From ba9418bca378a6759305e3b388926df4f5a0af9c Mon Sep 17 00:00:00 2001
From: Hakan Sandell <sandell.hakan@gmail.com>
Date: Sat, 13 Nov 2010 18:20:28 +0100
Subject: Added XMLRPC dokuwiki:appendPage

---
 lib/exe/xmlrpc.php | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

(limited to 'lib/exe/xmlrpc.php')

diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php
index f06792361..8c2bec6f9 100644
--- a/lib/exe/xmlrpc.php
+++ b/lib/exe/xmlrpc.php
@@ -7,7 +7,7 @@ if(isset($HTTP_RAW_POST_DATA)) $HTTP_RAW_POST_DATA = trim($HTTP_RAW_POST_DATA);
 /**
  * Increased whenever the API is changed
  */
-define('DOKU_XMLRPC_API_VERSION',4);
+define('DOKU_XMLRPC_API_VERSION',5);
 
 require_once(DOKU_INC.'inc/init.php');
 session_write_close();  //close session
@@ -143,6 +143,13 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
             true
         );
 
+        $this->addCallback(
+            'dokuwiki.appendPage',
+            'this:appendPage',
+            array('int', 'string', 'string', 'struct'),
+            'Append text to a wiki page.'
+        );
+
         /* Wiki API v2 http://www.jspwiki.org/wiki/WikiRPCInterface2 */
         $this->addCallback(
             'wiki.getRPCVersionSupported',
@@ -577,6 +584,17 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
         return 0;
     }
 
+    /**
+     * Appends text to a wiki page.
+     */
+    function appendPage($id, $text, $params) {
+        $currentpage = $this->rawPage($id);
+        if (!is_string($currentpage)) {
+            return $currentpage;
+        }
+        return $this->putPage($id, $currentpage.$text, $params);
+    }
+
     /**
      * Uploads a file to the wiki.
      *
-- 
cgit v1.2.3


From e3776c06c37cc197709dac60892604dfea894ac2 Mon Sep 17 00:00:00 2001
From: Michael Hamann <michael@content-space.de>
Date: Mon, 29 Nov 2010 01:34:36 +0100
Subject: Remove enc=utf-8 in VIM modeline as it is not allowed in VIM 7.3

As of VIM 7.3 it is no longer possible to specify the encoding in the
modeline. This gives an error message whenever such a file is opened,
thus this commit removes the enc setting from the modeline.
---
 lib/exe/xmlrpc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/exe/xmlrpc.php')

diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php
index 8c2bec6f9..d232930a3 100644
--- a/lib/exe/xmlrpc.php
+++ b/lib/exe/xmlrpc.php
@@ -968,4 +968,4 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
 
 $server = new dokuwiki_xmlrpc_server();
 
-// vim:ts=4:sw=4:et:enc=utf-8:
+// vim:ts=4:sw=4:et:
-- 
cgit v1.2.3


From eff795ac6482d5885761f6688ce183c66becd7e1 Mon Sep 17 00:00:00 2001
From: Michael Hamann <michael@content-space.de>
Date: Sun, 16 Jan 2011 13:30:49 +0100
Subject: Fix several security issues in the XML-RPC interface

For locks and getRevisions there hasn't been any acl check. In many
other cases the id hadn't been cleaned before the acl check was done
which means that many acl rules that should be applied weren't applied.
So e.g. when you have read permissions for the root namespace but not
for a subnamespace you could add a leading ":" and the permissions for
the root namespace will be used instead of the permissions for the
subnamespace. This did not apply to writing pages and reading media
files, but writing and deleting media files have been concerned as well
as reading both plain and html versions of pages.

This only concerns installations where XML-RPC is enabled (default is
disabled) and XML-RPC is allowed for all or untrusted users.
---
 lib/exe/xmlrpc.php | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

(limited to 'lib/exe/xmlrpc.php')

diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php
index d232930a3..d40e338b2 100644
--- a/lib/exe/xmlrpc.php
+++ b/lib/exe/xmlrpc.php
@@ -296,6 +296,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * Return a raw wiki page
      */
     function rawPage($id,$rev=''){
+        $id = cleanID($id);
         if(auth_quickaclcheck($id) < AUTH_READ){
             return new IXR_Error(1, 'You are not allowed to read this page');
         }
@@ -351,6 +352,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * Return a wiki page rendered to html
      */
     function htmlPage($id,$rev=''){
+        $id = cleanID($id);
         if(auth_quickaclcheck($id) < AUTH_READ){
             return new IXR_Error(1, 'You are not allowed to read this page');
         }
@@ -488,6 +490,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * Return some basic data about a page
      */
     function pageInfo($id,$rev=''){
+        $id = cleanID($id);
         if(auth_quickaclcheck($id) < AUTH_READ){
             return new IXR_Error(1, 'You are not allowed to read this page');
         }
@@ -601,6 +604,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * Michael Klier <chi@chimeric.de>
      */
     function putAttachment($id, $file, $params) {
+        $id = cleanID($id);
         global $conf;
         global $lang;
 
@@ -668,6 +672,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * @author Gina Haeussge <osd@foosel.net>
      */
     function deleteAttachment($id){
+        $id = cleanID($id);
         $auth = auth_quickaclcheck(getNS($id).':*');
         if($auth < AUTH_DELETE) return new IXR_ERROR(1, "You don't have permissions to delete files.");
         global $conf;
@@ -725,6 +730,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
     * Returns the permissions of a given wiki page
     */
     function aclCheck($id) {
+        $id = cleanID($id);
         return auth_quickaclcheck($id);
     }
 
@@ -734,13 +740,14 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * @author Michael Klier <chi@chimeric.de>
      */
     function listLinks($id) {
+        $id = cleanID($id);
         if(auth_quickaclcheck($id) < AUTH_READ){
             return new IXR_Error(1, 'You are not allowed to read this page');
         }
         $links = array();
 
         // resolve page instructions
-        $ins   = p_cached_instructions(wikiFN(cleanID($id)));
+        $ins   = p_cached_instructions(wikiFN($id));
 
         // instantiate new Renderer - needed for interwiki links
         include(DOKU_INC.'inc/parser/xhtml.php');
@@ -848,6 +855,10 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * @author Michael Klier <chi@chimeric.de>
      */
     function pageVersions($id, $first) {
+        $id = cleanID($id);
+        if(auth_quickaclcheck($id) < AUTH_READ){
+            return new IXR_Error(1, 'You are not allowed to read this page');
+        }
         global $conf;
 
         $versions = array();
@@ -923,7 +934,8 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
         $unlockfail = array();
 
         foreach((array) $set['lock'] as $id){
-            if(checklock($id)){
+            $id = cleanID($id);
+            if(auth_quickaclcheck($id) < AUTH_EDIT || checklock($id)){
                 $lockfail[] = $id;
             }else{
                 lock($id);
@@ -932,10 +944,11 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
         }
 
         foreach((array) $set['unlock'] as $id){
-            if(unlock($id)){
-                $unlocked[] = $id;
-            }else{
+            $id = cleanID($id);
+            if(auth_quickaclcheck($id) < AUTH_EDIT || !unlock($id)){
                 $unlockfail[] = $id;
+            }else{
+                $unlocked[] = $id;
             }
         }
 
-- 
cgit v1.2.3