make getHttpVal() take the array to extract from

refactor so verify early finds out which of $_GET and $_POST to use and then stick to using only that for the entire flow. sync only works with GET anyways so use $_GET directly.
2025-02-26 21:54:16 +01:00 · 2016-04-29 15:42:37 +02:00 · 2016-04-29 15:42:37 +02:00 · aaef07083a
commit aaef07083a
parent b47206fff9
3 changed files with 20 additions and 51 deletions
--- a/ykval-common.php
+++ b/ykval-common.php
@ -53,15 +53,11 @@ function logdie ($logger, $str)
 	die($str . "\n");
 }
-function getHttpVal ($key, $default)
+function getHttpVal ($key, $default, $a)
 {
-	if (array_key_exists($key, $_GET))
+	if (array_key_exists($key, $a))
 	{
-		$val = $_GET[$key];
+		$val = $a[$key];
 	}
 	elseif (array_key_exists($key, $_POST))
 	{
 		$val = $_POST[$key];
 	}
 	else
 	{
--- a/ykval-sync.php
+++ b/ykval-sync.php
@ -54,7 +54,6 @@ if (in_array($ipaddr, $allowed, TRUE) === FALSE)
 	sendResp(S_OPERATION_NOT_ALLOWED, $myLog);
 }
 // define requirements on protocol
 $syncParams = array(
 	'modified' => NULL,
@ -71,7 +70,7 @@ $syncParams = array(
 $tmp_log = 'Received ';
 foreach ($syncParams as $param => $value)
 {
-	$value = getHttpVal($param, NULL);
+	$value = getHttpVal($param, NULL, $_GET);
 	if ($value == NULL)
 	{
--- a/ykval-verify.php
+++ b/ykval-verify.php
@ -41,17 +41,6 @@ $ipaddr = $_SERVER['REMOTE_ADDR'];
 $https = (array_key_exists('HTTPS', $_SERVER) === TRUE
 			&& strtolower($_SERVER['HTTPS']) !== 'off' ? TRUE : FALSE);
 /**
 * FIXME
 *
 * Refactor code which extracts the request arguments,
 *	pull it up here and avoid sprinlking the following in the "core":
 *
 * $_GET, $_POST, $_SERVER['QUERY_STRING'], getHttpVal()
 *
 * Avoid ambiguity with urldecode.
 */
 $myLog = new Log('ykval-verify');
 $myLog->addField('ip', $ipaddr);
@ -69,21 +58,21 @@ $myLog->request->set('time_start', $time_start);
 unset($time_start);
 // FIXME
 $message = '';
-if ($_POST)
+if ($_GET) {
 	$request = $_GET;
 	$message = 'Request: ' . $_SERVER['QUERY_STRING'];
 }
 else if ($_POST)
 {
 	$request = $_POST;
 	$kv = array();
-	foreach ($_POST as $key => $value)
+	foreach ($request as $key => $value)
 	{
 		$kv[] = "$key=$value";
 	}
 	$message = 'POST: ' . join('&', $kv);
 }
 else
 {
 	$message = 'Request: ' . $_SERVER['QUERY_STRING'];
 }
 $message .= ' (at ' . date('c') . ' ' . microtime() . ') HTTP' . ($https ? 'S' : '');
 $myLog->log(LOG_INFO, $message);
 unset($message);
@ -105,10 +94,10 @@ $myLog->log(LOG_DEBUG, "found protocol version $protocol_version");
 /**
 * Extract values from HTTP request
 */
-$h = getHttpVal('h', '');
+$h = getHttpVal('h', '', $request);
-$client = getHttpVal('id', '0');
+$client = getHttpVal('id', '0', $request);
-$timestamp = getHttpVal('timestamp', '0');
+$timestamp = getHttpVal('timestamp', '0', $request);
-$otp = getHttpVal('otp', '');
+$otp = getHttpVal('otp', '', $request);
 $otp = strtolower($otp);
 if (preg_match('/^[jxe.uidchtnbpygk]+$/', $otp))
@ -142,9 +131,9 @@ $myLog->addField('otp', $otp);
 if ($protocol_version >= 2.0)
 {
-	$sl = getHttpVal('sl', '');
+	$sl = getHttpVal('sl', '', $request);
-	$timeout = getHttpVal('timeout', '');
+	$timeout = getHttpVal('timeout', '', $request);
-	$nonce = getHttpVal('nonce', '');
+	$nonce = getHttpVal('nonce', '', $request);
 	$myLog->request->set('sl', $sl);
 	$myLog->request->set('timeout', $timeout);
@ -278,24 +267,9 @@ unset($cd);
 if ($h != '')
 {
 	// Create the signature using the API key
-	$a;
+	unset($request['h']);
 	if ($_GET)
 	{
 		$a = $_GET;
 	}
 	elseif ($_POST)
 	{
 		$a = $_POST;
 	}
 	else
 	{
 		// FIXME sendResp
 		sendRest(S_BACKEND_ERROR);
 		exit;
 	}
 	unset($a['h']);
-	$hmac = sign($a, $apiKey, $myLog);
+	$hmac = sign($request, $apiKey, $myLog);
 	if (hash_equals($hmac, $h) === FALSE)
 	{