Conjunto de cambios 6627152 en sipes para cord/includes/xmlrpcs.inc

Fecha y hora:

26/05/2016 19:22:55 (hace 8 años)

Autor:

José Gregorio Puentes <jpuentes@…>

Branches:

stable, version-3.0

Children:

a149f73

Parents:

52861f4

Mensaje:

se actualizo el cord

Fichero:

• cord/includes/xmlrpcs.inc (modificado) (2 diferencias)

cord/includes/xmlrpcs.inc

@@ -214 +214 @@
 function xmlrpc_server_multicall($methodcalls) {
   // See http://www.xmlrpc.com/discuss/msgReader$1208
+  // To avoid multicall expansion attacks, limit the number of duplicate method
+  // calls allowed with a default of 1. Set to -1 for unlimited.
+  $duplicate_method_limit = variable_get('xmlrpc_multicall_duplicate_method_limit', 1);
+  $method_count = array();
   $return = array();
   $xmlrpc_server = xmlrpc_server_get();
@@ -223 +227 @@
     }
     $method = $call['methodName'];
+    $method_count[$method] = isset($method_count[$method]) ? $method_count[$method] + 1 : 1;
     $params = $call['params'];
     if ($method == 'system.multicall') {
       $result = xmlrpc_error(-32600, t('Recursive calls to system.multicall are forbidden.'));
+    }
+    elseif ($duplicate_method_limit > 0 && $method_count[$method] > $duplicate_method_limit) {
+      $result = xmlrpc_error(-156579, t('Too many duplicate method calls in system.multicall.'));
     }
     elseif ($ok) {