-
Notifications
You must be signed in to change notification settings - Fork 38
/
json.php
121 lines (110 loc) · 3.51 KB
/
json.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
<?php
/**
* json.php
* HTTP request handler for JSON-encoded AJAX calls
*
* Copyright Gottfried Haider, Danja Vasiliev 2010.
* This source code is licensed under the GNU General Public License.
* See the file COPYING for more details.
*/
@require_once('config.inc.php');
require_once('log.inc.php');
log_msg('info', '--- json request ---');
require_once('common.inc.php');
require_once('modules.inc.php');
require_once('util.inc.php');
// set mime type and encoding first
header('Content-Type: application/json; charset=UTF-8');
// get method and arguments
$args = array();
switch ($_SERVER['REQUEST_METHOD']) {
// we don't use $_REQUEST here because this includes cookies as well
// disable support for GET to make cross site request forgery (xsrf)
// at least harder to do
//case 'GET':
// foreach ($_GET as $key=>$val) {
// if (get_magic_quotes_gpc()) {
// $val = stripslashes($val);
// }
// $dec = @json_decode($val, true);
// if ($dec === NULL) {
// $err = response('Error decoding the argument '.quot($key).' => '.var_dump_inl($val), 400);
// echo json_encode($err);
// log_msg('warn', 'json: '.$err['#data']);
// die();
// } else {
// $args[$key] = $dec;
// }
// }
// break;
case 'POST':
foreach ($_POST as $key=>$val) {
$val = stripslashes($val);
$dec = @json_decode($val, true);
if ($dec === NULL) {
$err = response('Error decoding the argument '.quot($key).' => '.var_dump_inl($val), 400);
echo json_encode($err);
log_msg('warn', 'json: '.$err['#data']);
die();
} else {
$args[$key] = $dec;
}
}
break;
default:
//$err = response('Only HTTP GET and POST requests supported', 400);
$err = response('Only HTTP POST requests supported', 400);
echo json_encode($err);
log_msg('warn', 'json: '.$err['#data']);
die();
}
// check if we got a method argument
if (!empty($args['method'])) {
$method = $args['method'];
unset($args['method']);
log_msg('debug', 'json: method is '.quot($method));
log_msg('debug', 'json: arguments are '.var_dump_inl($args));
log_msg('debug', 'json: base url is '.quot(base_url()));
} else {
// this can also be caused by an upload exceeding the limits
// set in php.ini
$err = response('Required argument "method" missing', 400);
echo json_encode($err);
log_msg('warn', 'json: '.$err['#data']);
die();
}
load_modules($method);
if (!($m = get_service($method))) {
$err = response('Unknown method '.quot($method), 400);
echo json_encode($err);
log_msg('warn', 'json: '.$err['#data']);
die();
}
// check authentication
if (isset($m['auth']) && $m['auth']) {
if (!is_auth()) {
prompt_auth(true);
}
}
if (isset($m['cross-origin']) && $m['cross-origin']) {
// output cross-origin header if requested
header('Access-Controll-Allow-Origin: *');
} else {
// otherwise check the referer to make xsrf harder
if (!empty($_SERVER['HTTP_REFERER'])) {
$bu = base_url();
if (substr($_SERVER['HTTP_REFERER'], 0, strlen($bu)) != $bu) {
echo json_encode(response('Cross-origin requests not supported for this method', 400));
log_msg('warn', 'json: possible xsrf detected, referer is '.quot($_SERVER['HTTP_REFERER']).', arguments '.var_dump_inl($args));
die();
}
}
}
// run service and output result
$ret = run_service($method, $args);
if (is_array($ret) && isset($ret['#error']) && $ret['#error']) {
log_msg('warn', 'json: service '.$method.' returned error '.quot($ret['#data']));
} elseif (is_array($ret) && isset($ret['#data'])) {
log_msg('debug', 'json: service returned '.var_dump_inl($ret['#data']));
}
echo json_encode($ret);