This allows us to set document root to the public directory, so that
there's less chance for shady actors to access the actual modules of the
system directly.

Just to be on the safe side, I added a new index.php file in the root of
the project, to return a forbidden status in case of a misconfigured
server.
XMLParser would expand entities by default, which could make us
susceptible to both XXE attacks and the billion laughs attack.
By default XMLReader does _not_ expand entities, so it's a safer choice.

This also changes the XmlRpcMethod::parse() function to throw a runtime
exception if the XML payload could not be parsed, and to return null if
the payload does not contain a valid <methodName> element.

In cases where we're unable to parse the payload as a valid XML-RPC
request, we fall back to saving the full request info as before.
If the XML-RPC method is wp.getUsersBlogs, we just save submitted
credentials and otherwise ignore the request.

We get a lot of these, and they're not really that interesting, so we
don't need to save the full payload. But let's keep the credentials,
so that we can build a list of passwords and user names.

Other requests will be saved in full as before.