web: add security check on old XMLRPC API

This commit is contained in:
Bart Van Der Meerssche 2009-08-25 11:48:56 +00:00
parent 0a3887c2bd
commit 6f160e7176
2 changed files with 35 additions and 33 deletions


@ -156,7 +156,7 @@ function logger_menu() {
* Callback functions registered in the logger_menu section * Callback functions registered in the logger_menu section
*/ */
function _logger_dashboard($type, $function, $interval) { function _logger_dashboard($type, $function, $interval) {
watchdog('dashboard', 'arguments: %type, %function, %interval', array('%type' => $type, '%function' => $function, '%interval' => $interval), WATCHDOG_DEBUG); // watchdog('dashboard', 'arguments: %type, %function, %interval', array('%type' => $type, '%function' => $function, '%interval' => $interval), WATCHDOG_DEBUG);
if (user_access('logger')) { if (user_access('logger')) {
drupal_set_title(t('your dashboard')); drupal_set_title(t('your dashboard'));
@ -240,7 +240,7 @@ function _logger_dashboard($type, $function, $interval) {
$command .= $string->def; $command .= $string->def;
$command .= $string->line; $command .= $string->line;
exec($command, $output, $return_var); exec($command, $output, $return_var);
watchdog('dashboard', 'arguments: %command ++ %output ++ %return_var', array('%command' => $command, '%output' => serialize($output), '%return_var' => $return_var), WATCHDOG_DEBUG); // watchdog('dashboard', 'arguments: %command ++ %output ++ %return_var', array('%command' => $command, '%output' => serialize($output), '%return_var' => $return_var), WATCHDOG_DEBUG);
return theme('chart', $graph_path . $pngid .'.png'); return theme('chart', $graph_path . $pngid .'.png');
} }
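Review bot: Commenting out the debug `watchdog` call after `exec($command, $output, $return_var)` removes the only place `$return_var` was observed, so a non-zero rrdtool exit now goes unnoticed and `theme('chart', ...)` is returned for a PNG that may not have been written. Replace the commented call with an explicit check, `if ($return_var !== 0) { watchdog('dashboard', 'rrdtool failed: %return', array('%return' => $return_var), WATCHDOG_ERROR); }`, and delete the commented-out lines rather than leaving them in place (the same applies to the commented `watchdog` in the first hunk). `_logger_dashboard` continues between and after the hunks shown here.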


@ -63,7 +63,8 @@ function _logger_measurement_add($logs) {
$path->night = $path->root .'/data/night/'; $path->night = $path->root .'/data/night/';
foreach ($logs as $meter => $measurements) { foreach ($logs as $meter => $measurements) {
//load the normalisation factor, relative to 1pulse = 1Wh //load the normalisation factor, relative to 1pulse = 1Wh
$meterdata = db_fetch_object(db_query("SELECT night, factor FROM {logger_meters} WHERE meter = '%s'", $meter)); $meterdata = db_fetch_object(db_query("SELECT uid, night, factor FROM {logger_meters} WHERE meter = '%s'", $meter));
if ($meterdata->uid < 5) { // only alpha users are allowed to call this API
$command = $path->root .'/rrdtool update '. $path->base . $meter .'.rrd '; $command = $path->root .'/rrdtool update '. $path->base . $meter .'.rrd ';
ksort($measurements); // sort the key-value pairs in the associative array by key, i.e. the timestamp ksort($measurements); // sort the key-value pairs in the associative array by key, i.e. the timestamp
foreach ($measurements as $timestamp => $value) { foreach ($measurements as $timestamp => $value) {
@ -100,5 +101,6 @@ function _logger_measurement_add($logs) {
watchdog_xmlrpc('logger.measurementAdd', 'shell command execution failed: %return %command', array('%command' => $command, '%return' => $return), WATCHDOG_ERROR); watchdog_xmlrpc('logger.measurementAdd', 'shell command execution failed: %return %command', array('%command' => $command, '%return' => $return), WATCHDOG_ERROR);
} }
} }
}
return $command; //using $command for testing purposes, replace by $info afterwards return $command; //using $command for testing purposes, replace by $info afterwards
} }
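Review bot: The new check `if ($meterdata->uid < 5)` in the first hunk fails open for an unknown meter: `db_fetch_object` returns FALSE on an empty result, `$meterdata->uid` then evaluates to null (with a notice), and `null < 5` is true, so an unregistered meter name from the XML-RPC payload still reaches the `rrdtool update` command assembled on the following line. Test the row first, `if ($meterdata !== FALSE && $meterdata->uid < 5) {`, and since `$meter` is concatenated into that shell command unescaped, validating it against the expected meter-id format before use would close the same path. The rejection branch is silent; an `else` with `watchdog_xmlrpc('logger.measurementAdd', 'measurement rejected for meter %meter', array('%meter' => $meter), WATCHDOG_WARNING);` would make denials visible in the log. The `5` threshold is a magic number that the inline comment does not justify; a named constant (suggested name: `LOGGER_ALPHA_UID_MAX`) would document the intent. `_logger_measurement_add` starts before the first hunk, and the closing brace added in the second hunk belongs to this same gate.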