Subversion Repositories prepend

Rev

Rev 14 | Details | Compare with Previous | Last modification | View Log | RSS feed

Rev Author Line No. Line
3 daniel-mar 1 
<?php
2 
 
3 
// ATTENTION: This is a very simple XSS "Firewall". There ARE many other ways to do an XSS attack, so please don't rely on this script!
4 
 
9 daniel-mar 5 
$xxx_vts_prepend_config = array();
10 daniel-mar 6 
if (file_exists($xxx_vts_prepend_config_file = __DIR__.'/../config.local.php')) include $xxx_vts_prepend_config_file;
9 daniel-mar 7 
unset($xxx_vts_prepend_config_file);
12 daniel-mar 8 
$xxx_directories_need_anti_xss = $xxx_vts_prepend_config['directories_need_anti_xss'] ?? array(); /* @phpstan-ignore-line */
9 daniel-mar 9 
unset($xxx_vts_prepend_config);
3 daniel-mar 10 
 
11 
function ___check_xss___($str) {
6 daniel-mar 12 
        $ary = is_array($str) ? $str : array($str);
13 
        foreach ($ary as $str) {
14 daniel-mar 14 
                if (!is_string($str)) continue;
6 daniel-mar 15 
                if ((stripos($str, '<svg') !== false) || (stripos($str, '<script') !== false)) {
9 daniel-mar 16 
                        #@header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error', true, 500);
17 
                        @header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request', true, 400);
6 daniel-mar 18 
                        die('There is a problem with the data you have entered. Please write us an email if you think you received this message in error. info at viathinksoft.de');
19 
                }
3 daniel-mar 20 
        }
21 
}
22 
 
23 
// ---
24 
 
25 
$xxx_go = false;
12 daniel-mar 26 
foreach ($xxx_directories_need_anti_xss as $xxx_directory_need_anti_xss) { /* @phpstan-ignore-line */
9 daniel-mar 27 
        if ($xxx_negate = (substr($xxx_directory_need_anti_xss,0,1) === '!')) {
28 
                $xxx_directory_need_anti_xss = substr($xxx_directory_need_anti_xss,1);
29 
        }
15 daniel-mar 30 
        if (strpos($_SERVER['SCRIPT_FILENAME']??'', $xxx_directory_need_anti_xss) === 0) {
9 daniel-mar 31 
                $xxx_go = !$xxx_negate;
3 daniel-mar 32 
        }
15 daniel-mar 33 
        if (strpos(rtrim($_SERVER['PWD']??'',DIRECTORY_SEPARATOR), rtrim($xxx_directory_need_anti_xss,DIRECTORY_SEPARATOR)) === 0) {
13 daniel-mar 34 
                $xxx_go = !$xxx_negate;
35 
        }
3 daniel-mar 36 
}
37 
unset($xxx_directories_need_anti_xss);
38 
unset($xxx_directory_need_anti_xss);
9 daniel-mar 39 
 
12 daniel-mar 40 
if ($xxx_go) { /* @phpstan-ignore-line */
3 daniel-mar 41 
        if (isset($_SERVER['REQUEST_URI'])) ___check_xss___($_SERVER['REQUEST_URI']);
42 
        if (isset($_SERVER['QUERY_STRING'])) ___check_xss___($_SERVER['QUERY_STRING']);
43 
        if (isset($_SERVER['SCRIPT_URI'])) ___check_xss___($_SERVER['SCRIPT_URI']);
44 
        if (isset($_SERVER['SCRIPT_URL'])) ___check_xss___($_SERVER['SCRIPT_URL']);
45 
        if (isset($_SERVER['PHP_SELF'])) ___check_xss___($_SERVER['PHP_SELF']);
46 
 
9 daniel-mar 47 
        # Warum so viele ___ ? Damit man auf keinen Fall ein GET/POST Argument mit diesen Variablen überschreibt!
3 daniel-mar 48 
        foreach ($_REQUEST as $___key___ => $___val___) {
49 
                ___check_xss___($___val___);
50 
        }
51 
        unset($___key___);
52 
        unset($___val___);
53 
}
54 
unset($xxx_go);