-rw-r--r-- | inc/IXR_Library.php | 7 | ||||
-rw-r--r-- | inc/httputils.php | 8 | ||||
-rw-r--r-- | lib/exe/xmlrpc.php | 3 | ||||
-rw-r--r-- | lib/plugins/acl/ajax.php | 11 |
4 files changed, 18 insertions, 11 deletions
diff --git a/inc/IXR_Library.php b/inc/IXR_Library.php
index c8255e6d9..ce5a4d914 100644
--- a/inc/IXR_Library.php
+++ b/inc/IXR_Library.php
@@ -302,11 +302,12 @@ class IXR_Server {
 }
 function serve($data = false) {
 if (!$data) {
- global $HTTP_RAW_POST_DATA;
- if (!$HTTP_RAW_POST_DATA) {
+
+ $postData = trim(http_get_raw_post_data());
+ if (!$postData) {
 die('XML-RPC server accepts POST requests only.');
 }
- $data = $HTTP_RAW_POST_DATA;
+ $data = $postData;
 }
 $this->message = new IXR_Message($data);
 if (!$this->message->parse()) {
diff --git a/inc/httputils.php b/inc/httputils.php
index 0ad97a9a1..b815f3ca6 100644
--- a/inc/httputils.php
+++ b/inc/httputils.php
@@ -249,3 +249,11 @@ function http_cached_finish($file, $content) {
 print $content;
 }
 }
+
+function http_get_raw_post_data() {
+ static $postData = null;
+ if ($postData === null) {
+ $postData = file_get_contents('php://input');
+ }
+ return $postData;
+}
diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php
index 93086e891..cbec90bff 100644
--- a/lib/exe/xmlrpc.php
+++ b/lib/exe/xmlrpc.php
@@ -1,9 +1,6 @@
 <?php
 if(!defined('DOKU_INC')) define('DOKU_INC',dirname(__FILE__).'/../../');
-// fix when '< ?xml' isn't on the very first line
-if(isset($HTTP_RAW_POST_DATA)) $HTTP_RAW_POST_DATA = trim($HTTP_RAW_POST_DATA);
-
 require_once(DOKU_INC.'inc/init.php');
 require_once(DOKU_INC.'inc/remote.php');
 session_write_close(); //close session
diff --git a/lib/plugins/acl/ajax.php b/lib/plugins/acl/ajax.php
index 71a2eb03a..3a5d89c08 100644
--- a/lib/plugins/acl/ajax.php
+++ b/lib/plugins/acl/ajax.php
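Review bot: The emptiness test `if (!$postData)` in serve() relies on loose truthiness, so a POST whose body is the single character `0` is answered with 'XML-RPC server accepts POST requests only.' although it was a POST. Because `trim()` always returns a string, `if ($postData === '') {` states the intended condition exactly, and it still covers a failed read of the request body, which trims to the empty string. serve() begins and ends outside this hunk.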
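Review bot: http_get_raw_post_data() is added without a docblock, and the reason for the static cache cannot be read off the code. A short docblock should say that the function returns the raw, unvalidated request body from `php://input`, that the value is cached for the rest of the request because the stream could not be read a second time on PHP versions before 5.6, and that a failed read yields `false`, which stays cached since only `null` triggers the read. The callers added in this commit hand the value to the XML-RPC message parser and to `parse_str()`, so a line marking it as untrusted client input belongs in that docblock too.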
@@ -6,16 +6,17 @@
 * @author Andreas Gohr <andi@splitbrain.org>
 */
-//fix for Opera XMLHttpRequests
-if(!count($_POST) && !empty($HTTP_RAW_POST_DATA)){
- parse_str($HTTP_RAW_POST_DATA, $_POST);
-}
-
 if(!defined('DOKU_INC')) define('DOKU_INC',dirname(__FILE__).'/../../../');
 require_once(DOKU_INC.'inc/init.php');
 //close session
 session_write_close();
+//fix for Opera XMLHttpRequests
+$postData = http_get_raw_post_data();
+if(!count($_POST) && !empty($postData)){
+ parse_str($postData, $_POST);
+}
+
 if(!auth_isadmin()) die('for admins only');
 if(!checkSecurityToken()) die('CRSF Attack');
|
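Review bot: The Opera fallback now fills `$_POST` only after `inc/init.php` has been loaded, so anything init.php derives from `$_POST` is built from an empty array for exactly the clients this fallback serves; init.php is not part of this page, so that needs checking there. `parse_str($postData, $_POST)` also writes only to `$_POST` and not to `$_REQUEST`, so if `checkSecurityToken()` on the last line takes the token from `$_REQUEST`, these requests fail the check; that fails closed, but the fallback then has no effect. The ordering constraint deserves a comment above the block, for example `// keep before auth_isadmin()/checkSecurityToken(): fills $_POST for clients that send no parsed form data`.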