diff --git a/dns_editor.php b/dns_editor.php index 6bac1ac0..4a466c90 100644 --- a/dns_editor.php +++ b/dns_editor.php @@ -19,13 +19,13 @@ if (! defined('AREA')) { * */ -use Froxlor\Api\Commands\DomainZones as DomainZones; +use Froxlor\Api\Commands\DomainZones; use Froxlor\UI\Request; // This file is being included in admin_domains and customer_domains // and therefore does not need to require lib/init.php -$domain_id = (int) Request::get(['domain_id']); +$domain_id = (int) Request::get('domain_id'); $record = isset($_POST['record']['record']) ? trim($_POST['record']['record']) : null; $type = isset($_POST['record']['type']) ? $_POST['record']['type'] : 'A'; diff --git a/lib/Froxlor/Api/FroxlorRPC.php b/lib/Froxlor/Api/FroxlorRPC.php index 56dfe43c..6bbdfdaf 100644 --- a/lib/Froxlor/Api/FroxlorRPC.php +++ b/lib/Froxlor/Api/FroxlorRPC.php @@ -3,7 +3,6 @@ namespace Froxlor\Api; use Exception; -use voku\helper\AntiXSS; /** * This file is part of the Froxlor project. 
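Review bot: Nothing in the dns_editor.php hunk rejects a domain_id of 0: the corrected `Request::get('domain_id')` call is cast with `(int)`, so a missing or non-numeric value silently becomes 0 and flows on. If the ownership check for the domain sits further down the file (outside this hunk), an explicit `if ($domain_id <= 0) { /* fail early */ }` here would make the intent visible; if instead the DomainZones command is expected to throw on an unknown id, that is worth confirming rather than assuming. The `$type` value on the context line is taken from POST verbatim; presumably DomainZones checks it against the allowed record types, since this file does not.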
@@ -23,110 +22,111 @@ use voku\helper\AntiXSS; */ class FroxlorRPC { - /** - * validate a given request - * - * @param $request - * @return array - * @throws Exception - */ - public static function validateRequest($request): array - { - // make basic authentication - if (!isset($_SERVER['PHP_AUTH_USER']) || !self::validateAuth($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) { - header('WWW-Authenticate: Basic realm="API"'); - throw new Exception('Unauthenticated. Please provide api user credentials.', 401); - } + /** + * validate a given request + * + * @param $request + * @return array + * @throws Exception + */ + public static function validateRequest($request): array + { + // make basic authentication + if (!isset($_SERVER['PHP_AUTH_USER']) || !self::validateAuth($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) { + if (@php_sapi_name() !== 'cli') { + header('WWW-Authenticate: Basic realm="API"'); + } + throw new Exception('Unauthenticated. Please provide api user credentials.', 401); + } - // check if present - if (empty($request)) { - throw new Exception('Empty request body.', 400); - } + // check if present + if (empty($request)) { + throw new Exception('Empty request body.', 400); + } - // decode json request - $decoded_request = json_decode($request, true); + // decode json request + $decoded_request = json_decode($request, true); - // is it valid? - if (is_null($decoded_request)) { - throw new Exception('Invalid JSON Format.', 400); - } + // is it valid? 
+ if (is_null($decoded_request)) { + throw new Exception('Invalid JSON Format.', 400); + } - return self::validateBody($decoded_request); - } + return self::validateBody($decoded_request); + } - /** - * validates the given api credentials - * - * @param string $key - * @param string $secret - * @return boolean - */ - private static function validateAuth(string $key, string $secret): bool - { - $sel_stmt = \Froxlor\Database\Database::prepare( - " + /** + * validates the given api credentials + * + * @param string $key + * @param string $secret + * @return boolean + */ + private static function validateAuth(string $key, string $secret): bool + { + $sel_stmt = \Froxlor\Database\Database::prepare( + " SELECT ak.*, a.api_allowed as admin_api_allowed, c.api_allowed as cust_api_allowed, c.deactivated FROM `api_keys` ak LEFT JOIN `panel_admins` a ON a.adminid = ak.adminid LEFT JOIN `panel_customers` c ON c.customerid = ak.customerid WHERE `apikey` = :ak AND `secret` = :as " - ); - $result = \Froxlor\Database\Database::pexecute_first($sel_stmt, array( - 'ak' => $key, - 'as' => $secret - ), true, true); - if ($result) { - if ($result['apikey'] == $key && $result['secret'] == $secret && ($result['valid_until'] == -1 || $result['valid_until'] >= time( - )) && (($result['customerid'] == 0 && $result['admin_api_allowed'] == 1) || ($result['customerid'] > 0 && $result['cust_api_allowed'] == 1 && $result['deactivated'] == 0))) { - // get user to check whether api call is allowed - if (!empty($result['allowed_from'])) { - // @todo allow specification and validating of whole subnets later - $ip_list = explode(",", $result['allowed_from']); - $access_ip = inet_ntop(inet_pton($_SERVER['REMOTE_ADDR'])); - if (in_array($access_ip, $ip_list)) { - return true; - } - } else { - return true; - } - } - } - return false; - } + ); + $result = \Froxlor\Database\Database::pexecute_first($sel_stmt, array( + 'ak' => $key, + 'as' => $secret + ), true, true); + if ($result) { + if ($result['apikey'] 
== $key && $result['secret'] == $secret && ($result['valid_until'] == -1 || $result['valid_until'] >= time()) && (($result['customerid'] == 0 && $result['admin_api_allowed'] == 1) || ($result['customerid'] > 0 && $result['cust_api_allowed'] == 1 && $result['deactivated'] == 0))) { + // get user to check whether api call is allowed + if (!empty($result['allowed_from'])) { + // @todo allow specification and validating of whole subnets later + $ip_list = explode(",", $result['allowed_from']); + $access_ip = inet_ntop(inet_pton($_SERVER['REMOTE_ADDR'])); + if (in_array($access_ip, $ip_list)) { + return true; + } + } else { + return true; + } + } + } + return false; + } - /** - * validates the given command - * - * @param array $request - * - * @return array - * @throws Exception - */ - private static function validateBody($request) - { - // check command exists - if (empty($request['command'])) { - throw new Exception("Please provide a command.", 400); - } + /** + * validates the given command + * + * @param array $request + * + * @return array + * @throws Exception + */ + private static function validateBody($request) + { + // check command exists + if (empty($request['command'])) { + throw new Exception("Please provide a command.", 400); + } - $command = explode(".", $request['command']); + $command = explode(".", $request['command']); - if (count($command) != 2) { - throw new Exception("The given command is invalid.", 400); - } - // simply check for file-existance, as we do not want to use our autoloader because this way - // it will recognize non-api classes+methods as valid commands - $apiclass = '\\Froxlor\\Api\\Commands\\' . $command[0]; - if (!class_exists($apiclass) || !@method_exists($apiclass, $command[1])) { - throw new Exception("Unknown command", 400); - } - return array( - 'command' => array( - 'class' => $command[0], - 'method' => $command[1] - ), - 'params' => $request['params'] ?? 
null - ); - } + if (count($command) != 2) { + throw new Exception("The given command is invalid.", 400); + } + // simply check for file-existance, as we do not want to use our autoloader because this way + // it will recognize non-api classes+methods as valid commands + $apiclass = '\\Froxlor\\Api\\Commands\\' . $command[0]; + if (!class_exists($apiclass) || !@method_exists($apiclass, $command[1])) { + throw new Exception("Unknown command", 400); + } + return array( + 'command' => array( + 'class' => $command[0], + 'method' => $command[1] + ), + 'params' => $request['params'] ?? null + ); + } } diff --git a/logfiles_viewer.php b/logfiles_viewer.php index f943b9e1..63207132 100644 --- a/logfiles_viewer.php +++ b/logfiles_viewer.php @@ -19,15 +19,13 @@ if (! defined('AREA')) { * */ -use Froxlor\Api\Commands\SubDomains as SubDomains; +use Froxlor\Api\Commands\SubDomains; use Froxlor\Settings; use Froxlor\UI\Request; // This file is being included in admin_domains and customer_domains // and therefore does not need to require lib/init.php -// TODO get domain related settings for logfile (speciallogfile) - $domain_id = (int) Request::get('domain_id'); $last_n = (int) Request::get('number_of_lines', 100);
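Review bot: In validateBody the comment above the class_exists() call says the autoloader is deliberately not used, but `class_exists($apiclass)` autoloads by default, and `$command[0]` and `$command[1]` come straight from the request body with no character check, so whatever the autoloader does with backslashes or other unexpected characters in the name is reachable by any authenticated API user. Restrict both parts to identifier characters before building the class name, e.g. `if (!preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $command[0]) || !preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $command[1])) { throw new Exception("The given command is invalid.", 400); }`, and reword the comment, since the code does rely on autoloading. In validateAuth the `==` comparisons of apikey and secret against the fetched row compare numerically when both sides are numeric strings and are not constant-time; `$result['apikey'] === $key && hash_equals((string) $result['secret'], $secret)` is the usual form. The `@` on php_sapi_name() and method_exists() suppresses nothing useful and hides real errors, so drop it. The `explode(",", $result['allowed_from'])` list is checked with a non-strict in_array and without trimming, so an allowed_from value stored with spaces after the commas never matches; pass `true` as the third argument and `trim()` each entry.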