}
// New global variable which ONLY gets set in this server page, so you know that
// if you've been called by a remote Moodle, this should be set:
$MNET_REMOTE_CLIENT = new mnet_remote_client();
// Peek at the message to see if it's an XML-ENC document. If it is, note that
// the client connection was encrypted, and strip the xml-encryption and
// xml-signature wrappers from the XML-RPC payload
if (strpos(substr($HTTP_RAW_POST_DATA, 0, 100), '<encryptedMessage>')) {
$MNET_REMOTE_CLIENT->was_encrypted();
// Extract the XML-RPC payload from the XML-ENC and XML-SIG wrappers.
$payload = mnet_server_strip_wrappers($HTTP_RAW_POST_DATA);
} else {
$params = xmlrpc_decode_request($HTTP_RAW_POST_DATA, $method);
if ($method == 'system.keyswap' || $method == 'system/keyswap') {
// OK
} elseif ($MNET_REMOTE_CLIENT->plaintext_is_ok() == false) {
exit(mnet_server_fault(7021, 'forbidden-transport'));
}
// Looks like plaintext is ok. It is assumed that a plaintext call:
// 1. Came from a trusted host on your local network
// 2. Is *not* from a Moodle - otherwise why skip encryption/signing?
// 3. Is free to execute ANY function in Moodle
// 4. Cannot execute any methods (as it can't instantiate a class first)
// To execute a method, you'll need to create a wrapper function that first
// instantiates the class, and then calls the method.
$payload = $HTTP_RAW_POST_DATA;
}
if (!empty($CFG->mnet_rpcdebug)) {
trigger_error("XMLRPC Payload");
trigger_error(print_r($payload, 1));
}
$MNET_REMOTE_CLIENT = new mnet_remote_client();
$plaintextmessage = mnet_server_strip_encryption($HTTP_RAW_POST_DATA);
$xmlrpcrequest = mnet_server_strip_signature($plaintextmessage);
if ($MNET_REMOTE_CLIENT->pushkey == true) {
// The peer used one of our older public keys, we will return a
// signed/encrypted error message containing our new public key
// Sign message with our old key, and encrypt to the peer's private key.
exit(mnet_server_fault_xml(7025, $MNET->public_key, $MNET_REMOTE_CLIENT->useprivatekey));
}
// Have a peek at what the request would be if we were to process it
$params = xmlrpc_decode_request($xmlrpcrequest, $method);
// One of three conditions need to be met before we continue processing this request:
// 1. Request is properly encrypted and signed
// 2. Request is for a keyswap (we don't mind enencrypted or unsigned requests for a public key)
// 3. Request is properly signed and we're happy with it being unencrypted
if ($MNET_REMOTE_CLIENT->request_was_encrypted == true && $MNET_REMOTE_CLIENT->signatureok == true || ($method == 'system.keyswap' || $method == 'system/keyswap') || $MNET_REMOTE_CLIENT->signatureok == true && $MNET_REMOTE_CLIENT->plaintext_is_ok() == true) {
$response = mnet_server_dispatch($xmlrpcrequest);
} else {
if ($MNET_REMOTE_CLIENT->request_was_encrypted == false && $MNET_REMOTE_CLIENT->plaintext_is_ok() == false) {
exit(mnet_server_fault(7021, 'forbidden-transport'));
}
if ($MNET_REMOTE_CLIENT->request_was_signed == false) {
// Request was not signed
exit(mnet_server_fault(711, 'verifysignature-error'));
}
if ($MNET_REMOTE_CLIENT->signatureok == false) {
// We were unable to verify the signature
exit(mnet_server_fault(710, 'verifysignature-invalid'));
}
}
if (!empty($CFG->mnet_rpcdebug)) {
