} // New global variable which ONLY gets set in this server page, so you know that // if you've been called by a remote Moodle, this should be set: $MNET_REMOTE_CLIENT = new mnet_remote_client(); // Peek at the message to see if it's an XML-ENC document. If it is, note that // the client connection was encrypted, and strip the xml-encryption and // xml-signature wrappers from the XML-RPC payload if (strpos(substr($HTTP_RAW_POST_DATA, 0, 100), '<encryptedMessage>')) { $MNET_REMOTE_CLIENT->was_encrypted(); // Extract the XML-RPC payload from the XML-ENC and XML-SIG wrappers. $payload = mnet_server_strip_wrappers($HTTP_RAW_POST_DATA); } else { $params = xmlrpc_decode_request($HTTP_RAW_POST_DATA, $method); if ($method == 'system.keyswap' || $method == 'system/keyswap') { // OK } elseif ($MNET_REMOTE_CLIENT->plaintext_is_ok() == false) { exit(mnet_server_fault(7021, 'forbidden-transport')); } // Looks like plaintext is ok. It is assumed that a plaintext call: // 1. Came from a trusted host on your local network // 2. Is *not* from a Moodle - otherwise why skip encryption/signing? // 3. Is free to execute ANY function in Moodle // 4. Cannot execute any methods (as it can't instantiate a class first) // To execute a method, you'll need to create a wrapper function that first // instantiates the class, and then calls the method. $payload = $HTTP_RAW_POST_DATA; } if (!empty($CFG->mnet_rpcdebug)) { trigger_error("XMLRPC Payload"); trigger_error(print_r($payload, 1)); }
$MNET_REMOTE_CLIENT = new mnet_remote_client(); $plaintextmessage = mnet_server_strip_encryption($HTTP_RAW_POST_DATA); $xmlrpcrequest = mnet_server_strip_signature($plaintextmessage); if ($MNET_REMOTE_CLIENT->pushkey == true) { // The peer used one of our older public keys, we will return a // signed/encrypted error message containing our new public key // Sign message with our old key, and encrypt to the peer's private key. exit(mnet_server_fault_xml(7025, $MNET->public_key, $MNET_REMOTE_CLIENT->useprivatekey)); } // Have a peek at what the request would be if we were to process it $params = xmlrpc_decode_request($xmlrpcrequest, $method); // One of three conditions need to be met before we continue processing this request: // 1. Request is properly encrypted and signed // 2. Request is for a keyswap (we don't mind enencrypted or unsigned requests for a public key) // 3. Request is properly signed and we're happy with it being unencrypted if ($MNET_REMOTE_CLIENT->request_was_encrypted == true && $MNET_REMOTE_CLIENT->signatureok == true || ($method == 'system.keyswap' || $method == 'system/keyswap') || $MNET_REMOTE_CLIENT->signatureok == true && $MNET_REMOTE_CLIENT->plaintext_is_ok() == true) { $response = mnet_server_dispatch($xmlrpcrequest); } else { if ($MNET_REMOTE_CLIENT->request_was_encrypted == false && $MNET_REMOTE_CLIENT->plaintext_is_ok() == false) { exit(mnet_server_fault(7021, 'forbidden-transport')); } if ($MNET_REMOTE_CLIENT->request_was_signed == false) { // Request was not signed exit(mnet_server_fault(711, 'verifysignature-error')); } if ($MNET_REMOTE_CLIENT->signatureok == false) { // We were unable to verify the signature exit(mnet_server_fault(710, 'verifysignature-invalid')); } } if (!empty($CFG->mnet_rpcdebug)) {