Secure xml cdr with http_enabled set to false if the url param is not found in the xml_cdr.conf.xml

Mark Crane
2013-04-30 09:30:44 +00:00
parent 7e94c3e294
commit 0e262b1279


@@ -279,7 +279,7 @@ function process_xml_cdr($db, $leg, $xml_string) {
if (strlen($_POST["cdr"]) > 0) {
//authentication for xml cdr http post
if (strlen($_SESSION["xml_cdr_username"]) == 0) {
if (strlen($_SESSION["xml_cdr"]["http_enabled"]) == 0) {
//get the contents of xml_cdr.conf.xml
$conf_xml_string = file_get_contents($_SESSION['switch']['conf']['dir'].'/autoload_configs/xml_cdr.conf.xml');
@@ -290,19 +290,29 @@ function process_xml_cdr($db, $leg, $xml_string) {
catch(Exception $e) {
echo $e->getMessage();
}
$_SESSION["xml_cdr"]["http_enabled"] = false;
foreach ($conf_xml->settings->param as $row) {
if ($row->attributes()->name == "cred") {
$auth_array = explode(":", $row->attributes()->value);
$_SESSION["xml_cdr_username"] = $auth_array[0];
$_SESSION["xml_cdr_password"] = $auth_array[1];
//echo "username: ".$_SESSION["xml_cdr_username"]."<br />\n";
//echo "password: ".$_SESSION["xml_cdr_password"]."<br />\n";
$_SESSION["xml_cdr"]["username"] = $auth_array[0];
$_SESSION["xml_cdr"]["password"] = $auth_array[1];
//echo "username: ".$_SESSION["xml_cdr"]["username"]."<br />\n";
//echo "password: ".$_SESSION["xml_cdr"]["password"]."<br />\n";
}
if ($row->attributes()->name == "url") {
$_SESSION["xml_cdr"]["http_enabled"] = true;
}
}
}
//if http enabled is set to false then deny access
if (!$_SESSION["xml_cdr"]["http_enabled"]) {
echo "access denied<br />\n";
return;
}
//check for the correct username and password
if ($_SESSION["xml_cdr_username"] == $_SERVER["PHP_AUTH_USER"] && $_SESSION["xml_cdr_password"] == $_SERVER["PHP_AUTH_PW"]) {
if ($_SESSION["xml_cdr"]["username"] == $_SERVER["PHP_AUTH_USER"] && $_SESSION["xml_cdr"]["password"] == $_SERVER["PHP_AUTH_PW"]) {
//echo "access granted<br />\n";
}
else {
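Review bot: The credential check on the new line `if ($_SESSION["xml_cdr"]["username"] == $_SERVER["PHP_AUTH_USER"] && ...)` still uses loose `==` on values that can both be unset. The session username and password are assigned only inside the `cred` branch, while `http_enabled` becomes true from the `url` param alone, so a config that has `url` but no `cred` appears to let a request with no Authorization header pass, since `null == null` is true. I would require non-empty configured credentials and compare as strings in constant time, e.g. `if ($_SESSION["xml_cdr"]["username"] != "" && isset($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"]) && hash_equals((string) $_SESSION["xml_cdr"]["username"], $_SERVER["PHP_AUTH_USER"]) && hash_equals((string) $_SESSION["xml_cdr"]["password"], $_SERVER["PHP_AUTH_PW"])) {` (hash_equals needs PHP 5.6 or later). Separately, `explode(":", $row->attributes()->value)` cuts off a password that contains a colon; passing a limit of 2 keeps it whole. process_xml_cdr begins before the hunk and the `else` branch continues past it.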