authorKarl 'vollmerk' Vollmer <vollmer@ampache.org>2006-09-30 20:32:11 +0000
committerKarl 'vollmerk' Vollmer <vollmer@ampache.org>2006-09-30 20:32:11 +0000
commit8eab507038dc3d844229051cf3f7dbcaee4897d4 (patch)
tree045dbc09132129a2d13da0a2a51d66cf982eeb68 /lib
parent6eeea6fbcdd9a8a40bbcb94c767572e12a845551 (diff)
slight format fix on now playing and xmlrpc key fixes
Diffstat (limited to 'lib')
-rw-r--r--lib/class/access.class.php4
-rw-r--r--lib/general.lib.php11
-rw-r--r--lib/log.lib.php7
-rw-r--r--lib/xmlrpc.php27
4 files changed, 29 insertions, 20 deletions
diff --git a/lib/class/access.class.php b/lib/class/access.class.php
index 5ad5a219..95fc0b26 100644
--- a/lib/class/access.class.php
+++ b/lib/class/access.class.php
@@ -158,7 +158,7 @@ class Access {
}
// Clean incomming variables
- $ip = ip2int(intval($ip));
+ $ip = ip2int($ip);
$user = sql_escape($user);
$key = sql_escape($key);
$level = sql_escape($level);
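Review bot: After this change `$ip` is the only value in the "Clean incomming variables" block that does not pass through `sql_escape()`, so its safety rests entirely on `ip2int()` returning an integer. ip2int is not visible on this page and `$ip` is presumably interpolated into the query built further down; if ip2int can return false or a non-numeric value for a malformed address, reject it right after the call, e.g. `if (!is_numeric($ip)) { return false; }`. The enclosing method starts and ends outside this hunk, so the right failure value should be confirmed against the rest of the method.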
@@ -187,7 +187,7 @@ class Access {
else { $sql .= " AND `user` = '-1'"; }
break;
} // end switch on type
-
+
$db_results = mysql_query($sql, dbh());
// Yah they have access they can use the mojo
diff --git a/lib/general.lib.php b/lib/general.lib.php
index 13951642..ab28eebb 100644
--- a/lib/general.lib.php
+++ b/lib/general.lib.php
@@ -299,11 +299,16 @@ function session_exists($sid,$xml_rpc=0) {
$path = str_replace("//","/",$path);
+ /* Create the XMLRPC client */
$client = new xmlrpc_client($path,$server,$port);
- $query = new xmlrpcmsg('remote_session_verify',array(new xmlrpcval($sid,"string")) );
-
- if (conf('debug')) { log_event($_SESSION['userdata']['username'],' xmlrpc-client ',"Checking for Valid Remote Session:$sid"); }
+ /* Encode the SID of the incomming client */
+ $encoded_sid = new xmlrpcval($sid,"string");
+
+ $query = new xmlrpcmsg('remote_session_verify',array($encoded_sid) );
+
+ /* Log this event */
+ debug_event('xmlrpc-client',"Checking for Valid Remote Session:$sid",'3');
$response = $client->send($query,30);
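Review bot: The new `debug_event` call writes the full session id into the log, and unlike the removed line it is no longer wrapped in `if (conf('debug'))` at the call site, so whether it is emitted depends on how debug_event treats level '3' (not visible here). A session id is a bearer credential, so a readable log file exposes live sessions. Log a short digest instead, which still allows correlation: `debug_event('xmlrpc-client',"Checking for Valid Remote Session:" . substr(sha1($sid),0,8),'3');`. session_exists continues outside this hunk.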
diff --git a/lib/log.lib.php b/lib/log.lib.php
index ed19984c..01a56be1 100644
--- a/lib/log.lib.php
+++ b/lib/log.lib.php
@@ -89,6 +89,13 @@ function ampache_error_handler($errno, $errstr, $errfile, $errline) {
return false;
}
+ /* The XML-RPC lib is broken, well kind of
+ * shut your pie hole
+ */
+ if (strstr($errstr,"used as offset, casting to integer")) {
+ return false;
+ }
+
$log_line = "[$error_name] $errstr on line $errline in $errfile";
debug_event('error',$log_line,$level);
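Review bot: The new filter drops every error whose message contains "used as offset, casting to integer" regardless of which file raised it, so the same notice coming from Ampache's own code is silenced as well. `$errfile` is already a parameter of the handler; limit the suppression to the XML-RPC library, e.g. `if (strpos($errfile,'<xmlrpc library path>') !== false && strpos($errstr,"used as offset, casting to integer") !== false) { return false; }`, where the placeholder stands for the library's location, which this page does not show. The comment above the check would be more useful if it named the notice being hidden and why it is safe to ignore. ampache_error_handler starts and ends outside the hunk.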
diff --git a/lib/xmlrpc.php b/lib/xmlrpc.php
index 7dc09f01..5c47c377 100644
--- a/lib/xmlrpc.php
+++ b/lib/xmlrpc.php
@@ -37,6 +37,7 @@
* @catagory Server
*/
function remote_catalog_query($m) {
+
$var = $m->getParam(0);
$key = $var->scalarval();
@@ -79,7 +80,7 @@ function remote_catalog_query($m) {
*/
function remote_song_query($params) {
- $var = $parms->getParam(0);
+ $var = $params->getParam(0);
$key = $var->scalarval();
/* Verify the KEY */
@@ -90,6 +91,7 @@ function remote_song_query($params) {
$start = $params->params['1']->me['int'];
$step = $params->params['2']->me['int'];
+
// Get me a list of all local catalogs
$sql = "SELECT catalog.id FROM catalog WHERE catalog_type='local'";
$db_results = mysql_query($sql, dbh());
@@ -133,7 +135,9 @@ function remote_song_query($params) {
set_time_limit(0);
$encoded_array = php_xmlrpc_encode($results);
- if (conf('debug')) { log_event($_SESSION['userdata']['username'],' xmlrpc-server ',"Encoded Song Query Results ($start,$step) : " . count($results)); }
+
+ debug_event('xmlrpc-server',"Encoded Song Query Results ($start,$step):" . count($results),'3');
+
return new xmlrpcresp($encoded_array);
} // remote_song_query
@@ -141,23 +145,16 @@ function remote_song_query($params) {
/**
* remote_session_verify
* This checks the session on THIS server and returns a true false
+ * The problem with this funcion is that we don't have the key from
+ * the other server... this needs to be fixed potential security flaw
+ * Other server still needs read xml-rpc permissions, but no key
* @package XMLRPC
* @catagory Server
- * @todo Public/Private Key handshake?
*/
function remote_session_verify($params) {
- $var = $parms->getParam(0);
- $key = $var->scalarval();
-
- /* Verify the KEY */
- if (!remote_key_verify($key,$_SERVER['REMOTE_ADDR'],'5')) {
- return new xmlrpcresp(0,'503','Key/IP Mis-match Access Denied');
- }
-
-
/* We may need to do this correctly.. :S */
- $var = $params->getParam(1);
+ $var = $params->getParam(0);
$sid = $var->scalarval();
if (session_exists($sid)) {
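Review bot: With the key/IP block removed, nothing in the visible body of remote_session_verify authenticates the caller before it answers whether `$sid` is a live session, so any host that can reach the endpoint can probe session ids. The new docblock says the peer still needs read xml-rpc permission, but that check is not in this hunk; if it is not enforced elsewhere, keep an IP-level ACL check in the function, for example `if (!remote_key_verify('',$_SERVER['REMOTE_ADDR'],'5')) { return new xmlrpcresp(0,'503','Key/IP Mis-match Access Denied'); }` (this assumes Access::check accepts an empty key, which is not shown here). The removed `@todo` was the only tracking marker for the handshake work and is worth keeping until the client actually sends the key. The function body continues outside the hunk.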
@@ -201,10 +198,10 @@ function remote_server_denied() {
* passed key and makes sure the IP+KEY+LEVEL
* matches in the local ACL
*/
-function remote_key_verify($ip,$key,$level) {
+function remote_key_verify($key,$ip,$level) {
$access = new Access();
- if ($access->check('xml-rpc',$ip,'',$key,$level)) {
+ if ($access->check('xml-rpc',$ip,'',$level,$key)) {
return true;
}