path: root/usr/local/www/xmlrpc.php
authorErmal <eri@pfsense.org>2013-01-30 10:57:00 +0000
committerErmal <eri@pfsense.org>2013-01-30 10:57:00 +0000
commitc87f4b709261187cb5e76accde933404d81868f2 (patch)
treef697abc71904abfb42dbc1fa5771d1b93fea5e30 /usr/local/www/xmlrpc.php
parent311959fe8b65db2bbb39e06f27e91f242bf101fe (diff)
Fixes #1928. Disallow the sync loop only for certain types of calls, but not for exec_[php|shell]. Also fix the CARP loop detection to use the correct variable.
Diffstat (limited to 'usr/local/www/xmlrpc.php')
-rwxr-xr-xusr/local/www/xmlrpc.php36
1 files changed, 27 insertions, 9 deletions
diff --git a/usr/local/www/xmlrpc.php b/usr/local/www/xmlrpc.php
index 1dda1ad..af58f67 100755
--- a/usr/local/www/xmlrpc.php
+++ b/usr/local/www/xmlrpc.php
@@ -44,16 +44,18 @@ require("xmlrpc_server.inc");
require("xmlrpc.inc");
require("array_intersect_key.inc");
-/* grab sync to ip if enabled */
-if ($config['hasync']) {
- $synchronizetoip = $hasync['synchronizetoip'];
-}
-
-if($synchronizetoip) {
- if($synchronizetoip == $_SERVER['REMOTE_ADDR']) {
- log_error(gettext("Disallowing CARP sync loop."));
- die;
+function xmlrpc_loop_detect() {
+ global $config;
+
+ /* grab sync to ip if enabled */
+ if ($config['hasync'])
+ $synchronizetoip = $config['hasync']['synchronizetoip'];
+ if($synchronizetoip) {
+ if($synchronizetoip == $_SERVER['REMOTE_ADDR'])
+ return true;
}
+
+ return false;
}
$xmlrpc_g = array(
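Review bot: `xmlrpc_loop_detect()` reads `$synchronizetoip` uninitialised when `$config['hasync']` is not set (the assignment on the `if` line is skipped, then `if($synchronizetoip)` runs), which emits a notice under error reporting and only works because an undefined variable happens to be falsy; initialise it explicitly, `$synchronizetoip = isset($config['hasync']['synchronizetoip']) ? $config['hasync']['synchronizetoip'] : "";`. The comparison with `$_SERVER['REMOTE_ADDR']` is plain string equality, so if the sync target can be configured as a hostname rather than an address (not visible here), the loop would never be detected — worth a comment or a resolution step. A short header comment would also help the callers below, e.g. `/* True when the caller is our own configured sync peer, i.e. a change we pushed is being pushed back to us. */`.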
@@ -138,6 +140,9 @@ $backup_config_section_sig = array(
function backup_config_section_xmlrpc($raw_params) {
global $config, $xmlrpc_g;
+ if (xmlrpc_loop_detect())
+ log_error("Disallowing CARP sync loop");
+
$params = xmlrpc_params_to_php($raw_params);
if(!xmlrpc_auth($params)) {
xmlrpc_authfail();
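Review bot: The added loop check only logs and then falls through, so `backup_config_section_xmlrpc` still serves the request from the peer it says it is disallowing; the code this commit removed stopped with `die`. Refuse the call after logging — either return the same fault response the auth-failure path below produces via `xmlrpc_authfail()`, or at minimum `die;` as before; which is appropriate depends on `$xmlrpc_g`, which is defined outside this hunk. The new message also dropped the `gettext()` wrapper the old line had. The function body continues past the hunk.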
@@ -161,6 +166,9 @@ $restore_config_section_sig = array(
function restore_config_section_xmlrpc($raw_params) {
global $config, $xmlrpc_g;
+ if (xmlrpc_loop_detect())
+ log_error("Disallowing CARP sync loop");
+
$params = xmlrpc_params_to_php($raw_params);
if(!xmlrpc_auth($params)) {
xmlrpc_authfail();
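Review bot: Same defect as in the other handlers, and it matters most here: `restore_config_section_xmlrpc` is the call that overwrites local configuration, yet after `log_error("Disallowing CARP sync loop")` execution continues into parameter parsing and the restore itself. The check needs a terminating statement, e.g. `if (xmlrpc_loop_detect()) { log_error("Disallowing CARP sync loop"); die; }` (or the fault return the auth path uses, if `$xmlrpc_g` provides one). The function body continues past the hunk.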
@@ -278,6 +286,9 @@ $merge_config_section_sig = array(
function merge_installedpackages_section_xmlrpc($raw_params) {
global $config, $xmlrpc_g;
+ if (xmlrpc_loop_detect())
+ log_error("Disallowing CARP sync loop");
+
$params = xmlrpc_params_to_php($raw_params);
if(!xmlrpc_auth($params)) {
xmlrpc_authfail();
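Review bot: `merge_installedpackages_section_xmlrpc` logs the detected loop but does not stop, so the merge still proceeds for the looping peer; the removed top-level code both logged and `die`d. Add a terminating statement after the `log_error` call, consistent with whatever the other handlers settle on. Consider also keeping the message `gettext()`-wrapped as the removed line was, so it stays translatable. The function body continues past the hunk.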
@@ -302,6 +313,10 @@ $merge_config_section_sig = array(
function merge_config_section_xmlrpc($raw_params) {
global $config, $xmlrpc_g;
+
+ if (xmlrpc_loop_detect())
+ log_error("Disallowing CARP sync loop");
+
$params = xmlrpc_params_to_php($raw_params);
if(!xmlrpc_auth($params)) {
xmlrpc_authfail();
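Review bot: `merge_config_section_xmlrpc` has the same log-and-continue check as the other handlers — the loop is reported but not disallowed — and needs a `die;` or fault return after the `log_error` call. Minor style point: this hunk inserts an extra blank line before the check (the line right after `global`) that the sibling handlers do not have; drop it so the five handlers read the same. The function body continues past the hunk.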
@@ -356,6 +371,9 @@ $carp_configure_sig = array(
function interfaces_carp_configure_xmlrpc($raw_params) {
global $xmlrpc_g;
+ if (xmlrpc_loop_detect())
+ log_error("Disallowing CARP sync loop");
+
$params = xmlrpc_params_to_php($raw_params);
if(!xmlrpc_auth($params)) {
xmlrpc_authfail();
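Review bot: `interfaces_carp_configure_xmlrpc` likewise only logs when `xmlrpc_loop_detect()` is true and then goes on to parse parameters and reconfigure CARP, so the loop this check is meant to break is not actually broken. Terminate the call after logging, e.g. `if (xmlrpc_loop_detect()) { log_error("Disallowing CARP sync loop"); die; }`, or return the fault the auth-failure path produces. The function body continues past the hunk.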