sync PEAR::XML_RPC to version 1.3.2

diff --git a/bundled-libs/XML/RPC.php b/bundled-libs/XML/RPC.php
index 493db1ef804c897a4a772676cb64ace0f220e630..01c91a07c8b69fe542bd7eeeaf9f9a93d18a9ce3 100644 (file)
--- a/bundled-libs/XML/RPC.php
+++ b/bundled-libs/XML/RPC.php
@@ -32,7 +32,7 @@
  * @author     Martin Jansen <mj@php.net>
  * @author     Daniel Convissor <danielc@php.net>
  * @copyright  1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version    CVS: $Id: RPC.php,v 1.76 2005/06/29 12:22:29 toby Exp $
+ * @version    CVS: $Id: RPC.php,v 1.79 2005/07/07 01:08:28 danielc Exp $
  * @link       http://pear.php.net/package/XML_RPC
  */
 
@@ -456,7 +456,7 @@ function XML_RPC_cd($parser_resource, $data)
  * @author     Martin Jansen <mj@php.net>
  * @author     Daniel Convissor <danielc@php.net>
  * @copyright  1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version    Release: @package_version@
+ * @version    Release: 1.3.2
  * @link       http://pear.php.net/package/XML_RPC
  */
 class XML_RPC_Base {
@@ -501,7 +501,7 @@ class XML_RPC_Base {
  * @author     Martin Jansen <mj@php.net>
  * @author     Daniel Convissor <danielc@php.net>
  * @copyright  1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version    Release: @package_version@
+ * @version    Release: 1.3.2
  * @link       http://pear.php.net/package/XML_RPC
  */
 class XML_RPC_Client extends XML_RPC_Base {
@@ -919,7 +919,7 @@ class XML_RPC_Client extends XML_RPC_Base {
  * @author     Martin Jansen <mj@php.net>
  * @author     Daniel Convissor <danielc@php.net>
  * @copyright  1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version    Release: @package_version@
+ * @version    Release: 1.3.2
  * @link       http://pear.php.net/package/XML_RPC
  */
 class XML_RPC_Response extends XML_RPC_Base
@@ -1010,7 +1010,7 @@ class XML_RPC_Response extends XML_RPC_Base
  * @author     Martin Jansen <mj@php.net>
  * @author     Daniel Convissor <danielc@php.net>
  * @copyright  1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version    Release: @package_version@
+ * @version    Release: 1.3.2
  * @link       http://pear.php.net/package/XML_RPC
  */
 class XML_RPC_Message extends XML_RPC_Base
@@ -1323,7 +1323,7 @@ class XML_RPC_Message extends XML_RPC_Base
             $r = new XML_RPC_Response(0, $XML_RPC_err['invalid_return'],
                                       $XML_RPC_str['invalid_return']);
         } else {
-            eval('$v=' . $XML_RPC_xh[$parser]['st'] . '; $allOK=1;');
+            @eval('$v=' . $XML_RPC_xh[$parser]['st'] . '; $allOK=1;');
             if ($XML_RPC_xh[$parser]['isf']) {
                 $f = $v->structmem('faultCode');
                 $fs = $v->structmem('faultString');
@@ -1348,7 +1348,7 @@ class XML_RPC_Message extends XML_RPC_Base
  * @author     Martin Jansen <mj@php.net>
  * @author     Daniel Convissor <danielc@php.net>
  * @copyright  1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version    Release: @package_version@
+ * @version    Release: 1.3.2
  * @link       http://pear.php.net/package/XML_RPC
  */
 class XML_RPC_Value extends XML_RPC_Base
@@ -1559,14 +1559,13 @@ class XML_RPC_Value extends XML_RPC_Base
      */
     function serializeval($o)
     {
-        $rs = '';
+        if (!is_object($o) || empty($o->me) || !is_array($o->me)) {
+            return '';
+        }
         $ar = $o->me;
         reset($ar);
         list($typ, $val) = each($ar);
-        $rs .= '<value>';
-        $rs .= $this->serializedata($typ, $val);
-        $rs .= "</value>\n";
-        return $rs;
+        return '<value>' .  $this->serializedata($typ, $val) .  "</value>\n";
     }
 
     /**
@@ -1622,7 +1621,7 @@ class XML_RPC_Value extends XML_RPC_Base
                 $t[$id] = $cont->scalarval();
             }
             foreach ($t as $id => $cont) {
-                eval('$b->'.$id.' = $cont;');
+                @eval('$b->'.$id.' = $cont;');
             }
         }
 

diff --git a/bundled-libs/XML/RPC/Dump.php b/bundled-libs/XML/RPC/Dump.php
index 366307c1b1f88149c66315935437b92d6a2bc4a5..6813ad362659d2afc2f208be856420d933a272e0 100644 (file)
--- a/bundled-libs/XML/RPC/Dump.php
+++ b/bundled-libs/XML/RPC/Dump.php
@@ -42,7 +42,7 @@ function XML_RPC_Dump($value)
  * @category   Web Services
  * @package    XML_RPC
  * @author     Christian Weiske <cweiske@php.net>
- * @version    Release: @package_version@
+ * @version    Release: 1.3.2
  * @link       http://pear.php.net/package/XML_RPC
  */
 class XML_RPC_Dump

diff --git a/bundled-libs/XML/RPC/Server.php b/bundled-libs/XML/RPC/Server.php
index 579411dd97b15dbad0a037e12acf4bbce63dc635..1b909e94c23459235da0a0c8bd6b5e11a8517bdd 100644 (file)
--- a/bundled-libs/XML/RPC/Server.php
+++ b/bundled-libs/XML/RPC/Server.php
@@ -32,7 +32,7 @@
  * @author     Martin Jansen <mj@php.net>
  * @author     Daniel Convissor <danielc@php.net>
  * @copyright  1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version    CVS: $Id: Server.php,v 1.26 2005/05/09 21:39:47 danielc Exp $
+ * @version    CVS: $Id: Server.php,v 1.28 2005/07/07 01:21:29 danielc Exp $
  * @link       http://pear.php.net/package/XML_RPC
  */
 
@@ -40,7 +40,7 @@
 /**
  * Pull in the XML_RPC class
  */
-require_once dirname(__FILE__) . '/../RPC.php';
+require_once 'XML/RPC.php';
 
 
 /**
@@ -270,7 +270,7 @@ function XML_RPC_Server_debugmsg($m)
  * @author     Martin Jansen <mj@php.net>
  * @author     Daniel Convissor <danielc@php.net>
  * @copyright  1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version    Release: @package_version@
+ * @version    Release: 1.3.2
  * @link       http://pear.php.net/package/XML_RPC
  */
 class XML_RPC_Server
@@ -385,8 +385,12 @@ class XML_RPC_Server
      */
     function service()
     {
-        $this->createServerPayload();
-        $this->createServerHeaders();
+        if (!$this->server_payload) {
+            $this->createServerPayload();
+        }
+        if (!$this->server_headers) {
+            $this->createServerHeaders();
+        }
         header($this->server_headers);
         print $this->server_payload;
     }
@@ -529,7 +533,7 @@ class XML_RPC_Server
             for ($i = 0; $i < sizeof($XML_RPC_xh[$parser]['params']); $i++) {
                 // print '<!-- ' . $XML_RPC_xh[$parser]['params'][$i]. "-->\n";
                 $plist .= "$i - " . $XML_RPC_xh[$parser]['params'][$i] . " \n";
-                eval('$m->addParam(' . $XML_RPC_xh[$parser]['params'][$i] . ');');
+                @eval('$m->addParam(' . $XML_RPC_xh[$parser]['params'][$i] . ');');
             }
             XML_RPC_Server_debugmsg($plist);
 

diff --git a/docs/NEWS b/docs/NEWS
index 787fb1e37b907076351dac88b02a3b05d2574722..5701e1c371987a7b1ba18f02a52238b7e987ce2c 100644 (file)
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,6 +3,12 @@
 Version 0.8.3 ()
 ------------------------------------------------------------------------
 
+   * XML_RPC: Eliminate path disclosure vulnerabilities by suppressing
+     error messages when eval()'ing. Eliminate path disclosure
+     vulnerability by catching bogus parameters submitted
+     to XML_RPC_Value::serializeval(). (nohn)
+
+
 Version 0.8.2 (June 29th, 2005)
 ------------------------------------------------------------------------