<?php
/**
 * @author Gaetano Giunta
 * @copyright (C) 2005-2015 G. Giunta
 * @license code licensed under the BSD License: see file license.txt
 *
 * Parses GET/POST variables
 *
 * Reads the request parameters (host, port, path, method, payload, auth/ssl/proxy/compression
 * options, ...) into plain variables, falling back to defaults when no 'action' parameter is
 * present, sniffs the charset of the incoming data, and defines payload_is_safe().
 * Every variable set here holds untrusted, request-supplied data.
 *
 * @todo switch params for http compression from 0,1,2 to values to be used directly
 * @todo do some more sanitization of received parameters
 */

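// work around magic quotes (PHP < 5.4): gpc data arrives with backslashes already added.
// get_magic_quotes_gpc() is deprecated in 7.4 and removed in 8.0, where calling it is a
// fatal error; the version test below short-circuits so the call is never reached there.

if (!function_exists('stripslashes_deep')) {
    /**
     * Recursively strip slashes from a string or from an arbitrarily nested array of strings.
     *
     * Declared unconditionally (guarded against redeclaration) so that it is available
     * regardless of the magic_quotes setting.
     *
     * @param string|array $value
     * @return string|array same shape as $value, with stripslashes() applied to every leaf
     */
    function stripslashes_deep($value)
    {
        if (is_array($value)) {
            return array_map('stripslashes_deep', $value);
        }

        return stripslashes($value);
    }
}

if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
    $_GET = array_map('stripslashes_deep', $_GET);
    // $_POST is copied over $_GET further down when usepost=true, so it needs the same fix-up,
    // otherwise posted values keep their escaping while GET values do not
    $_POST = array_map('stripslashes_deep', $_POST);
}
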
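// encodings tried, in this order, when sniffing the charset of the incoming request
$preferredEncodings = 'UTF-8, ASCII, ISO-8859-1, UTF-7, EUC-JP, SJIS, eucJP-win, SJIS-win, JIS, ISO-2022-JP';
// REQUEST_URI is not populated under the cli sapi (and some web servers), hence the isset()
$requestUri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
$inputcharset = mb_detect_encoding(urldecode($requestUri), $preferredEncodings);
if (isset($_GET['usepost']) && $_GET['usepost'] === 'true') {
    // the form can be submitted via POST: from here on its fields are treated as if sent via GET
    $_GET = $_POST;
    // concatenate every value, descending into nested arrays (?x[]=... style fields), so that
    // the sniff sees all the bytes; a plain implode() would emit "Array to string conversion"
    // notices and feed the literal word "Array" to the detector instead
    $probe = '';
    array_walk_recursive($_GET, function ($value) use (&$probe) {
        $probe .= $value;
    });
    $inputcharset = mb_detect_encoding($probe, $preferredEncodings);
}
unset($requestUri, $probe);

/// @todo if $inputcharset is not UTF8, we should probably re-encode $_GET to make it UTF-8
/// NOTE(review): mb_detect_encoding() returns false when no listed encoding matches; consumers
/// of $inputcharset should be prepared for that value
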
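// recover input parameters
//
// Everything below comes straight from the query string (or from the POST body when the form
// was submitted with usepost=true, see above), i.e. from whoever drives the debugger.
// Credentials (username, password, proxypwd) therefore travel in the URL - and into access
// logs - unless the POST variant is used.

// Read one request parameter as a string. PHP turns "?name[]=x" into an array; such values,
// like absent ones, yield $default so that the string functions used below (strpos, substr,
// $path[0], is_numeric) are never handed an array.
$stringParam = function ($name, $default = '') {
    if (!isset($_GET[$name]) || !is_scalar($_GET[$name])) {
        return $default;
    }

    return (string)$_GET[$name];
};

$debug = false;
$protocol = 0;
$run = false;
$wstype = 0;
$id = '';

$action = $stringParam('action', null);
if ($action !== null) {
    if ($stringParam('wstype') === '1') {
        $wstype = 1;
        $id = $stringParam('id');
    }

    $host = $stringParam('host', 'localhost'); // using '' will trigger an xmlrpc error...

    // flag-style parameters are compared strictly: only the exact values offered by the form
    // are accepted ('01', '1.0' etc. no longer slip through the old loose comparison)
    $protocolParam = $stringParam('protocol');
    if ($protocolParam === '1' || $protocolParam === '2') {
        $protocol = $protocolParam;
    }
    // tolerate a scheme prefix on the host: strip it, and let https:// force ssl
    if (strpos($host, 'http://') === 0) {
        $host = substr($host, 7);
    } elseif (strpos($host, 'https://') === 0) {
        $host = substr($host, 8);
        $protocol = 2;
    }
    $port = $stringParam('port');
    $path = $stringParam('path');
    // in case user forgot initial '/' in xmlrpc server path, add it back
    // (tested against '' rather than for truthiness, so a path of "0" is fixed up as well)
    if ($path !== '' && $path[0] !== '/') {
        $path = '/' . $path;
    }

    $debugParam = $stringParam('debug');
    if ($debugParam === '1' || $debugParam === '2') {
        $debug = $debugParam;
    }

    $verifyhostParam = $stringParam('verifyhost');
    $verifyhost = ($verifyhostParam === '1' || $verifyhostParam === '2') ? $verifyhostParam : 0;
    $verifypeer = ($stringParam('verifypeer') === '1');
    // NOTE(review): a filesystem path on the debugger host, chosen by the requester - presumably
    // handed on as the CA bundle for ssl verification. One more reason not to expose the
    // debugger to untrusted users.
    $cainfo = $stringParam('cainfo');
    $proxy = $stringParam('proxy', 0);
    if (is_string($proxy) && strpos($proxy, 'http://') === 0) {
        $proxy = substr($proxy, 7);
    }
    $proxyuser = $stringParam('proxyuser');
    $proxypwd = $stringParam('proxypwd');
    $timeout = $stringParam('timeout', 0);
    if (!is_numeric($timeout)) {
        $timeout = 0;
    }

    $method = $stringParam('method');
    $methodsig = $stringParam('methodsig', 0);
    $payload = $stringParam('methodpayload');
    $alt_payload = $stringParam('altmethodpayload');

    $run = ($stringParam('run') === 'now');

    $username = $stringParam('username');
    $password = $stringParam('password');

    // 1 is the default; only 2 and 8 are accepted as alternatives (presumably the curl
    // auth constants: basic / digest / ntlm - confirm against the consumer of $authtype)
    $authtypeParam = $stringParam('authtype');
    $authtype = ($authtypeParam === '2' || $authtypeParam === '8') ? $authtypeParam : 1;

    $requestcompression = $stringParam('requestcompression');
    if ($requestcompression !== '1' && $requestcompression !== '2') {
        $requestcompression = 0;
    }
    $responsecompression = $stringParam('responsecompression');
    if ($responsecompression !== '1' && $responsecompression !== '2' && $responsecompression !== '3') {
        $responsecompression = 0;
    }

    $clientcookies = $stringParam('clientcookies');
} else {
    // no action requested: every parameter gets its neutral default
    $host = '';
    $port = '';
    $path = '';
    $action = '';
    $method = '';
    $methodsig = 0;
    $payload = '';
    $alt_payload = '';
    $username = '';
    $password = '';
    $authtype = 1;
    $verifyhost = 0;
    $verifypeer = false;
    $cainfo = '';
    $proxy = '';
    $proxyuser = '';
    $proxypwd = '';
    $timeout = 0;
    $requestcompression = 0;
    $responsecompression = 0;
    $clientcookies = '';
}
// do not leak the helper and its scratch variables into the including page's scope
unset($stringParam, $protocolParam, $debugParam, $verifyhostParam, $authtypeParam);
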
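// check input for known XMLRPC attacks against this or other libs
//
// The payload typed into the form is (presumably) sent on as-is to the server under test and
// parsed as XML somewhere along the way, so this is the one place where a clearly hostile
// document can be refused before it leaves the debugger.

/**
 * Tell whether a user-supplied XML-RPC payload may be sent on.
 *
 * The check is deliberately conservative and is not a validation of the payload's structure:
 * - anything that is not a string (e.g. the array PHP builds from "?methodpayload[]=...") is
 *   refused, as the code building the request expects a string;
 * - any document carrying a DTD or entity declaration is refused: XML-RPC never needs one,
 *   while inline entity declarations are the usual vehicle for entity-expansion and
 *   external-entity attacks against XML parsers.
 * Everything else is accepted.
 *
 * @param mixed $input the raw payload as received from the request
 * @return bool true when the payload may be used, false when it must be rejected
 */
function payload_is_safe($input)
{
    if (!is_string($input)) {
        return false;
    }
    // case-insensitive on purpose: parsers accept "<!doctype" as well
    if (stripos($input, '<!DOCTYPE') !== false || stripos($input, '<!ENTITY') !== false) {
        return false;
    }

    return true;
}
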