fix stripping of escape-sequences in api-endpoint; fixes #746
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
8
api.php
8
api.php
@@ -23,7 +23,7 @@ if (empty($request)) {
|
||||
}
|
||||
|
||||
// decode json request
|
||||
$decoded_request = json_decode(stripslashes($request), true);
|
||||
$decoded_request = json_decode($request, true);
|
||||
|
||||
// is it valid?
|
||||
if (is_null($decoded_request)) {
|
||||
@@ -32,6 +32,7 @@ if (is_null($decoded_request)) {
|
||||
|
||||
// validate content
|
||||
try {
|
||||
$decoded_request = stripcslashes_deep($decoded_request);
|
||||
$request = \Froxlor\Api\FroxlorRPC::validateRequest($decoded_request);
|
||||
// now actually do it
|
||||
$cls = "\\Froxlor\\Api\\Commands\\" . $request['command']['class'];
|
||||
@@ -72,3 +73,8 @@ function json_response($status, $status_message = '', $data = null)
|
||||
echo $json_response;
|
||||
exit();
|
||||
}
|
||||
|
||||
function stripcslashes_deep($value)
|
||||
{
|
||||
return is_array($value) ? array_map('stripcslashes_deep', $value) : stripcslashes($value);
|
||||
}
|
||||
|
||||
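Review bot: `stripcslashes_deep()` passes every non-array value to `stripcslashes()`, so the integers, booleans and nulls produced by `json_decode()` are coerced to strings (a `null` params becomes `''`) before `validateRequest()` sees them. Limiting the call to strings keeps the decoded types intact: `return is_array($value) ? array_map('stripcslashes_deep', $value) : (is_string($value) ? stripcslashes($value) : $value);`. Because `json_decode()` has already resolved the JSON escapes, this is a second decoding pass: a value that legitimately contains a backslash sequence such as `\n`, `\0` or `\x41` is rewritten into the raw byte, which changes paths or passwords and can place control characters into fields that are validated or written out later. If the pass exists only for clients that double-escape, a comment such as `// clients may send double-escaped values (#746); unescape once after decoding` would record that, and the unescaping is better limited to the fields that need it. The +/- markers are lost on this page, so this assumes the `json_decode($request, true)` line and the `stripcslashes_deep()` call are the new side.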
@@ -189,7 +189,6 @@ class CertificatesTest extends TestCase
|
||||
));
|
||||
|
||||
// export
|
||||
openssl_csr_export($csr, $csrout);
|
||||
openssl_x509_export($sscert, $certout);
|
||||
openssl_pkey_export($privkey, $pkeyout, null);
|
||||
|
||||
|
||||
@@ -124,4 +124,63 @@ class FroxlorRpcTest extends TestCase
|
||||
$this->assertEquals('listFunctions', $result['command']['method']);
|
||||
$this->assertNull($result['params']);
|
||||
}
|
||||
|
||||
public function testApiPhpEscaping()
|
||||
{
|
||||
$key = $this->generateKey();
|
||||
$request = array(
|
||||
'body' => [
|
||||
'command' => 'Froxlor.listFunctions',
|
||||
'params' => $key
|
||||
]
|
||||
);
|
||||
$json_request = json_encode($request);
|
||||
$decoded_request = json_decode($json_request, true);
|
||||
$decoded_request = $this->stripcslashes_deep($decoded_request);
|
||||
$this->assertEquals($key['key'], $decoded_request['body']['params']['key']);
|
||||
$this->assertEquals($key['cert'], $decoded_request['body']['params']['cert']);
|
||||
}
|
||||
|
||||
private function stripcslashes_deep($value)
|
||||
{
|
||||
return is_array($value) ? array_map([$this, 'stripcslashes_deep'], $value) : stripcslashes($value);
|
||||
}
|
||||
|
||||
private function generateKey()
|
||||
{
|
||||
$dn = array(
|
||||
"countryName" => "DE",
|
||||
"stateOrProvinceName" => "Hessen",
|
||||
"localityName" => "Frankfurt",
|
||||
"organizationName" => "Froxlor",
|
||||
"organizationalUnitName" => "Testing",
|
||||
"commonName" => "test2.local",
|
||||
"emailAddress" => "team@froxlor.org"
|
||||
);
|
||||
|
||||
// generate key pair
|
||||
$privkey = openssl_pkey_new(array(
|
||||
"private_key_bits" => 2048,
|
||||
"private_key_type" => OPENSSL_KEYTYPE_RSA
|
||||
));
|
||||
|
||||
// generate csr
|
||||
$csr = openssl_csr_new($dn, $privkey, array(
|
||||
'digest_alg' => 'sha256'
|
||||
));
|
||||
|
||||
// generate self-signed certificate
|
||||
$sscert = openssl_csr_sign($csr, null, $privkey, 365, array(
|
||||
'digest_alg' => 'sha256'
|
||||
));
|
||||
|
||||
// export
|
||||
openssl_x509_export($sscert, $certout);
|
||||
openssl_pkey_export($privkey, $pkeyout, null);
|
||||
|
||||
return array(
|
||||
'cert' => $certout,
|
||||
'key' => $pkeyout
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
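Review bot: `testApiPhpEscaping()` exercises a private copy of `stripcslashes_deep()` instead of the function added to `api.php`, so a later change to the endpoint's version would not be caught by this test. The PEM key and certificate used as input should contain no backslashes once `json_decode()` has run, so both assertions would likely still pass with the `stripcslashes_deep()` call removed. A case with a literal backslash and non-string values would pin the intended behaviour, for instance the constructed input `'params' => ['path' => 'C:\\temp\\new', 'count' => 1, 'flag' => null]` with an assertion per field. `generateKey()` also ignores the return values of the `openssl_*` calls; `$this->assertNotFalse($privkey);` after `openssl_pkey_new()` would turn a failed key generation into a clear failure. The enclosing class starts outside the hunk.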