Commit b0c58c90 authored by Sebastian Kummer's avatar Sebastian Kummer

Merge pull request #577 in ZP/z-push from...

Merge pull request #577 in ZP/z-push from bugfix/ZP-1273-missing-warnings-for-autodiscover to develop

* commit 'b52c9d9c':
  ZP-1273 Fixed review comment. Released under the Affero GNU General Public License (AGPL) version 3.
  ZP-1273 Limit amount read from input stream and move check on response schema. Released under the Affero GNU General Public License (AGPL) version 3.
  ZP-1273 Bugfix missing warnings for autodiscover. Released under the Affero GNU General Public License (AGPL) version 3.
parents ce95e834 b52c9d9c
...@@ -28,7 +28,6 @@ require_once 'config.php'; ...@@ -28,7 +28,6 @@ require_once 'config.php';
class ZPushAutodiscover { class ZPushAutodiscover {
const ACCEPTABLERESPONSESCHEMAMOBILESYNC = 'http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006'; const ACCEPTABLERESPONSESCHEMAMOBILESYNC = 'http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006';
const ACCEPTABLERESPONSESCHEMAOUTLOOK = 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a';
const MAXINPUTSIZE = 8192; // Bytes, the autodiscover request shouldn't exceed that value const MAXINPUTSIZE = 8192; // Bytes, the autodiscover request shouldn't exceed that value
private static $instance; private static $instance;
...@@ -79,11 +78,8 @@ class ZPushAutodiscover { ...@@ -79,11 +78,8 @@ class ZPushAutodiscover {
$email = ($this->getAttribFromUserDetails($userDetails, 'emailaddress')) ? $this->getAttribFromUserDetails($userDetails, 'emailaddress') : $incomingXml->Request->EMailAddress; $email = ($this->getAttribFromUserDetails($userDetails, 'emailaddress')) ? $this->getAttribFromUserDetails($userDetails, 'emailaddress') : $incomingXml->Request->EMailAddress;
$userFullname = ($this->getAttribFromUserDetails($userDetails, 'fullname')) ? $this->getAttribFromUserDetails($userDetails, 'fullname') : $email; $userFullname = ($this->getAttribFromUserDetails($userDetails, 'fullname')) ? $this->getAttribFromUserDetails($userDetails, 'fullname') : $email;
ZLog::Write(LOGLEVEL_WBXML, sprintf("Resolved user's '%s' fullname to '%s'", $username, $userFullname)); ZLog::Write(LOGLEVEL_WBXML, sprintf("Resolved user's '%s' fullname to '%s'", $username, $userFullname));
// At the moment Z-Push only supports mobile response schema for autodiscover. Send empty response if the client request outlook response schema. $response = $this->createResponse($email, $userFullname);
if ($incomingXml->Request->AcceptableResponseSchema == ZPushAutodiscover::ACCEPTABLERESPONSESCHEMAMOBILESYNC) { setcookie("membername", $username);
$response = $this->createResponse($email, $userFullname);
setcookie("membername", $username);
}
} }
catch (Exception $ex) { catch (Exception $ex) {
...@@ -135,15 +131,19 @@ class ZPushAutodiscover { ...@@ -135,15 +131,19 @@ class ZPushAutodiscover {
* @return SimpleXMLElement * @return SimpleXMLElement
*/ */
private function getIncomingXml() { private function getIncomingXml() {
if ($_SERVER['CONTENT_LENGTH'] > ZPushAutodiscover::MAXINPUTSIZE) { if (isset($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > ZPushAutodiscover::MAXINPUTSIZE) {
throw new ZPushException('The request input size exceeds 8kb.'); throw new ZPushException('The request will not be processed as the input exceeds our maximum expected input size.');
} }
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) { if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
throw new AuthenticationRequiredException(); throw new AuthenticationRequiredException();
} }
$input = @file_get_contents('php://input'); $input = @file_get_contents('php://input', NULL, NULL, 0, ZPushAutodiscover::MAXINPUTSIZE);
if (strlen($input) == ZPushAutodiscover::MAXINPUTSIZE) {
throw new ZPushException('The request will not be processed as the input exceeds our maximum expected input size.');
}
$xml = simplexml_load_string($input); $xml = simplexml_load_string($input);
if (LOGLEVEL >= LOGLEVEL_WBXML) { if (LOGLEVEL >= LOGLEVEL_WBXML) {
...@@ -163,8 +163,8 @@ class ZPushAutodiscover { ...@@ -163,8 +163,8 @@ class ZPushAutodiscover {
throw new FatalException('Invalid input XML: no AcceptableResponseSchema.'); throw new FatalException('Invalid input XML: no AcceptableResponseSchema.');
} }
if ($xml->Request->AcceptableResponseSchema != ZPushAutodiscover::ACCEPTABLERESPONSESCHEMAMOBILESYNC && $xml->Request->AcceptableResponseSchema != ZPushAutodiscover::ACCEPTABLERESPONSESCHEMAOUTLOOK) { if (strcasecmp($xml->Request->AcceptableResponseSchema, ZPushAutodiscover::ACCEPTABLERESPONSESCHEMAMOBILESYNC) != 0) {
throw new FatalException('Invalid input XML: not a mobilesync responseschema.'); throw new FatalException(sprintf('Request for a responseschema that is not supported (only mobilesync is supported): %s', $xml->Request->AcceptableResponseSchema));
} }
return $xml; return $xml;
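Review bot: The size guard added after the capped read in getIncomingXml rejects a request whose body is exactly MAXINPUTSIZE bytes, because `strlen($input) == ZPushAutodiscover::MAXINPUTSIZE` is true both for a legitimate body that fills the cap exactly and for a larger body that was truncated by the read. Reading one byte past the limit and rejecting on a strict overflow distinguishes the two: `$input = @file_get_contents('php://input', NULL, NULL, 0, ZPushAutodiscover::MAXINPUTSIZE + 1);` followed by `if ($input === false || strlen($input) > ZPushAutodiscover::MAXINPUTSIZE) {`. The `@` also hides a failed read, which then reaches simplexml_load_string() as `false`, so checking for `false` explicitly keeps that failure visible instead of surfacing as an XML error. Since `$input` is client-controlled and is handed straight to simplexml_load_string() on the context line of this hunk, it is worth confirming for the supported PHP versions that external entity loading is disabled before parsing. getIncomingXml's body continues below the hunk.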
......