2012-06-14 Sergio Martin <sergio.martin@artica.es>

* include/api.php: Change the security checks adding
	a new parameter to API pass
	Merged from 4.0.2



git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@6549 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
zarzuelo 2012-06-14 11:59:10 +00:00
parent 4a44893f0b
commit 677f5c017b
2 changed files with 20 additions and 14 deletions


@ -1,3 +1,9 @@
2012-06-14 Sergio Martin <sergio.martin@artica.es>
* include/api.php: Change the security checks adding
a new parameter to API pass
Merged from 4.0.2
2012-06-14 Miguel de Dios <miguel.dedios@artica.es> 2012-06-14 Miguel de Dios <miguel.dedios@artica.es>
* include/functions_agents.php: deprecated the function with bad and * include/functions_agents.php: deprecated the function with bad and


@ -34,6 +34,7 @@ $id2 = get_parameter('id2');
$otherSerialize = get_parameter('other'); $otherSerialize = get_parameter('other');
$otherMode = get_parameter('other_mode', 'url_encode'); $otherMode = get_parameter('other_mode', 'url_encode');
$returnType = get_parameter('return_type', 'string'); $returnType = get_parameter('return_type', 'string');
$api_password = get_parameter('apipass', '');
$password = get_parameter('pass', ''); $password = get_parameter('pass', '');
$user = get_parameter('user', ''); $user = get_parameter('user', '');
@ -43,27 +44,25 @@ $apiPassword = db_get_value_filter('value', 'tconfig', array('token' => 'api_pas
$correctLogin = false; $correctLogin = false;
$user_in_db = null; $user_in_db = null;
if (!empty($apiPassword)) { $no_login_msg = "";
if (($password === $apiPassword) && (empty($user))) {
$correctLogin = true; if (isInACL($ipOrigin)) {
} if(empty($apiPassword) || (!empty($apiPassword) && $api_password === $apiPassword)) {
else {
$user_in_db = process_user_login($user, $password); $user_in_db = process_user_login($user, $password);
if ($user_in_db !== false) { if ($user_in_db !== false) {
$config['id_user'] = $user_in_db; $config['id_user'] = $user_in_db;
$correctLogin = true; $correctLogin = true;
} }
else {
$no_login_msg = "Incorrect user credentials";
}
}
else {
$no_login_msg = "Incorrect given API password";
} }
} }
else { else {
$user_in_db = process_user_login($user, $password); $no_login_msg = "IP $ipOrigin is not in ACL list";
if ($user_in_db !== false) {
$config['id_user'] = $user_in_db;
$correctLogin = true;
}
else if (isInACL($ipOrigin)) {
$correctLogin = true;
}
} }
if ($correctLogin) { if ($correctLogin) {
@ -86,6 +85,7 @@ if ($correctLogin) {
} }
} }
else { else {
echo 'ERROR: Your IP (' . $ipOrigin . ') is not in ACL IP list.'; db_pandora_audit("API access Failed", $no_login_msg, $user, $ipOrigin);
echo 'auth error';
} }
?> ?>
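Review bot: The new gate in the -43,27 +44,25 hunk, `if(empty($apiPassword) || (!empty($apiPassword) && $api_password === $apiPassword))`, makes an unset `api_password` config token switch the API-password check off entirely, and the redundant `!empty($apiPassword) &&` inside the second operand obscures that fallback. Simplify it to `if (empty($apiPassword) || $api_password === $apiPassword) {` and state the intent above it with `// No API password configured (empty token): rely on user credentials and the IP ACL only`, so a later reader does not mistake the empty-token case for a bug. In the same hunk, the `$no_login_msg` strings only reach the audit log via `db_pandora_audit` in the last hunk while the client gets the generic `'auth error'`, which is the right split; a short comment at `$no_login_msg = "";` such as `// Reason recorded in the audit log only; the HTTP response stays generic` would document that. The `else` in the last hunk belongs to `if ($correctLogin)`, whose body begins and runs outside the hunk.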