authormomo-i <momo-i@ampache>2009-03-17 23:49:01 +0000
committermomo-i <momo-i@ampache>2009-03-17 23:49:01 +0000
commitc31be1e56af311204098ce603f5600b44e611b27 (patch)
tree9cf2f0726f28aa3b1dbde89609165e8d08767ab6 /lib/class
parent9b8d212ef24a038c2a92697e337c4de9bdbde2a0 (diff)
Fixed: forgot session check
Diffstat (limited to 'lib/class')
-rw-r--r--lib/class/catalog.class.php6
-rw-r--r--lib/class/xmlrpcserver.class.php10
2 files changed, 15 insertions, 1 deletions
diff --git a/lib/class/catalog.class.php b/lib/class/catalog.class.php
index cbfe30cf..e3f51822 100644
--- a/lib/class/catalog.class.php
+++ b/lib/class/catalog.class.php
@@ -2308,8 +2308,12 @@ class Catalog extends database_object {
$client = new XML_RPC_Client($full_url,$server,$port,$proxy_host,$proxy_port,$proxy_user,$proxy_pass);
+ /* encode the variables we need to send over */
+ $encoded_key = new XML_RPC_Value($token,'string');
+ $encoded_path = new XML_RPC_Value(Config::get('web_path'),'string');
$song_id = new XML_RPC_Value($value,'int');
- $xmlrpc_message = new XML_RPC_Message('xmlrpcserver.check_song', array($song_id));
+
+ $xmlrpc_message = new XML_RPC_Message('xmlrpcserver.check_song', array($song_id,$encoded_key,$encoded_path));
$response = $client->send($xmlrpc_message,30);
if ($response->faultCode() ) {
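Review bot: `$encoded_path` (the local `web_path`) is appended to the `xmlrpcserver.check_song` message, but the server-side `check_song` changed in this same commit reads only parameters 0 and 1 in the lines shown, so the third value appears to be unused; either drop it from the `array(...)` or have the server consume it. `$token` is not assigned anywhere in this hunk (the enclosing method starts outside it), so it is worth confirming that it is always populated before this call, since an empty key would still be sent. Because the session key now travels with every request, the comment could state that, e.g. `/* encode the session key and our web path; the remote server rejects calls without a valid xml-rpc session */`.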
diff --git a/lib/class/xmlrpcserver.class.php b/lib/class/xmlrpcserver.class.php
index 91fb78ec..06c6effd 100644
--- a/lib/class/xmlrpcserver.class.php
+++ b/lib/class/xmlrpcserver.class.php
@@ -196,6 +196,16 @@ class xmlRpcServer {
*/
public static function check_song($xmlrpc_object) {
+ // Pull out the key
+ $variable = $xmlrpc_object->getParam(1);
+ $key = $variable->scalarval();
+
+ // Check it and make sure we're super green
+ if (!vauth::session_exists('xml-rpc',$key)) {
+ debug_event('XMLSERVER','Error ' . $_SERVER['REMOTE_ADDR'] . ' with key ' . $key . ' does not match any ACLs','1');
+ return new XML_RPC_Response(0,'503','Key/IP Mis-match Access Denied');
+ }
+
$var = $xmlrpc_object->params['0']->me['int'];
$sql = "SELECT `song`.`id` FROM `song` WHERE `id`='" . Dba::escape($var) ."'";
$db_results = Dba::read($sql);
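Review bot: `getParam(1)` is dereferenced with `->scalarval()` before anything confirms that the caller sent a second parameter, so a request carrying only the song id (for instance from a catalog client that predates this commit) ends in a method call on whatever `getParam` returns for a missing index; check the parameter count or the returned type first and return the same 503 response. The `debug_event` line also writes the caller-supplied `$key` verbatim into the log, which puts unauthenticated input and near-miss session tokens there; the address alone is enough, e.g. `debug_event('XMLSERVER','Error ' . $_SERVER['REMOTE_ADDR'] . ' presented an unknown xml-rpc session key','1');`. Both the log text and the fault string speak of ACLs and an IP mismatch, yet only `vauth::session_exists` is consulted in these lines; if an address check is intended it is not visible here, and the wording should match what is actually enforced. check_song's body continues past the hunk.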