From 09ffaa3f5fc6a5ef832794af8ae4332a6d8b10f1 Mon Sep 17 00:00:00 2001
From: nohn
Date: Mon, 11 Jul 2005 07:07:15 +0000
Subject: [PATCH] sync PEAR::XML_RPC to version 1.3.2
---
 bundled-libs/XML/RPC.php | 25 ++++++++++++-------------
 bundled-libs/XML/RPC/Dump.php | 2 +-
 bundled-libs/XML/RPC/Server.php | 16 ++++++++++------
 docs/NEWS | 7 +++++++
 4 files changed, 30 insertions(+), 20 deletions(-)
diff --git a/bundled-libs/XML/RPC.php b/bundled-libs/XML/RPC.php
index 493db1e..01c91a0 100644
--- a/bundled-libs/XML/RPC.php
+++ b/bundled-libs/XML/RPC.php
@@ -32,7 +32,7 @@
 * @author Martin Jansen
 * @author Daniel Convissor
 * @copyright 1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version CVS: $Id: RPC.php,v 1.76 2005/06/29 12:22:29 toby Exp $
+ * @version CVS: $Id: RPC.php,v 1.79 2005/07/07 01:08:28 danielc Exp $
 * @link http://pear.php.net/package/XML_RPC
 */
@@ -456,7 +456,7 @@ function XML_RPC_cd($parser_resource, $data)
 * @author Martin Jansen
 * @author Daniel Convissor
 * @copyright 1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version Release: @package_version@
+ * @version Release: 1.3.2
 * @link http://pear.php.net/package/XML_RPC
 */
 class XML_RPC_Base {
@@ -501,7 +501,7 @@ class XML_RPC_Base {
 * @author Martin Jansen
 * @author Daniel Convissor
 * @copyright 1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version Release: @package_version@
+ * @version Release: 1.3.2
 * @link http://pear.php.net/package/XML_RPC
 */
 class XML_RPC_Client extends XML_RPC_Base {
@@ -919,7 +919,7 @@ class XML_RPC_Client extends XML_RPC_Base {
 * @author Martin Jansen
 * @author Daniel Convissor
 * @copyright 1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version Release: @package_version@
+ * @version Release: 1.3.2
 * @link http://pear.php.net/package/XML_RPC
 */
 class XML_RPC_Response extends XML_RPC_Base
@@ -1010,7 +1010,7 @@ class XML_RPC_Response extends XML_RPC_Base
 * @author Martin Jansen
 * @author Daniel Convissor
 * @copyright 1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version Release: @package_version@
+ * @version Release: 1.3.2
 * @link http://pear.php.net/package/XML_RPC
 */
 class XML_RPC_Message extends XML_RPC_Base
@@ -1323,7 +1323,7 @@ class XML_RPC_Message extends XML_RPC_Base
 $r = new XML_RPC_Response(0, $XML_RPC_err['invalid_return'],
 $XML_RPC_str['invalid_return']);
 } else {
- eval('$v=' . $XML_RPC_xh[$parser]['st'] . '; $allOK=1;');
+ @eval('$v=' . $XML_RPC_xh[$parser]['st'] . '; $allOK=1;');
 if ($XML_RPC_xh[$parser]['isf']) {
 $f = $v->structmem('faultCode');
 $fs = $v->structmem('faultString');
@@ -1348,7 +1348,7 @@ class XML_RPC_Message extends XML_RPC_Base
 * @author Martin Jansen
 * @author Daniel Convissor
 * @copyright 1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version Release: @package_version@
+ * @version Release: 1.3.2
 * @link http://pear.php.net/package/XML_RPC
 */
 class XML_RPC_Value extends XML_RPC_Base
@@ -1559,14 +1559,13 @@ class XML_RPC_Value extends XML_RPC_Base
 */
 function serializeval($o)
 {
- $rs = '';
+ if (!is_object($o) || empty($o->me) || !is_array($o->me)) {
+ return '';
+ }
 $ar = $o->me;
 reset($ar);
 list($typ, $val) = each($ar);
- $rs .= '';
- $rs .= $this->serializedata($typ, $val);
- $rs .= "\n";
- return $rs;
+ return '' . $this->serializedata($typ, $val) . "\n";
 }
 /**
@@ -1622,7 +1621,7 @@ class XML_RPC_Value extends XML_RPC_Base
 $t[$id] = $cont->scalarval();
 }
 foreach ($t as $id => $cont) {
- eval('$b->'.$id.' = $cont;');
+ @eval('$b->'.$id.' = $cont;');
 }
 }
diff --git a/bundled-libs/XML/RPC/Dump.php b/bundled-libs/XML/RPC/Dump.php
index 366307c..6813ad3 100644
--- a/bundled-libs/XML/RPC/Dump.php
+++ b/bundled-libs/XML/RPC/Dump.php
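Review bot: The `@` added to the eval() in the hunk at line 1323 silences the error text but not the failure: when the parser-built string in `$XML_RPC_xh[$parser]['st']` does not parse, `$v` is never assigned and `$allOK` stays unset, yet the very next lines call `$v->structmem('faultCode')` on it, which on PHP of this era is a fatal error whose message (on a host with display_errors on) leaks the same file path the commit is trying to hide. `$allOK` is only ever set on success and is neither initialized nor checked. I would write `$allOK = 0;` before the eval and then `if (!$allOK) { $r = new XML_RPC_Response(0, $XML_RPC_err['invalid_return'], $XML_RPC_str['invalid_return']); } elseif ($XML_RPC_xh[$parser]['isf']) {` so a malformed response produces the invalid_return fault already used two lines above instead of an undefined object. Evaluating a string assembled from response data remains the underlying exposure; suppression hides its symptoms rather than removing it. The enclosing method begins and ends outside this hunk.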
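Review bot: In the hunk at line 1621, `@eval('$b->'.$id.' = $cont;')` still splices the struct member name `$id` straight into code that is executed; the `@` only hides the resulting error output. If the keys of `$t` come from member names in the decoded message (the loop above fills `$t[$id]` from `$cont->scalarval()`, but where `$id` itself originates is not visible in this hunk), a member name containing PHP syntax would be run as code rather than used as a property name, which is a far worse outcome than the path disclosure being fixed. No eval is needed for this assignment: `$b->$id = $cont;` sets the property by name for any string and also removes the error that the `@` is suppressing. Please confirm the origin of the `$t` keys; the enclosing method starts outside the hunk.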
@@ -42,7 +42,7 @@ function XML_RPC_Dump($value)
 * @category Web Services
 * @package XML_RPC
 * @author Christian Weiske
- * @version Release: @package_version@
+ * @version Release: 1.3.2
 * @link http://pear.php.net/package/XML_RPC
 */
 class XML_RPC_Dump
diff --git a/bundled-libs/XML/RPC/Server.php b/bundled-libs/XML/RPC/Server.php
index 579411d..1b909e9 100644
--- a/bundled-libs/XML/RPC/Server.php
+++ b/bundled-libs/XML/RPC/Server.php
@@ -32,7 +32,7 @@
 * @author Martin Jansen
 * @author Daniel Convissor
 * @copyright 1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version CVS: $Id: Server.php,v 1.26 2005/05/09 21:39:47 danielc Exp $
+ * @version CVS: $Id: Server.php,v 1.28 2005/07/07 01:21:29 danielc Exp $
 * @link http://pear.php.net/package/XML_RPC
 */
@@ -40,7 +40,7 @@
 /**
 * Pull in the XML_RPC class
 */
-require_once dirname(__FILE__) . '/../RPC.php';
+require_once 'XML/RPC.php';
 /**
@@ -270,7 +270,7 @@ function XML_RPC_Server_debugmsg($m)
 * @author Martin Jansen
 * @author Daniel Convissor
 * @copyright 1999-2001 Edd Dumbill, 2001-2005 The PHP Group
- * @version Release: @package_version@
+ * @version Release: 1.3.2
 * @link http://pear.php.net/package/XML_RPC
 */
 class XML_RPC_Server
@@ -385,8 +385,12 @@ class XML_RPC_Server
 */
 function service()
 {
- $this->createServerPayload();
- $this->createServerHeaders();
+ if (!$this->server_payload) {
+ $this->createServerPayload();
+ }
+ if (!$this->server_headers) {
+ $this->createServerHeaders();
+ }
 header($this->server_headers);
 print $this->server_payload;
 }
@@ -529,7 +533,7 @@ class XML_RPC_Server
 for ($i = 0; $i < sizeof($XML_RPC_xh[$parser]['params']); $i++) {
 // print '\n";
 $plist .= "$i - " . $XML_RPC_xh[$parser]['params'][$i] . " \n";
- eval('$m->addParam(' . $XML_RPC_xh[$parser]['params'][$i] . ');');
+ @eval('$m->addParam(' . $XML_RPC_xh[$parser]['params'][$i] . ');');
 }
 XML_RPC_Server_debugmsg($plist);
diff --git a/docs/NEWS b/docs/NEWS
index 87df938..76b9704 100644
--- a/docs/NEWS
+++ b/docs/NEWS
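Review bot: The new `require_once 'XML/RPC.php';` in the hunk at line 40 of Server.php resolves through include_path rather than the bundled copy next to this file, whereas the removed `dirname(__FILE__) . '/../RPC.php'` pinned it to bundled-libs. If include_path lists a system-wide PEAR directory ahead of bundled-libs (not visible here), this Server.php will be paired with whatever RPC.php that install ships, so the two halves of the library can run at different versions and the fixes carried in the bundled RPC.php are not guaranteed to be the ones in effect. The line mirrors upstream PEAR, but in a bundled context I would keep the relative require, or at least document the include_path assumption with `// relies on include_path placing bundled-libs before any system PEAR copy`.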
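Review bot: `@eval('$m->addParam(' . $XML_RPC_xh[$parser]['params'][$i] . ');')` in the hunk at line 536 executes a string the parser assembled from the request body, and the `@` changes only what happens on a parse failure: the message is hidden, eval returns false, the parameter is silently dropped, and `$m` is dispatched with fewer arguments than the client sent. A request that cannot be decoded should be rejected rather than half-processed, so the result should be checked, e.g. `if (@eval('$m->addParam(' . $XML_RPC_xh[$parser]['params'][$i] . ');') === false) { /* build and return a fault response here */ }`; I could not see from this diff which server-side fault code is appropriate, so please pick the existing one for an invalid request. The callbacks that fill `['params']` are outside the diff, so whether untrusted text can reach this eval unquoted cannot be judged here; if it can, the suppression hides a code-execution path rather than a disclosure. The enclosing method starts and ends outside the hunk.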
@@ -139,9 +139,16 @@ Version 0.9 ()
 * "Comments" Sidebar plugin can now have a custom title (garvinhicking)
+
 Version 0.8.3 ()
 ------------------------------------------------------------------------
+ * XML_RPC: Eliminate path disclosure vulnerabilities by suppressing
+ error messages when eval()'ing. Eliminate path disclosure
+ vulnerability by catching bogus parameters submitted
+ to XML_RPC_Value::serializeval(). (nohn)
+
+
 Version 0.8.2 (June 29th, 2005)
 ------------------------------------------------------------------------
-- 
2.39.5