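/**
 * Every API request comes with a sha512 hash included in a X-Kem-Signature
 * HTTP header. This function will compare that signature with a similar
 * signature generated using the private key stored on our side.
 *
 * Headers are rebuilt from $_SERVER because getallheaders() is not available
 * on nginx. The parsing is inlined: the previous version declared a named
 * `function parseRequestHeaders()` inside this method, so a second call
 * within the same request would fail with "Cannot redeclare".
 *
 * Relies on $this->public_api and $this->require_authentification, which are
 * set elsewhere on the class.
 *
 * @return bool true when the request is authorised; false otherwise. A missing
 *              header, a wrong user or an unimplemented branch all fail closed.
 */
protected function cheakApiRequestValidity()
{
    // HTTP_X_KEM_SIGNATURE -> X-Kem-Signature, the same shape getallheaders() yields.
    $headers = array();
    foreach ($_SERVER as $key => $value) {
        if (substr($key, 0, 5) !== 'HTTP_') {
            continue;
        }
        $name = str_replace(' ', '-', ucwords(str_replace('_', ' ', strtolower(substr($key, 5)))));
        $headers[$name] = $value;
    }

    $signature = isset($headers['X-Kem-Signature']) ? $headers['X-Kem-Signature'] : null;
    $salt = isset($headers['X-Kem-Salt']) ? $headers['X-Kem-Salt'] : null;
    $client = isset($headers['X-Kem-User']) ? $headers['X-Kem-User'] : null;

    // Raw body, exactly as signed by the client (the $client argument looks
    // superfluous — confirm against the framework's getRawBody() signature).
    $body = Yii::app()->request->getRawBody($client);

    if ($this->public_api) {
        // This is a public api call
        // Looked up here but not used yet; reserved for the TODO branch below.
        $user = User::model()->findByPk($client);
        if ($this->require_authentification) {
            // This call requires authentification
            #TODO Implement — until then this falls through to the final `return false`.
        } else {
            // This is a public api call with no authentification
            return true;
        }
    } else {
        // Private APIs require full authentication with KEM secret
        // Generate a signature combining salt+body+secret. The parts are joined
        // without a delimiter; the construction is kept for compatibility with
        // existing clients (an HMAC over a delimited message would be stronger).
        $concatenated_string = $salt . $body . Yii::app()->params['inbound_api_secret'];
        $generated_signature = hash('sha512', $concatenated_string);

        // Check if the generated signature on both sides match.
        // hash_equals() keeps the comparison constant-time; the is_string() guard
        // makes an absent header fail closed instead of raising a TypeError.
        // NEVER trust that simple mechanism for any sensitive transaction (anything regarding payments)
        $signatureMatches = is_string($signature) && hash_equals($generated_signature, $signature);
        if ($signatureMatches && $client === Yii::app()->params['inbound_api_user']) {
            return true;
        }
    }

    return false;
}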
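<?php
/* Do not modify this line because of request limits set for Azure. */
ini_set('memory_limit', '1024K');
/* Do not modify above this line. */

// Identity this proxy presents to the upstream servers it fetches from.
$user_agent = 'AnyOrigin/1.0; Public API';
$user_domain = 'http://46.101.40.191/'; /* It is recommended that you keep this value to prevent requests looking like they are all from you if hosting multiple sites */

// Record which header identified the caller: the CORS "origin" header, or
// "x-requested-with" as the fallback for plain XHR callers.
// parseRequestHeaders() is defined elsewhere in this file.
$incoming_headers = parseRequestHeaders();
$incoming_type = "";
$ao_user_origin = "";
if (isset($incoming_headers["origin"])) {
    $ao_user_origin = $incoming_headers["origin"];
    $incoming_type = "origin";
} elseif (isset($incoming_headers["x-requested-with"])) {
    $ao_user_origin = $incoming_headers["x-requested-with"];
    $incoming_type = "x-requested-with";
}

// Referer hosts allowed to use this proxy. A leading '*' disables the check,
// which turns this into an open proxy: any caller can make this server fetch
// whatever URL it names in `u`. Restrict this list and validate the scheme and
// host of $client_url before it is fetched.
$allowed_hosts = array('*');

/* Do not modify below this line */
$user_agent_full = "{$user_agent} ({$user_domain})";

// The Referer is optional and may be malformed: parse_url() returns false in
// that case, and a URL without an authority has no 'host' key, so guard both
// before indexing instead of reading from false/null.
$client_referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$client_referer = parse_url($client_referer);
$client_host = (is_array($client_referer) && isset($client_referer['host'])) ? $client_referer['host'] : null;

// URL the caller wants fetched; null (not an undefined-index notice) when absent.
$client_url = isset($_GET['u']) ? $_GET['u'] : null;

// Sentinel values consumed by the rest of the script: 1000 = denied, 1 = allowed.
$client_allowed = 1000;
if ($allowed_hosts[0] === '*' || in_array(strtolower((string) $client_host), $allowed_hosts, true)) {
    $client_allowed = 1;
}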
/**
 * Parse HTTP request headers
 *
 * Rebuilds the request headers from the HTTP_* entries of $_SERVER, so that
 * e.g. HTTP_USER_AGENT becomes 'User-Agent'. Entries without the HTTP_ prefix
 * are ignored.
 *
 * @return array<string, string> header name => value
 */
function parseRequestHeaders()
{
    $result = array();
    foreach ($_SERVER as $serverKey => $serverValue) {
        if (strncmp($serverKey, 'HTTP_', 5) !== 0) {
            continue;
        }
        // HTTP_X_FOO_BAR -> 'x foo bar' -> 'X Foo Bar' -> 'X-Foo-Bar'
        $words = str_replace('_', ' ', strtolower(substr($serverKey, 5)));
        $result[str_replace(' ', '-', ucwords($words))] = $serverValue;
    }
    return $result;
}

$headers = parseRequestHeaders();

/**
 * If User-Agent header has VoxImplant value then create new session
 * and return session id in Set-Cookie header
 */
// A session is started for every request; only the VoxImplant client gets the
// session id echoed back in an additional hand-written Set-Cookie header.
session_start();
$userAgent = isset($headers['User-Agent']) ? $headers['User-Agent'] : null;
if ($userAgent === "VoxImplant") {
    // NOTE(review): this duplicates the cookie session_start() already sends
    // and carries no HttpOnly/Secure attributes — confirm the VoxImplant
    // client really requires this bare form.
    header("Set-Cookie: PHPSESSID=" . session_id() . "; path=/");
}

/**
 * Database Interface and Web Services for Conference
 */
// Tail of handleCorsRequest(); its signature lies above this excerpt.
{
    header("Access-Control-Allow-Origin: *");
}

/*
 * handle pre-flighted requests. Needed for CORS operation
 *
 * NOTE(review): handleCorsRequest() answers with a wildcard Allow-Origin and
 * this function then adds Allow-Credentials: true. Browsers do not honour a
 * credentialed response whose Allow-Origin is "*", so either the credentials
 * header is dead weight or the caller's origin should be echoed explicitly —
 * confirm which is intended.
 */
function handlePreflight()
{
    handleCorsRequest();
    header("Access-Control-Allow-Methods: POST, DELETE");
    header("Access-Control-Allow-Credentials: true");
    header("Access-Control-Allow-Headers: Content-Type, X-Requested-With, Cache-Control");
}

// Determine whether we are dealing with a regular ol' XMLHttpRequest, or
// an XDomainRequest
// parseRequestHeaders() is defined elsewhere in this file. An XDomainRequest
// cannot send custom headers, so a missing or different X-Requested-With is
// taken to mean the iframe transport.
$_HEADERS = parseRequestHeaders();
$iframeRequest = false;
if (!isset($_HEADERS['X-Requested-With']) || $_HEADERS['X-Requested-With'] != "XMLHttpRequest") {
    $iframeRequest = true;
}

/*
 * handle the preflighted OPTIONS request. Needed for CORS operation.
 */
// $method and $uploader are assigned before this excerpt; the else-branch
// continues beyond it.
if ($method == "OPTIONS") {
    handlePreflight();
} else {
    if ($method == "DELETE") {
        handleCorsRequest();
        $result = $uploader->handleDelete("files");
        // iframe uploads require the content-type to be 'text/html' and
        // return some JSON along with self-executing javascript (iframe.ss.response)
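<?php
require_once "secret.php";

// PHP is a terrible language. But I don't want to fire up a web server for automated deployment scripts. So, whatever.
// thank you based stack overflow
/**
 * Rebuild the request headers from the HTTP_* entries of $_SERVER
 * (HTTP_X_HUB_SIGNATURE -> 'X-Hub-Signature').
 *
 * @return array<string, string> header name => value
 */
function parseRequestHeaders()
{
    $headers = array();
    foreach ($_SERVER as $key => $value) {
        if (substr($key, 0, 5) !== 'HTTP_') {
            continue;
        }
        $header = str_replace(' ', '-', ucwords(str_replace('_', ' ', strtolower(substr($key, 5)))));
        $headers[$header] = $value;
    }
    return $headers;
}

$h = parseRequestHeaders();
// Absent headers used to raise undefined-index notices; default to '' so the
// checks below simply fail.
$event = isset($h["X-Github-Event"]) ? $h["X-Github-Event"] : '';
$sig = isset($h["X-Hub-Signature"]) ? $h["X-Hub-Signature"] : '';

// Shared secret configured in the GitHub webhook settings. secret.php is
// expected to supply it; wire the value it defines in here.
// PLACEHOLDER: replace null with the secret provided by secret.php.
$webhookSecret = null;

// GitHub puts "sha1=" . HMAC-SHA1(raw body, secret) in X-Hub-Signature.
// Previously $sig was read but never compared, so any request carrying
// "X-Github-Event: push" could trigger the reset-and-pull below. The check
// is mandatory and fails closed while the secret is not wired in.
$payload = file_get_contents('php://input');
if ($webhookSecret === null || $payload === false) {
    http_response_code(500);
    echo "webhook secret not configured";
    exit;
}
$expected = 'sha1=' . hash_hmac('sha1', $payload, $webhookSecret);
if (!hash_equals($expected, $sig)) {
    http_response_code(403);
    echo "bad signature";
    exit;
}

switch ($event) {
    case "ping":
        echo "pong!";
        break;
    case "push":
        // Fixed command line; no request data reaches the shell.
        $d = shell_exec("cd /var/www/morganbaz.com/www && git reset --hard HEAD && git pull 2>&1");
        echo "all right dude, {$d}";
        break;
}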
// Collect the request headers: apache_request_headers() where the SAPI
// provides it, otherwise rebuilt from the HTTP_* entries of $_SERVER.
if (function_exists('apache_request_headers')) {
    $ajax = apache_request_headers();
} else {
    // Conditional declaration: only defined when the fallback path is taken.
    // Normalises HTTP_ACCEPT_LANGUAGE -> 'Accept-Language'.
    function parseRequestHeaders()
    {
        $headers = array();
        foreach ($_SERVER as $key => $value) {
            if (substr($key, 0, 5) != 'HTTP_') {
                continue;
            }
            $header = str_replace(' ', '-', ucwords(str_replace('_', ' ', strtolower(substr($key, 5)))));
            $headers[$header] = $value;
        }
        return $headers;
    }
    $ajax = parseRequestHeaders();
}

// Both spellings are probed — presumably because the Apache path keeps the
// header name as the client sent it while the fallback always yields
// 'Accept-Language'. Falls back to "ru".
$lng = $ajax["accept-language"] ?? $ajax["Accept-Language"] ?? "ru";
// echo json_encode($lng);
// die("");

// $request, $api and $http_response_code are shared with code outside this
// excerpt; the switch continues past the last visible case.
switch ($request) {
    default:
        $http_response_code = 404; // Not Found
        $api["error"] = ["code" => 404, "message" => "Not Found", "type" => "ServerException", "url" => "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.5"];
        break;
    case "index":
        $api["identity"] = "index";
        // NOTE(review): fixed profile with a literal session_id — looks like
        // stub data; confirm nothing downstream treats it as a real session.
        $api["data"] = ["first_name" => "Anton", "last_name" => "Trofimenko", "email" => "*****@*****.**", "session_id" => "djbncdslkjdnlfkjhlkdjhcdfklhjk"];
        break;
    case "account/signin":