the information from the db */
+ $info = $this->_get_info();
+ if (count($info)) {
+ /* Assign Vars */
+ $this->name = $info['name'];
+ $this->prefix = $info['prefix'];
+ } // if info
- } // if artist_id
} //constructor
/*!
- @function get_info
+ @function _get_info
@discussion get's the vars for $this out of the database
@param $this->id Taken from the object
*/
- function get_info() {
+ function _get_info() {
/* Grab the basic information from the catalog and return it */
$sql = "SELECT * FROM artist WHERE id='" . sql_escape($this->id) . "'";
$db_results = mysql_query($sql, dbh());
- $results = mysql_fetch_object($db_results);
+ $results = mysql_fetch_assoc($db_results);
return $results;
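Review bot: The `if (count($info))` guard in the rewritten constructor does not catch the no-row case: `mysql_fetch_assoc()` returns `false` when no artist has that id, and `count(false)` evaluates to 1 on the PHP versions this code targets, so the branch runs and assigns `null` to `name` and `prefix`; `if (is_array($info)) {` is the check that matches the "if info" comment. The `return false;` on the early-exit line does not stop object construction in PHP — `new Artist()` still yields an object with `id` unset — so the constructor docblock should say that an id of 0 produces an unpopulated object. Renaming `get_info()` to `_get_info()` is a visible interface change that any caller of the old name outside this file will trip over, and the commit message does not mention it. `_get_info()` continues outside the hunk.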
diff --git a/lib/init.php b/lib/init.php
index 96eef2c5..530e37e1 100644
--- a/lib/init.php
+++ b/lib/init.php
@@ -80,7 +80,7 @@ if (!$results['allow_stream_playback']) {
/** This is the version.... fluf nothing more... **/
-$results['version'] = '3.3.3-Alpha1 (Build 002)';
+$results['version'] = '3.3.3-Alpha1 (Build 003)';
$results['raw_web_path'] = $results['web_path'];
$results['web_path'] = $http_type . $_SERVER['HTTP_HOST'] . $results['web_path'];
@@ -120,6 +120,8 @@ if (!is_array($results['auth_methods'])) {
$results['auth_methods'] = array($results['auth_methods']);
}
+
+
/* Variables needed for vauth Module */
$results['cookie_path'] = $results['raw_web_path'];
$results['cookie_domain'] = $_SERVER['SERVER_NAME'];
@@ -227,6 +229,13 @@ srand((double) microtime() * 1000003);
/**** END Set PHP Vars ****/
+/* Check to see if they've tried to set no_session via get/post */
+if (isset($_POST['no_session']) || isset($_GET['no_session'])) {
+ /* just incase of register globals */
+ unset($no_session);
+ debug_event('no_session','No Session passed as get/post','1');
+}
+
// If we don't want a session
if (!isset($no_session) AND conf('use_auth')) {
if (!vauth_check_session()) { logout(); exit(); }
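Review bot: The new check clears `$no_session` only when the name arrives through `$_POST` or `$_GET`, but register_globals imports variables from every source listed in `variables_order` (cookies among them), so a value delivered another way still reaches the `isset($no_session)` test two lines below. Since `$no_session` is meant to be set only by the including script, the robust fix is to stop relying on a global variable: have callers `define('NO_SESSION', true)` before `require_once('lib/init.php')` and test `defined('NO_SESSION')` here, because constants cannot be populated by register_globals. At minimum the comment above the block should state which sources it covers, e.g. `/* register_globals may import no_session from any request source; never honour a request-supplied value */`, so the gap is visible to the next maintainer. The `debug_event()` text "No Session passed as get/post" would also be more useful in logs if it named this as a rejected session-bypass attempt.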
diff --git a/lib/ui.lib.php b/lib/ui.lib.php
index 1834dc35..e08cab14 100644
--- a/lib/ui.lib.php
+++ b/lib/ui.lib.php
@@ -1340,14 +1340,22 @@ function get_user_icon($name) {
* creates a XML document form it for use
* primarly by the ajax mojo
*/
-function xml_from_array($array) {
-
- $string = "<root>\n";
+function xml_from_array($array,$callback=0) {
+
foreach ($array as $key=>$value) {
- /* We need to escape the value */
- $string .= "\t<$key><![CDATA[$value]]></$key>\n";
+ if (is_array($value)) {
+ $value = xml_from_array($value,1);
+ $string .= "\t<$key>$value</$key>\n";
+ }
+ else {
+ /* We need to escape the value */
+ $string .= "\t<$key><![CDATA[$value]]></$key>\n";
+ }
+ } // end foreach elements
+
+ if (!$callback) {
+ $string = "<root>\n" . $string . "</root>\n";
}
- $string .= "</root>\n";
return $string;
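Review bot: `$string` is never initialised in the rewritten `xml_from_array()`, so an empty `$array` (or one whose elements are all arrays at the recursive level) raises an undefined-variable notice and, with `$callback` set, returns `null` rather than `''`; add `$string = '';` directly after the signature. The CDATA branch on the `<![CDATA[$value]]>` line still produces malformed XML if `$value` contains the sequence `]]>`, which terminates the section early — `$value = str_replace(']]>', ']]]]><![CDATA[>', $value);` before wrapping keeps the document well-formed. `$key` is emitted verbatim as an element name, so the function's contract depends on callers supplying valid XML name tokens; a comment such as `/* keys become element names: callers must pass valid XML names */` would record that. The function's closing brace is outside the hunk.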
diff --git a/server/xml.server.php b/server/xml.server.php
new file mode 100644
index 00000000..d7ca0249
--- /dev/null
+++ b/server/xml.server.php
@@ -0,0 +1,111 @@
+<?php
+/*
+
+ Copyright (c) 2001 - 2006 Ampache.org
+ All rights reserved.
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
+ as published by the Free Software Foundation; either version 2
+ of the License, or (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+*/
+
+/**
+ * This is accessed remotly to allow outside scripts access to ampache information
+ * as such it needs to verify the session id that is passed
+ */
+
+$no_session = true;
+require_once('../lib/init.php');
+
+/* Verify the existance of the Session they passed in */
+if (!session_exists($_REQUEST['sessid'])) { exit(); }
+
+$GLOBALS['user'] = new User($_REQUEST['user_id']);
+$action = scrub_in($_REQUEST['action']);
+
+/* Set the correct headers */
+header("Content-type: application/xhtml+xml");
+
+switch ($action) {
+ /* Returns an array of artist information */
+ case 'get_artists':
+ $sql = "SELECT id FROM artist ORDER BY name";
+ $db_results = mysql_query($sql,dbh());
+
+ while ($r = mysql_fetch_assoc($db_results)) {
+ $artist = new Artist($r['id']);
+ $artist->format_artist();
+ $artist_id = "id_" . $artist->id;
+ $results[$artist_id] = $artist->full_name;
+ } // end while results
+
+ $xml_doc = xml_from_array($results);
+ echo $xml_doc;
+ break;
+ case 'get_albums':
+ $sql = "SELECT id FROM album ORDER BY name";
+ $db_results = mysql_query($sql,dbh());
+
+ while ($r = mysql_fetch_assoc($db_results)) {
+ $album = new Album($r['id']);
+ $album_id = "id_" . $album->id;
+ $results[$album_id] = array('year'=>$album->year,'name'=>$album->name);
+ } // end while results
+
+ $xml_doc = xml_from_array($results);
+ echo $xml_doc;
+ break;
+ case 'get_genres':
+ $sql = "SELECT id FROM genre ORDER BY name";
+ $db_results = mysql_query($sql,dbh());
+
+ while ($r = mysql_fetch_assoc($db_results)) {
+ $genre = new Genre($r['id']);
+ $genre_id = "id_" . $genre->id;
+ $results[$genre_id] = $genre->name;
+ }
+
+ $xml_doc = xml_from_array($results);
+ echo $xml_doc;
+ break;
+ /* Return results of a quick search */
+ case 'search':
+ /* We need search string */
+ $_REQUEST['s_all'] = $_REQUEST['search_string'];
+ if (strlen($_REQUEST['s_all']) < 1) { break; }
+ $data = run_search($_REQUEST);
+
+ /* Unfortuantly these are song objects, which are not good for
+ * xml.. turn it into an array
+ */
+ foreach ($data as $song) {
+ $song_id = 'id_' . $song->id;
+ $genre = $song->get_genre_name();
+ $artist = $song->get_artist_name();
+ $album = $song->get_album_name();
+ $results[$song_id] = array('title'=>$song->title,
+ 'genre'=>$genre,
+ 'artist'=>$artist,
+ 'album'=>$album);
+ } // end foreach song
+
+ $xml_doc = xml_from_array($results);
+ echo $xml_doc;
+
+ break;
+ default:
+ // Rien a faire
+ break;
+} // end switch action
+?>
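Review bot: `$GLOBALS['user'] = new User($_REQUEST['user_id']);` takes the acting identity from the request rather than from the session that was just validated, so the `session_exists()` check and the user the script runs as are independent — any valid session id is accepted together with whatever `user_id` the caller supplies. The user should be resolved from the session record for `sessid` (whatever vauth stores with it; that API is not visible from here) and `user_id` should not be a request parameter at all. Separately, `$results` is never initialised before the `while` and `foreach` loops, so an empty table or an empty search hands `null` to `xml_from_array()`, which then foreaches over it with a warning; add `$results = array();` at the top of each case. `$_REQUEST['search_string']` is copied into `s_all` without the `scrub_in()` applied to `action`, and the `Content-type` header says `application/xhtml+xml` although the body is plain XML with a `<root>` element, where `text/xml` describes it accurately.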