zethon
12-20-2009, 12:00 AM
I have a plugin that uses a webservice hosted on my vBulletin site. The client posts XML in the request. My script reads the entire POST request and parses it as XML. For example:
$postdata = file_get_contents("php://input");
$xmlobj = new XMLparser($postdata, '');
$xmlarray = $xmlobj->parse();
The problem with this is the CSRF protection. In init.php I see:
if (empty($_POST) AND isset($_SERVER['CONTENT_LENGTH']) AND $_SERVER['CONTENT_LENGTH'] > 0)
{
    die('The file(s) uploaded were too large to process.');
}
I tried defining CSRF_PROTECTION as false, but that won't work. In init.php, it seems like the test for "CSRF_PROTECTION === true" on line 460 should be in line 452 with "if (strtoupper($_SERVER['REQUEST_METHOD']) == 'POST')". In cases like mine, the $_POST array will always be empty and the content length will always be greater than zero.
I imagine if I implement a "do" action and pass the XML as a POST variable, this will take care of it. However, that seems like a silly solution and I'm wondering if there is a better way to do this.
Thanks!
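Added example (not part of the original post and not vBulletin code): a stand-alone PHP script that applies the init.php condition quoted above to a raw XML body and to the same XML sent as a form field, showing why only the first trips it. The helpers simulate_post() and guard_trips(), the field names do and xml, and the sample XML are constructed for illustration.

```php
<?php
// Added illustration. simulate_post() and guard_trips() are hypothetical helpers;
// only the condition inside guard_trips() is taken from the post.

// Model of how PHP fills $_POST: it parses the body only for form content types.
function simulate_post(string $contentType, string $body): array
{
    $type = strtolower(trim(explode(';', $contentType)[0]));
    if ($type === 'application/x-www-form-urlencoded') {
        parse_str($body, $fields);
        return $fields;
    }
    // multipart/form-data is also parsed by PHP; not modelled here.
    // Any other type (text/xml, application/xml, ...) leaves $_POST empty.
    return [];
}

// The init.php condition quoted in the post, applied to explicit arrays.
function guard_trips(array $post, array $server): bool
{
    return empty($post)
        && isset($server['CONTENT_LENGTH'])
        && $server['CONTENT_LENGTH'] > 0;
}

$xml = '<request><action>ping</action></request>'; // constructed sample body

$cases = [
    'raw XML body'        => ['text/xml; charset=utf-8', $xml],
    'XML in a form field' => ['application/x-www-form-urlencoded',
                              'do=process&xml=' . urlencode($xml)],
];

foreach ($cases as $label => [$type, $body]) {
    $post   = simulate_post($type, $body);
    $server = ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => strlen($body)];
    printf(
        "%-20s \$_POST keys: [%s]  guard trips: %s\n",
        $label,
        implode(',', array_keys($post)),
        guard_trips($post, $server) ? 'yes' : 'no'
    );
}
```

Run with the PHP CLI; the raw XML case reports an empty $_POST with the guard tripping, while the form-field case reports the keys do and xml and passes the condition.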