-rw-r--r--lib/class/access.class.php4
-rw-r--r--lib/general.lib.php11
-rw-r--r--lib/log.lib.php7
-rw-r--r--lib/xmlrpc.php27
-rw-r--r--play/index.php6
-rw-r--r--server/xmlrpc.server.php2
-rw-r--r--templates/default.css1
-rw-r--r--templates/show_now_playing_row.inc.php20
8 files changed, 46 insertions, 32 deletions
diff --git a/lib/class/access.class.php b/lib/class/access.class.php
index 5ad5a219..95fc0b26 100644
--- a/lib/class/access.class.php
+++ b/lib/class/access.class.php
@@ -158,7 +158,7 @@ class Access {
}
// Clean incomming variables
- $ip = ip2int(intval($ip));
+ $ip = ip2int($ip);
$user = sql_escape($user);
$key = sql_escape($key);
$level = sql_escape($level);
@@ -187,7 +187,7 @@ class Access {
else { $sql .= " AND `user` = '-1'"; }
break;
} // end switch on type
-
+
$db_results = mysql_query($sql, dbh());
// Yah they have access they can use the mojo
diff --git a/lib/general.lib.php b/lib/general.lib.php
index 13951642..ab28eebb 100644
--- a/lib/general.lib.php
+++ b/lib/general.lib.php
@@ -299,11 +299,16 @@ function session_exists($sid,$xml_rpc=0) {
$path = str_replace("//","/",$path);
+ /* Create the XMLRPC client */
$client = new xmlrpc_client($path,$server,$port);
- $query = new xmlrpcmsg('remote_session_verify',array(new xmlrpcval($sid,"string")) );
-
- if (conf('debug')) { log_event($_SESSION['userdata']['username'],' xmlrpc-client ',"Checking for Valid Remote Session:$sid"); }
+ /* Encode the SID of the incomming client */
+ $encoded_sid = new xmlrpcval($sid,"string");
+
+ $query = new xmlrpcmsg('remote_session_verify',array($encoded_sid) );
+
+ /* Log this event */
+ debug_event('xmlrpc-client',"Checking for Valid Remote Session:$sid",'3');
$response = $client->send($query,30);
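Review bot: The added `debug_event` call writes the full session ID to the debug log, so anyone who can read that log obtains a value the remote server accepts as proof of a live session. Log a short fingerprint instead, e.g. `debug_event('xmlrpc-client',"Checking for Valid Remote Session:" . substr(sha1($sid),0,8),'3');`. The removed line was guarded by `conf('debug')`; whether `debug_event` applies an equivalent gate is not visible here and should be confirmed. The `debug_event` line in play/index.php logs the redirect URL, which carries `sid` as well. `session_exists` starts and ends outside this hunk.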
diff --git a/lib/log.lib.php b/lib/log.lib.php
index ed19984c..01a56be1 100644
--- a/lib/log.lib.php
+++ b/lib/log.lib.php
@@ -89,6 +89,13 @@ function ampache_error_handler($errno, $errstr, $errfile, $errline) {
return false;
}
+ /* The XML-RPC lib is broken, well kind of
+ * shut your pie hole
+ */
+ if (strstr($errstr,"used as offset, casting to integer")) {
+ return false;
+ }
+
$log_line = "[$error_name] $errstr on line $errline in $errfile";
debug_event('error',$log_line,$level);
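Review bot: The new `strstr` test discards every error whose message contains that phrase, whichever file raised it, so the same notice from the application's own code is silenced too and an indexing bug elsewhere would go unlogged. Scope the filter to the XML-RPC library by also testing `$errfile`, e.g. `if (strstr($errstr,"used as offset, casting to integer") && strstr($errfile,'<xmlrpc library path>')) {`. The comment should name the library call that triggers the notice, so the filter can be removed once the library is fixed. `ampache_error_handler` continues outside the hunk.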
diff --git a/lib/xmlrpc.php b/lib/xmlrpc.php
index 7dc09f01..5c47c377 100644
--- a/lib/xmlrpc.php
+++ b/lib/xmlrpc.php
@@ -37,6 +37,7 @@
* @catagory Server
*/
function remote_catalog_query($m) {
+
$var = $m->getParam(0);
$key = $var->scalarval();
@@ -79,7 +80,7 @@ function remote_catalog_query($m) {
*/
function remote_song_query($params) {
- $var = $parms->getParam(0);
+ $var = $params->getParam(0);
$key = $var->scalarval();
/* Verify the KEY */
@@ -90,6 +91,7 @@ function remote_song_query($params) {
$start = $params->params['1']->me['int'];
$step = $params->params['2']->me['int'];
+
// Get me a list of all local catalogs
$sql = "SELECT catalog.id FROM catalog WHERE catalog_type='local'";
$db_results = mysql_query($sql, dbh());
@@ -133,7 +135,9 @@ function remote_song_query($params) {
set_time_limit(0);
$encoded_array = php_xmlrpc_encode($results);
- if (conf('debug')) { log_event($_SESSION['userdata']['username'],' xmlrpc-server ',"Encoded Song Query Results ($start,$step) : " . count($results)); }
+
+ debug_event('xmlrpc-server',"Encoded Song Query Results ($start,$step):" . count($results),'3');
+
return new xmlrpcresp($encoded_array);
} // remote_song_query
@@ -141,23 +145,16 @@ function remote_song_query($params) {
/**
* remote_session_verify
* This checks the session on THIS server and returns a true false
+ * The problem with this funcion is that we don't have the key from
+ * the other server... this needs to be fixed potential security flaw
+ * Other server still needs read xml-rpc permissions, but no key
* @package XMLRPC
* @catagory Server
- * @todo Public/Private Key handshake?
*/
function remote_session_verify($params) {
- $var = $parms->getParam(0);
- $key = $var->scalarval();
-
- /* Verify the KEY */
- if (!remote_key_verify($key,$_SERVER['REMOTE_ADDR'],'5')) {
- return new xmlrpcresp(0,'503','Key/IP Mis-match Access Denied');
- }
-
-
/* We may need to do this correctly.. :S */
- $var = $params->getParam(1);
+ $var = $params->getParam(0);
$sid = $var->scalarval();
if (session_exists($sid)) {
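Review bot: With the `remote_key_verify` call removed, `remote_session_verify` tells any caller that passes the `init-xml-rpc` check in server/xmlrpc.server.php (which is given an empty key) whether a session ID is valid. The new docblock text admits this, but the `@todo` tag was deleted in the same hunk, so the gap no longer shows up in TODO tooling; keep a line such as `* @todo require the remote server's key again once session_exists() sends it as param 0`. Until then, record each call so repeated probing is visible, e.g. `debug_event('xmlrpc-server',"Session verify request from " . $_SERVER['REMOTE_ADDR'],'3');`. The body of the `if (session_exists($sid))` branch is outside the hunk.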
@@ -201,10 +198,10 @@ function remote_server_denied() {
* passed key and makes sure the IP+KEY+LEVEL
* matches in the local ACL
*/
-function remote_key_verify($ip,$key,$level) {
+function remote_key_verify($key,$ip,$level) {
$access = new Access();
- if ($access->check('xml-rpc',$ip,'',$key,$level)) {
+ if ($access->check('xml-rpc',$ip,'',$level,$key)) {
return true;
}
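Review bot: `remote_key_verify` and `Access::check` both take several adjacent string arguments, and this hunk exists because two of them were silently transposed; nothing in the docblock states the order. Add `@param string $key`, `@param string $ip` and `@param string $level` lines to the docblock above the function, and a one-line comment on the call such as `// check(type, ip, user, level, key)`. The signature of `Access::check` is not visible in this diff, so confirm the new order against it; the same reordering is applied to the `init-xml-rpc` call in server/xmlrpc.server.php. The docblock starts and the function body ends outside the hunk.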
diff --git a/play/index.php b/play/index.php
index c84545b1..9878af0b 100644
--- a/play/index.php
+++ b/play/index.php
@@ -129,8 +129,12 @@ if ($catalog->catalog_type == 'remote') {
preg_match("/http:\/\/([^\/]+)\/*(.*)/", conf('web_path'), $match);
$server = rawurlencode($match[1]);
$path = rawurlencode($match[2]);
+ $port = $_SERVER['SERVER_PORT'];
+ if ($_SERVER['HTTPS'] == 'on') { $ssl='1'; }
+ else { $ssl = '0'; }
+ $catalog = $catalog->id;
- $extra_info = "&xml_rpc=1&xml_path=$path&xml_server=$server&xml_port=80&sid=$sid";
+ $extra_info = "&xml_rpc=1&xml_path=$path&xml_server=$server&xml_port=$port&ssl=$ssl&catalog=$catalog&sid=$sid";
header("Location: " . $song->file . $extra_info);
debug_event('xmlrpc-stream',"Start XML-RPC Stream - " . $song->file . $extra_info,'5');
exit;
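Review bot: `$_SERVER['HTTPS']` is read without an existence check on the added line, which raises an undefined-index notice on plain-HTTP requests; `$ssl = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') ? '1' : '0';` avoids that. `$port` and `$catalog` go into the redirect URL without the encoding applied to `$server` and `$path`; `$port = intval($_SERVER['SERVER_PORT']);` keeps the value numeric whatever the server reports. Assigning `$catalog = $catalog->id` replaces the object with a scalar, so a separate name such as `$catalog_id` is safer if `$catalog` is read again later (not visible here). The enclosing `if` block starts outside the hunk.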
diff --git a/server/xmlrpc.server.php b/server/xmlrpc.server.php
index ebf5416b..99226262 100644
--- a/server/xmlrpc.server.php
+++ b/server/xmlrpc.server.php
@@ -34,7 +34,7 @@ else { exit(); }
$access = new Access();
// ** check that the remote server has access to this catalog
-if ($access->check('init-xml-rpc',$_SERVER['REMOTE_ADDR'],'','','5')) {
+if ($access->check('init-xml-rpc',$_SERVER['REMOTE_ADDR'],'','5','')) {
/* Setup Possible Actions */
$methods['remote_catalog_query'] = array('function' => 'remote_catalog_query');
diff --git a/templates/default.css b/templates/default.css
index 9bcac5a1..cb013347 100644
--- a/templates/default.css
+++ b/templates/default.css
@@ -594,7 +594,6 @@ li.current-rating{
display: block;
}
.np_cell {
- display: inline;
margin: 10px;
}
#tablist {
diff --git a/templates/show_now_playing_row.inc.php b/templates/show_now_playing_row.inc.php
index bedca730..9046b719 100644
--- a/templates/show_now_playing_row.inc.php
+++ b/templates/show_now_playing_row.inc.php
@@ -20,24 +20,26 @@ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
?>
-<span class="np_row">
- <span class="np_cell"><?php echo scrub_out($np_user->fullname); ?></span>
- <span class="np_cell">
+<table class="np_row">
+<tr>
+ <td class="np_cell"><?php echo scrub_out($np_user->fullname); ?></td>
+ <td class="np_cell">
<a title="<?php echo scrub_out($song->f_title); ?>" href="<?php echo $web_path; ?>/song.php?action=single_song&amp;song_id=<?php echo $song->id; ?>">
<?php echo scrub_out($song->f_title); ?>
</a>
- </span>
- <span class="np_cell">
+ </td>
+ <td class="np_cell">
<a title="<?php echo scrub_out($song->f_album); ?>" href="<?php echo $web_path; ?>/albums.php?action=show&amp;album=<?php echo $song->album; ?>">
<?php echo scrub_out($song->f_album); ?></a> /
<a title="<?php echo scrub_out($song->f_artist); ?>" href="<?php echo $web_path; ?>/artists.php?action=show&amp;artist=<?php echo $song->artist; ?>">
<?php echo scrub_out($song->f_artist); ?>
</a>
- </span>
+ </td>
<?php if (conf('play_album_art')) { ?>
- <span class="np_cell">
+ <td class="np_cell">
<a target="_blank" href="<?php echo $web_path; ?>/albumart.php?id=<?php echo $song->album; ?>&amp;type=popup" onclick="popup_art('<?php echo $web_path; ?>/albumart.php?id=<?php echo $song->album; ?>&amp;type=popup'); return false;">
<img align="middle" border="0" src="<?php echo $web_path; ?>/albumart.php?id=<?php echo $song->album; ?>&amp;fast=1&amp;thumb=1" alt="Album Art" height="75" /></a>
- </span>
+ </td>
<?php } // end play album art ?>
-</span>
+</tr>
+</table>
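Review bot: In the rebuilt row every text field goes through `scrub_out()`, but `$song->id`, `$song->album`, `$song->artist` and `$web_path` are echoed raw into `href` and `onclick` attributes. These are presumably integer ids and a configured path, but the template cannot guarantee that; `<?php echo intval($song->album); ?>` for the ids would make the cells consistent with the escaped ones. Separately, each row is now its own `<table>`, so column widths will not line up between rows unless the stylesheet fixes them.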