The Arcive of Official vBulletin Modifications Site.

zethon · #1 12-20-2009, 12:00 AM

I have a plugin that uses a webservice hosted on my vBulletin site. The client posts XML in the request. My script reads the entire POST request and parses it as XML. For example:

PHP Code:


			
$postdata = file_get_contents("php://input"); 
$xmlobj = new XMLparser($postdata, '');
$xmlarray = $xmlobj->parse();

The problem with this is the CSRF protection. In init.php I see:

PHP Code:


			
    if (empty($_POST) AND isset($_SERVER['CONTENT_LENGTH']) AND $_SERVER['CONTENT_LENGTH'] > 0)
    {
        die('The file(s) uploaded were too large to process.');
    }

I tried defining CSRF_PROTECTION as false, but that won't work. In init.php, it seems like the test for "CSRF_PROTECTION === true" on line 460 should be in line 452 with "if (strtoupper($_SERVER['REQUEST_METHOD']) == 'POST')". In cases like mine, the $_POST array will always be empty and the content length will always be greater than zero.

I imagine if I implement a "do" action and pass the XML as a POST variable, this will take care of it. However, that seems like a silly solution and I'm wondering if there is a better way to do this.

Thanks!

CGhostGroup · #2 01-09-2010, 11:43 PM

Something new about that?
I get this message with a normal <input>-field via POST-Request...

event with the securitytoken-field it won't work.

zethon · #3 05-21-2010, 05:35 PM

Bump?

I managed to get this to work by doing $_POST["foo"] = ""; at the start of my script.

Still though, seems awkward to do this.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.03734 seconds Memory Usage 2,182KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (2)bbcode_php (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (3)post_thanks_box (3)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (3)post_thanks_postbit_info (3)postbit (3)postbit_onlinestatus (3)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!