From 77bc16f52520efe50ea0664b11f235897239a482 Mon Sep 17 00:00:00 2001
From: Karl 'vollmerk' Vollmer
Date: Tue, 18 Dec 2007 15:16:02 +0000
Subject: fixed dbl negative on xml api and enabled the timestamp check as well as fixed a typo in the config file
---
 config/ampache.cfg.php.dist | 2 +-
 docs/CHANGELOG | 3 +++
 lib/class/api.class.php | 9 +++++----
 server/xml.server.php | 4 +---
 4 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/config/ampache.cfg.php.dist b/config/ampache.cfg.php.dist
index ad6bb7c1..f301e594 100644
--- a/config/ampache.cfg.php.dist
+++ b/config/ampache.cfg.php.dist
@@ -96,7 +96,7 @@ catalog_file_pattern = "mp3|mpc|m4p|m4a|mp4|aac|ogg|rm|wma|asf|flac|spx|ra|ape|s
 ; Use Access List
 ; Toggle this on if you want ampache to pay attention to the access list
 ; and only allow streaming/downloading/xml-rpc from known hosts by default
-; xml-rpc will not working without this on.
+; xml-rpc will not work without this on.
 ; DEFAULT: false
 ;access_control = "false"
diff --git a/docs/CHANGELOG b/docs/CHANGELOG
index 08e47e3a..6029e406 100755
--- a/docs/CHANGELOG
+++ b/docs/CHANGELOG
@@ -4,6 +4,9 @@
 --------------------------------------------------------------------------
 v.3.4-Alpha4
+ - Added check to make sure timestamp passed to API is less then
+ four hours old. Set to four hours to allow for some
+ difference in server/client time
 - Fixed basic XML-RPC functionality, using insecure / old authentication method needs more work
 - Fixed it so that all errors should return an XML document when
diff --git a/lib/class/api.class.php b/lib/class/api.class.php
index 40cff61f..c7391837 100644
--- a/lib/class/api.class.php
+++ b/lib/class/api.class.php
@@ -48,12 +48,13 @@ class Api {
 public static function handshake($timestamp,$passphrase,$ip,$username='') {
 // If the timestamp is over 2hr old sucks to be them
-// if ($timestamp < (time() - 7200)) {
-// return 'Timestamp too old, try again';
-// }
+ if ($timestamp < (time() - 14400)) {
+ debug_event('API','Login Failed, timestamp too old','1');
+ return false;
+ }
 // First we'll filter by username and IP
- if (!$username) {
+ if (!trim($username)) {
 $user_id = '-1'; } else {
diff --git a/server/xml.server.php b/server/xml.server.php
index 83d10027..d1464dca 100644
--- a/server/xml.server.php
+++ b/server/xml.server.php
@@ -27,10 +27,8 @@
 define('NO_SESSION','1');
 require_once '../lib/init.php';
-
-
 // If it's not a handshake then we can allow it to take up lots of time
-if (!$_REQUEST['action'] != 'handshake') {
+if ($_REQUEST['action'] != 'handshake') {
 set_time_limit(0);
 }
-- 
cgit
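Review bot: The new check `if ($timestamp < (time() - 14400))` bounds only how old the timestamp may be, so a value far in the future passes indefinitely; if the passphrase is derived from this timestamp (not visible in the hunk), a captured handshake carrying a future timestamp would stay replayable until that time, which undoes the point of the age check. Bound both directions with the same four-hour skew allowance, e.g. `if ($timestamp < (time() - 14400) || $timestamp > (time() + 14400)) {`. The value is also compared as received; `(int) $timestamp` before the comparison makes the handling of non-numeric input explicit rather than relying on loose comparison. The body of handshake() continues past the end of the hunk.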
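Review bot: `$_REQUEST['action']` is read without an existence check on the corrected line `if ($_REQUEST['action'] != 'handshake') {`, so a request with no action parameter raises an undefined-index notice and, since null != 'handshake', still receives the unlimited time limit. Guard the read, e.g. `if (isset($_REQUEST['action']) && $_REQUEST['action'] != 'handshake') {`, which also withholds `set_time_limit(0)` from requests that name no action at all. Note that this hunk grants unlimited execution time before any authentication is visible; whether later code validates the session for non-handshake actions cannot be seen from here, so that should be confirmed against the rest of the file.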