diff --git a/public_html/deployment/classes/sws.class.php b/public_html/deployment/classes/sws.class.php
index 5da960db10976988d6108636fb9dc48f63538909..4833108e56c4bb51463e99fc45fb2af1e3da4683 100644
--- a/public_html/deployment/classes/sws.class.php
+++ b/public_html/deployment/classes/sws.class.php
@@ -103,7 +103,7 @@ class sws {
 * version
 * @var string
 */
- private $_sVersion = "0.06 (beta)";
+ private $_sVersion = "0.07 (beta)";
 
 /**
 * title
@@ -166,6 +166,23 @@ class sws {
 return false;
 }
 
+ /**
+ * helper for _parseParams
+ * check if parameter args contain safe chars
+ * @param type $sParamValue
+ * @return boolean
+ */
+ private function _verifyParamValue($sParamValue){
+ $sOKChars='a-z0-9\"\{\}\[\]\.\,\ \:\-\+';
+ if(isset($this->_aParams[$sParamValue])){
+ $sVal=urldecode($this->_aParams[$sParamValue]);
+ if(preg_match('/[^'.$sOKChars. ']/i', $sVal)){
+ $this->_quit("ERROR: parameter $sParamValue=.. contains unsupported character(s): [". preg_replace('/['.$sOKChars. ']/i', '',$sVal)."]");
+ }
+
+ }
+ return true;
+ }
 /**
 * parse parameters (given GET/ POST is in by _aParams @see setParams)
 * class - class to initialize
@@ -176,7 +193,7 @@ class sws {
 */
 private function _parseParams() {
 $aMinParams = array("class", "action");
- $aMaxParams = array_merge($aMinParams, array("args"));
+ $aMaxParams = array_merge($aMinParams, array("init", "args", "type"));
 $sErrors = '';
 
 // set defaults
@@ -202,7 +219,12 @@ class sws {
 $sErrors.="- <em>" . $sKey . "</em><br>";
 }
 }
- // TODO: checkMaxParams
+ // check max Params
+ foreach(array_keys($this->_aParams) as $sKey){
+ if(!in_array($sKey, $aMaxParams)){
+ $this->_quit("ERROR: parameter ". htmlentities($sKey)." is unknown.");
+ }
+ }
 
 // check if classname and action exist in configuration
 if (array_key_exists("class", $this->_aParams)) {
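Review bot: In `_verifyParamValue` the rejected characters are echoed back unescaped — `preg_replace(...)` strips the allowlisted characters, so what remains is by definition outside `$sOKChars` and may contain markup, yet it is concatenated straight into the `_quit` message, whereas the parallel unknown-parameter check in this same commit wraps `$sKey` in `htmlentities()`. The other `_quit` messages carry `<br>`/`<code>` tags, so the output appears to be HTML and this should read `htmlentities(preg_replace('/['.$sOKChars. ']/i', '', $sVal))`. The docblock is also off: the argument is the parameter name, not its value, so `@param type $sParamValue` should become `@param string $sParamValue name of the request parameter (key in $this->_aParams) to check`. Whether `_quit` terminates the request is not visible here; the unconditional `return true` only makes sense if it does.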
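Review bot: The new max-params check calls `in_array($sKey, $aMaxParams)` without the strict flag; `array_keys()` yields integer keys for numeric parameter names, and under PHP 7's loose comparison an int `0` equals any non-numeric string, so such a key would be accepted as "known". Use `if(!in_array($sKey, $aMaxParams, true)){` so only the exact string names pass. `_parseParams` continues past the end of this hunk.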
@@ -214,6 +236,9 @@ class sws { $this->_sClassfile = $this->_aKnownClasses["classes"][$this->_aParams["class"]]["file"]; // get arguments for the method + $this->_verifyParamValue("init"); + $this->_verifyParamValue("args"); + if (array_key_exists("init", $this->_aParams)) { try { $aTmp = json_decode($this->_aParams["init"], 1); @@ -222,7 +247,7 @@ class sws { } if (!is_array($aTmp)) { $this->_quit( - 'ERROR: wrong request - init value must be a json string<br>' + 'ERROR: wrong request - init value must be a json string (in url encoded form)<br>' . 'examples:<br>' . '- one arg <code>(...)&init=["my string"]</code><br>' . '- two args <code>(...)&init=["my string", 123]</code> ' @@ -249,7 +274,7 @@ class sws { } if (!is_array($aTmp)) { $this->_quit( - 'ERROR: wrong request - args value must be a json string<br>' + 'ERROR: wrong request - args value must be a json string (in url encoded form)<br>' . 'examples:<br>' . '- one arg <code>(...)&args=["my string"]</code><br>' . '- two args <code>(...)&args=["my string", 123]</code> ' @@ -623,7 +648,7 @@ class sws { $sClassInit = '<span class="urlvalue">[initparams]</span>'; $sActionSelect = '<span class="urlvalue">[action]</span>'; $sParamSelect = '<span class="urlvalue">[parameters]</span>'; - $sTypeSelect = '<span class="urlvalue">[type: raw|json]</span>'; + $sTypeSelect = '<span class="urlvalue">[raw|json]</span>'; $sSyntax = sprintf( '<pre>?' @@ -701,6 +726,9 @@ class sws { . '.warning{ color:#a96; background:#fc8; padding: 0.5em; margin-bottom: 2em; border-left: 4px solid;}' . '.defaultvalue{color: #33c;}' . '</style>' + ; + if($this->_aOptions["enableGui"]){ + $sReturn.= '' . '<script>' . 'function toggleDesciption(sId, a){' . 'var o=document.getElementById(sId);' @@ -781,6 +809,9 @@ class sws { ' . '</script>' + ; + } + $sReturn.= '' . '</head>' . '<body>'; 
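Review bot: The validation and the consumer look at different strings: `_verifyParamValue` tests `urldecode($this->_aParams["init"])`, but a few lines later `json_decode($this->_aParams["init"], 1)` receives the un-decoded value (same for `args`). If `_aParams` is filled from `$_GET`/`$_POST`, which PHP has already decoded, the extra `urldecode` is a second decoding pass, so a `%xx` sequence in the stored value is checked in decoded form and consumed in encoded form. Validate exactly what is consumed — either drop `urldecode()` from the helper or decode once into a local, e.g. `$sInit = urldecode($this->_aParams["init"]); $aTmp = json_decode($sInit, 1);`, and run the character check on that same local. `_parseParams` starts and ends outside this hunk, and how `_aParams` is populated (`setParams`) is not visible here.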
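Review bot: `if($this->_aOptions["enableGui"]){` reads the option key directly; when it is absent from the options array PHP emits an undefined-index notice (a warning on PHP 8) and the condition is merely falsy. The `sws-config.json` in this commit does define `enableGui`, but the guard should not depend on the config shape: `if(!empty($this->_aOptions["enableGui"])){`. The closing brace and the resumed `$sReturn.=` sit in the -781 hunk, and the enclosing method lies outside both hunks.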
diff --git a/public_html/webservice/sws-config.json b/public_html/webservice/sws-config.json
index a7b7e3273c59e06c4baf89e8dfb4962564307f84..a2cdf80e167968735114c65e56b12c18bc165851 100644
--- a/public_html/webservice/sws-config.json
+++ b/public_html/webservice/sws-config.json
@@ -1,7 +1,7 @@
 {
 "options": {
 "enableGui": 1,
- "enableDump": 1
+ "enableDump": 0
 },
 "classes": {
 "Actionlog": {
@@ -9,6 +9,12 @@
 "actions": {
 "getLogs": {}
 }
+ },
+ "project": {
+ "file": "project.class.php",
+ "actions": {
+ "getProjects": {}
+ }
 }
 }
 }
\ No newline at end of file