diff options
| author | Andreas Gohr <andi@splitbrain.org> | 2011-11-27 10:50:03 +0100 |
|---|---|---|
| committer | Andreas Gohr <andi@splitbrain.org> | 2011-11-27 10:50:03 +0100 |
| commit | 560f6ea3cdac2767863c3be3a9e7933b6e37e88f (patch) | |
| tree | 6f51d4b3402458e4de1a596b93ec752c8ac747b2 /lib/exe/xmlrpc.php | |
| parent | e0dd04a6493f1b7f7133f75c08f9ea55ee8bd50a (diff) | |
| parent | c66c7229a0dfc4f9f06dadda98408679fa7a18d6 (diff) | |
| download | rpg-560f6ea3cdac2767863c3be3a9e7933b6e37e88f.tar.gz rpg-560f6ea3cdac2767863c3be3a9e7933b6e37e88f.tar.bz2 | |
Merge branch 'master' into bcrypt
Diffstat (limited to 'lib/exe/xmlrpc.php')
| -rw-r--r-- | lib/exe/xmlrpc.php | 30 |
1 files changed, 25 insertions, 5 deletions
diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php index 8b572d213..e5e3298ae 100644 --- a/lib/exe/xmlrpc.php +++ b/lib/exe/xmlrpc.php @@ -7,7 +7,7 @@ if(isset($HTTP_RAW_POST_DATA)) $HTTP_RAW_POST_DATA = trim($HTTP_RAW_POST_DATA); /** * Increased whenever the API is changed */ -define('DOKU_XMLRPC_API_VERSION',5); +define('DOKU_XMLRPC_API_VERSION', 6); require_once(DOKU_INC.'inc/init.php'); session_write_close(); //close session @@ -53,6 +53,11 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { */ function call($methodname, $args){ if(!in_array($methodname,$this->public_methods) && !$this->checkAuth()){ + if (!isset($_SERVER['REMOTE_USER'])) { + header('HTTP/1.1 401 Unauthorized'); + } else { + header('HTTP/1.1 403 Forbidden'); + } return new IXR_Error(-32603, 'server error. not authorized to call method "'.$methodname.'".'); } return parent::call($methodname, $args); @@ -579,8 +584,12 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { // save temporary file @unlink($ftmp); - $buff = base64_decode($file); - io_saveFile($ftmp, $buff); + if (preg_match('/^[A-Za-z0-9\+\/]*={0,2}$/', $file) === 1) { + // DEPRECATED: Double-decode file if it still looks like base64 + // after first decoding (which is done by the library) + $file = base64_decode($file); + } + io_saveFile($ftmp, $file); $res = media_save(array('name' => $ftmp), $id, $params['ow'], $auth, 'rename'); if (is_array($res)) { @@ -853,11 +862,22 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { global $auth; if(!$conf['useacl']) return 0; if(!$auth) return 0; + + @session_start(); // reopen session for login if($auth->canDo('external')){ - return $auth->trustExternal($user,$pass,false); + $ok = $auth->trustExternal($user,$pass,false); }else{ - return auth_login($user,$pass,false,true); + $evdata = array( + 'user' => $user, + 'password' => $pass, + 'sticky' => false, + 'silent' => true, + ); + $ok = trigger_event('AUTH_LOGIN_CHECK', $evdata, 'auth_login_wrapper'); } + session_write_close(); // we're done with the session + + return $ok; } |