X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=lib%2Fapioauth.php;h=75b0b3c576aa9e3b9043ca4019c43e9fe75011a9;hb=f97b863fd709135fb9f7bf7c756a1c6721e3e988;hp=4cb8a677541d223b096522f63979e91b959f5fa2;hpb=a85a3ddc725a99ea182e86ec65f6be574752b18f;p=quix0rs-gnu-social.git
diff --git a/lib/apioauth.php b/lib/apioauth.php
index 4cb8a67754..75b0b3c576 100644
--- a/lib/apioauth.php
+++ b/lib/apioauth.php
@@ -30,7 +30,7 @@
 if (!defined('STATUSNET')) {
 exit(1);
 }
-
+require_once INSTALLDIR . '/lib/apiaction.php';
 require_once INSTALLDIR . '/lib/apioauthstore.php';
 
 /**
@@ -44,15 +44,13 @@ require_once INSTALLDIR . '/lib/apioauthstore.php';
 * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
 * @link http://status.net/
 */
-
-class ApiOauthAction extends Action
+class ApiOauthAction extends ApiAction
 {
 /**
 * Is this a read-only action?
 *
 * @return boolean false
 */
-
 function isReadOnly($args)
 {
 return false;
@@ -73,29 +71,39 @@ class ApiOauthAction extends Action
 *
 * @return void
 */
-
 function handle($args)
 {
 parent::handle($args);
 self::cleanRequest();
 }
 
+ /*
+ * Clean up the request so the OAuth library doesn't find
+ * any extra parameters or anything else it's not expecting.
+ * I'm looking at you, p parameter.
+ */
 static function cleanRequest()
 {
 // kill evil effects of magical slashing
-
 if (get_magic_quotes_gpc() == 1) {
 $_POST = array_map('stripslashes', $_POST);
 $_GET = array_map('stripslashes', $_GET);
 }
 
 // strip out the p param added in index.php
-
- // XXX: should we strip anything else? Or alternatively
- // only allow a known list of params?
-
 unset($_GET['p']);
 unset($_POST['p']);
+ unset($_REQUEST['p']);
+
+ $queryArray = explode('&', $_SERVER['QUERY_STRING']);
+
+ for ($i = 0; $i < sizeof($queryArray); $i++) {
+ if (substr($queryArray[$i], 0, 2) == 'p=') {
+ unset($queryArray[$i]);
+ }
+ }
+
+ $_SERVER['QUERY_STRING'] = implode('&', $queryArray);
 }
 
 function getCallback($url, $params)
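Review bot: The new loop in cleanRequest() re-evaluates `sizeof($queryArray)` on every pass while its body calls `unset($queryArray[$i])`, so each removal shortens the bound and the trailing segments are never examined; a second `p=` segment late in the string would survive in `$_SERVER['QUERY_STRING']` even though `$_GET['p']` is gone. Going by the added comment, the OAuth library reads this request state, so the rewritten query string and the superglobals should not disagree about what was stripped. Take the length once, `$n = sizeof($queryArray); for ($i = 0; $i < $n; $i++) {`, or use `foreach ($queryArray as $i => $pair)`. The comparison is also made on the raw, undecoded segment and `$_SERVER['QUERY_STRING']` is read without an `isset()` guard, which is worth a one-line comment or check.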