I believe I have the framework for the XML-RPC daemon written. I've done some pretty silly (read… not really fool-proof and/or accurate) things in order to faciliate getting this out the door as quickly as possible. However, as it stands now, I believe it should work pretty well. The only place I really cut corners is on the HTTP emulation. Basically, I always return 200 OK and I don't even look at what METHOD is being requested, what version of HTTP is being used, or what URL is requested. However, aside from possibly breaking the laws of HTTP, I believe it is secure. The code is designed to run through inetd. Therefore, anything that goes out STDOUT will be sent to the client and anything coming in to STDIN came from the client.
I intend to run this as root, or, perhaps another user with the permission to restart Apache create directories and add user accounts via sudo or something similar. Therefore, I want it to be… pretty hack-proof. If you're a PHP or C coder, would you mind looking it over for any errors? Even if you aren't a PHP or C coder, PHP is pretty easy to follow. In particular, there is a chunk of code that handles incoming data. I'm not sure how to make certain that I don't end up in an infinite loop.
The code which, at this point, is NOT under the GPL or any other license allowing ANYONE to use it but me (I'm still trying to figure out what I want to do with it) can be found here. It requires only one library — Keith's XMLRPC library — which I've modified slightly. If you have a few more spare minutes, and would like to look it over as well, the code is over here.
Obviously, since the modules will be running as root as well, they will have to be written securely, too. I just want to make sure this part of it is good, before I progress any further.
Thanks in advance.
