X-Git-Url: https://git.defcon.no/?a=blobdiff_plain;f=api%2Fauth.php;h=451581321a03b1f6e233d73713f73ad8a34388b5;hb=1fded126d8c419e3c1d07889c2d3d7808c747edc;hp=50050e515dc695c55edf9a300a5ae5b2f8f21e45;hpb=3d7c00b0b44ff6c0b763ffe7343cf5c8d76909e5;p=hermes

diff --git a/api/auth.php b/api/auth.php
index 50050e5..4515813 100644
--- a/api/auth.php
+++ b/api/auth.php
@@ -1,4 +1,30 @@
 <?php
+/*
+#  Copyright (c) 2012, GjÃ¸vik University College
+#  All rights reserved.
+
+#  Redistribution and use in source and binary forms, with or without
+#  modification, are permitted provided that the following conditions are met:
+#      * Redistributions of source code must retain the above copyright
+#        notice, this list of conditions and the following disclaimer.
+#      * Redistributions in binary form must reproduce the above copyright
+#        notice, this list of conditions and the following disclaimer in the
+#        documentation and/or other materials provided with the distribution.
+#      * Neither the name of the GjÃ¸vik University College nor the
+#        names of its contributors may be used to endorse or promote products
+#        derived from this software without specific prior written permission.
+#       
+#  THIS SOFTWARE IS PROVIDED BY GjÃ¸vik University College ''AS IS'' AND ANY
+#  EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+#  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+#  DISCLAIMED. IN NO EVENT SHALL GjÃ¸vik University College BE LIABLE FOR ANY
+#  DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+#  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+#  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+#  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+#  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+#  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
 require_once('config.php');
 require_once('lib/auth_base.php');
 require_once('lib/common_functions.php');
@@ -32,13 +58,13 @@ if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logou
 			$type = false;
 			$authid = false;
 
-			if ( array_key_exists('username', $_GET) 
-				&& array_key_exists('password', $_GET) )
+			if ( array_key_exists('username', $_POST) 
+				&& array_key_exists('password', $_POST) )
 			{
-				if ( 1 == authuser_verify( sql_clean($_GET['username']), sql_clean($_GET['password'])))
+				if ( 1 == authuser_verify( sql_clean($_POST['username']), sql_clean($_POST['password'])))
 				{
 					$type = "user";
-					$authid = $_GET['username'];
+					$authid = $_POST['username'];
 				}
 				else
 				{
@@ -46,12 +72,12 @@ if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logou
 					exit;
 				}
 			}
-			else if ( array_key_exists('api_key', $_GET) )
+			else if ( array_key_exists('api_key', $_POST) )
 			{
-				if ( verify_apikey( sql_clean( $_GET['api_key'] ) ) == 1 )
+				if ( verify_apikey( sql_clean( $_POST['api_key'] ) ) == 1 )
 				{
 					$type = "key";
-					$authid = $_GET['api_key'];
+					$authid = $_POST['api_key'];
 				}
 				else
 				{
@@ -72,8 +98,8 @@ if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logou
 			// De-authenticate/deauthorize the ongoing session.
 			// I.e. destroy session data, remove session cookies.
 			$session_name = "";
-			if ( array_key_exists('session', $_GET ) )
-				$session_name = $_GET['session'];
+			if ( array_key_exists('session', $_POST ) )
+				$session_name = $_POST['session'];
 			session_name($session_name);
 			session_start();
 			clear_credentials($session_name);
@@ -101,7 +127,7 @@ else
 			// The ping required a valid session...
 			// A successful ping returns a 'response' => 'pong'
 			// along with the new auth_key.
-			$session_name = $_GET['session'];
+			$session_name = $_POST['session'];
 			$authid = $_SESSION['authid'];
 			$auth_key = update_authkey( $session_name, $authid );
 			print json_encode( array( 'response' => 'pong', 'auth_key' => $auth_key ));
@@ -112,11 +138,11 @@ else
 			if ( ! can_write() )
 				simple_authfail();
 
-			if ( array_key_exists('host_ip', $_GET )
-				&& array_key_exists('access', $_GET ))
+			if ( array_key_exists('host_ip', $_POST )
+				&& array_key_exists('access', $_POST ))
 			{
-				$host = $_GET['host_ip'];
-				$access = $_GET['access'];
+				$host = $_POST['host_ip'];
+				$access = $_POST['access'];
 
 				if (! preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/", $host) || ! authlevel_value( $access ) )
 				{
@@ -141,9 +167,9 @@ else
 			if ( ! can_write() )
 				simple_authfail();
 
-			if ( array_key_exists('api_key', $_GET ) )
+			if ( array_key_exists('api_key', $_POST ) )
 			{
-				$key = sql_clean( $_GET['api_key'] );
+				$key = sql_clean( $_POST['api_key'] );
 				// Perform a key-verification, skipping host/remote-address check.
 				if ( ! verify_apikey( $key, true ) )
 				{
@@ -178,11 +204,11 @@ else
 			if ( ! can_write() )
 				simple_authfail();
 
-			if ( array_key_exists('username', $_GET )
-				&& array_key_exists('access', $_GET ))
+			if ( array_key_exists('username', $_POST )
+				&& array_key_exists('access', $_POST ))
 			{
-				$user = $_GET['username'];
-				$access = $_GET['access'];
+				$user = $_POST['username'];
+				$access = $_POST['access'];
 				$level = authlevel_value( $access );
 
 				if ( ! $level )
@@ -215,9 +241,9 @@ else
 			if ( ! can_write() )
 				simple_authfail();
 
-			if ( array_key_exists('username', $_GET ))
+			if ( array_key_exists('username', $_POST ))
 			{
-				$user = $_GET['username'];
+				$user = $_POST['username'];
 
 				$t_level = get_authorization( "user", $user );