3 * @author Gaetano Giunta
4 * @copyright (C) 2005-2020 G. Giunta
5 * @license code licensed under the BSD License: see file license.txt
7 * Parses GET/POST variables
9 * @todo switch params for http compression from 0,1,2 to values to be used directly
10 * @todo do some more sanitization of received parameters
11 * @todo move parameters away from global namespace
14 // handle class autoloading:
15 if (file_exists(__DIR__.'/../vendor/autoload.php')) {
16 // if the debugger is installed as top-level project with Composer, allow finding classes from dependencies
17 include_once(__DIR__.'/../vendor/autoload.php');
19 // assume this is either a standalone install, or installed as Composer dependency
20 /// @todo if the latter is true, should we just not skip using the custom Autoloader, and let a top-level
21 /// debugger include this one and take care of autoloading?
22 include_once __DIR__ . "/../src/Autoloader.php";
23 PhpXmlRpc\Autoloader::register();
26 // work around register globals - @see https://www.php.net/manual/en/faq.misc.php#faq.misc.registerglobals
27 if (ini_get('register_globals')) {
28 function unregister_globals()
30 // Might want to change this to a nicer error
31 if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
32 die('GLOBALS overwrite attempt detected');
35 // Variables that shouldn't be unset
36 $noUnset = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES');
38 $input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES,
39 isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array()
42 foreach ($input as $k => $v) {
43 if (!in_array($k, $noUnset) && isset($GLOBALS[$k])) {
51 // work around magic quotes
52 if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
53 function stripslashes_deep($value)
55 $value = is_array($value) ?
56 array_map('stripslashes_deep', $value) :
62 $_GET = array_map('stripslashes_deep', $_GET);
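// Candidate charsets, tried in this order, when guessing the encoding of the incoming request
$preferredEncodings = 'UTF-8, ASCII, ISO-8859-1, UTF-7, EUC-JP, SJIS, eucJP-win, SJIS-win, JIS, ISO-2022-JP';
// REQUEST_URI is not populated under every SAPI (e.g. the CLI): fall back to '' rather than reading
// an undefined key and passing null to urldecode(). The detected value is the same either way.
// NOTE: mb_detect_encoding() returns false when none of the candidates matches; downstream code
// that consumes $inputcharset should be prepared for that value.
$inputcharset = mb_detect_encoding(urldecode($_SERVER['REQUEST_URI'] ?? ''), $preferredEncodings);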
67 if (isset($_GET['usepost']) && $_GET['usepost'] === 'true') {
69 $inputcharset = mb_detect_encoding(implode('', $_GET), $preferredEncodings);
72 /// @todo if $inputcharset is not UTF8, we should probably re-encode $_GET to make it UTF-8
74 // recover input parameters
75 /// @todo instead of using globals, move them to an array. Also: use a class for this parsing...
79 $wstype = defined('DEFAULT_WSTYPE') ? DEFAULT_WSTYPE : 0;
81 if (isset($_GET['action'])) {
82 if (isset($_GET['wstype']) && $_GET['wstype'] == '1') {
84 if (isset($_GET['id'])) {
88 $host = isset($_GET['host']) ? $_GET['host'] : 'localhost'; // using '' will trigger an xmlrpc error...
89 if (isset($_GET['protocol']) && ($_GET['protocol'] == '1' || $_GET['protocol'] == '2')) {
90 $protocol = $_GET['protocol'];
92 if (strpos($host, 'http://') === 0) {
93 $host = substr($host, 7);
94 } elseif (strpos($host, 'https://') === 0) {
95 $host = substr($host, 8);
// Port and URL path of the target xml-rpc server; both are optional and default to an empty string
$port = $_GET['port'] ?? '';
$path = $_GET['path'] ?? '';
100 // in case the user forgot the initial '/' in the xmlrpc server path, add it back
101 if ($path && ($path[0]) != '/') {
105 if (isset($_GET['debug']) && ($_GET['debug'] == '1' || $_GET['debug'] == '2')) {
106 $debug = $_GET['debug'];
109 $verifyhost = (isset($_GET['verifyhost']) && ($_GET['verifyhost'] == '1' || $_GET['verifyhost'] == '2')) ? $_GET['verifyhost'] : 0;
110 if (isset($_GET['verifypeer']) && $_GET['verifypeer'] == '1') {
// CA bundle used for TLS verification, and proxy host. Note the proxy default is the int 0, not '',
// which is what the code below relies on.
$cainfo = $_GET['cainfo'] ?? '';
$proxy = $_GET['proxy'] ?? 0;
117 if (strpos($proxy, 'http://') === 0) {
118 $proxy = substr($proxy, 7);
// Proxy credentials and request timeout. $timeout is taken verbatim here; the numeric check follows.
$proxyuser = $_GET['proxyuser'] ?? '';
$proxypwd = $_GET['proxypwd'] ?? '';
$timeout = $_GET['timeout'] ?? 0;
123 if (!is_numeric($timeout)) {
// Which debugger action to run, plus the method name, signature index and (alternative) payload.
// 'action' is required (this block runs only when it is set); everything else is optional.
$action = $_GET['action'];
$method = $_GET['method'] ?? '';
$methodsig = $_GET['methodsig'] ?? 0;
$payload = $_GET['methodpayload'] ?? '';
$alt_payload = $_GET['altmethodpayload'] ?? '';
133 if (isset($_GET['run']) && $_GET['run'] == 'now') {
// HTTP auth credentials and auth type. Only '2' and '8' are accepted for authtype; anything else
// falls back to 1. The loose comparison is kept on purpose so that the accepted values match as before.
$username = $_GET['username'] ?? '';
$password = $_GET['password'] ?? '';
$authtype = 1;
if (isset($_GET['authtype']) && ($_GET['authtype'] == '2' || $_GET['authtype'] == '8')) {
    $authtype = $_GET['authtype'];
}
142 if (isset($_GET['requestcompression']) && ($_GET['requestcompression'] == '1' || $_GET['requestcompression'] == '2')) {
143 $requestcompression = $_GET['requestcompression'];
145 $requestcompression = 0;
147 if (isset($_GET['responsecompression']) && ($_GET['responsecompression'] == '1' || $_GET['responsecompression'] == '2' || $_GET['responsecompression'] == '3')) {
148 $responsecompression = $_GET['responsecompression'];
150 $responsecompression = 0;
153 $clientcookies = isset($_GET['clientcookies']) ? $_GET['clientcookies'] : '';
173 $requestcompression = 0;
174 $responsecompression = 0;
178 // check input for known XMLRPC attacks against this or other libs
179 function payload_is_safe($input)