Subversion Repositories php_utils

Compare Revisions

Regard whitespace Rev 6 → Rev 7

/trunk/VtsBrowserDownload.class.php
0,0 → 1,153
<?php
 
/*
* VtsBrowserDownload.class.php
* Copyright 2021 Daniel Marschall, ViaThinkSoft
* Revision: 2021-05-21
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
 
class VtsBrowserDownload {
 
private static function wellKnownInlineFile($file_extension) {
// Windows Firefox: Browser decided wheater to display or download by looking at the mime type (inline disposition with explicit filename works)
// Windows Chrome: Browser decided wheater to display or download by looking at the mime type (inline disposition with explicit filename DOES NOT WORK)
 
//$file_extension = strtolower($file_extension);
//$array_listen = array('txt', 'mp3', 'wav', 'mid', 'ogg', 'pdf', 'avi', 'mov', 'mp4', 'mpeg', 'mpg', 'swf', 'gif', 'jpg', 'jpeg', 'png');
//return in_array($file_extension, $array_listen);
 
return true;
}
 
private static function getMimeType($file_extension) {
$file_extension = strtolower($file_extension);
return VtsFileTypeDetect::getMimeType('dummy.'.$file_extension);
}
 
public static function output_file($file, $mime_type='', $inline_mode=2/*2=auto*/) {
// Partitally taken from:
// - https://stackoverflow.com/a/13821992/488539
// - https://stackoverflow.com/a/32885706/488539
 
if (connection_status() != 0) return false;
 
$file_extension = pathinfo($file, PATHINFO_EXTENSION);
 
if(!is_readable($file)) throw new Exception('File not found or inaccessible!');
$size = filesize($file);
$name = rawurldecode(basename($file));
 
if ($mime_type == '') {
$mime_type = self::getMimeType($file_extension);
if (!$mime_type) $mime_type='application/force-download';
}
 
 
 
while (ob_get_level() > 0) @ob_end_clean();
 
switch ($inline_mode) {
 
case 0:
$disposition = 'attachment';
break;
 
case 1:
$disposition = 'inline';
break;
 
case 2:
$disposition = self::wellKnownInlineFile($file_extension) ? 'inline' : 'attachment';
break;
 
default:
throw new Exception('Invalid value for inline_mode');
}
 
if(ini_get('zlib.output_compression')){
ini_set('zlib.output_compression', 'Off');
}
header('Content-Type: ' . $mime_type);
 
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? strtoupper($_SERVER['HTTP_USER_AGENT']) : '';
if (strstr($ua, 'MSIE')) {
$name_msie = preg_replace('/\./', '%2e', $name, substr_count($name, '.') - 1);
header('Content-Disposition: '.$disposition.';filename="'.$name_msie.'"');
} else if (strstr($ua, 'FIREFOX')) {
// TODO: Implement "encodeRFC5987ValueChars" described at https://developer.mozilla.org/de/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent ?
header('Content-Disposition: '.$disposition.';filename*="UTF-8\'\''.utf8_encode($name).'"');
} else {
// Note: There is possibly a bug in Google Chrome: https://stackoverflow.com/questions/61866508/chrome-ignores-content-disposition-filename
header('Content-Disposition: '.$disposition.';filename="'.$name.'"');
}
 
header('Content-Transfer-Encoding: binary');
header('Accept-Ranges: bytes');
header('Cache-Control: public');
 
if (isset($_SERVER['HTTP_RANGE'])) {
list($a, $range) = explode("=",$_SERVER['HTTP_RANGE'],2);
list($range) = explode(",",$range,2);
list($range, $range_end) = explode("-", $range);
$range=intval($range);
if(!$range_end) {
$range_end=$size-1;
} else {
$range_end=intval($range_end);
}
 
$new_length = $range_end-$range+1;
header("HTTP/1.1 206 Partial Content");
header("Content-Length: $new_length");
header("Content-Range: bytes $range-$range_end/$size");
} else {
$range = 0;
$etag = md5_file($file);
header("Etag: $etag");
if (isset($_SERVER['HTTP_IF_NONE_MATCH']) && (trim($_SERVER['HTTP_IF_NONE_MATCH']) == $etag)) {
header("HTTP/1.1 304 Not Modified");
return true;
}
 
$new_length=$size;
header("Content-Length: ".$size);
header('Content-MD5: '.$etag); // RFC 2616 clause 14.15
}
 
set_time_limit(0);
 
$chunksize = 1*(1024*1024);
$bytes_send = 0;
if ($file = fopen($file, 'r')) {
if(isset($_SERVER['HTTP_RANGE']))
fseek($file, $range);
 
while(!feof($file) &&
(!connection_aborted()) && // connection_status() == 0
($bytes_send<$new_length))
{
$buffer = fread($file, $chunksize);
echo($buffer);
flush();
$bytes_send += strlen($buffer);
}
fclose($file);
} else {
throw new Exception("Cannot open file $file");
}
return((connection_status() == 0) and !connection_aborted());
}
 
}
/trunk/anti_xss.php
0,0 → 1,85
<?php
 
/*
* Anti XSS
* Copyright 2019 Daniel Marschall, ViaThinkSoft
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
 
// This function prevents XSS, while still allowing the usage of HTML
function anti_xss($str, $forbidden_tags=array('script','base','meta','link')) {
// Avoid usage of <script tags, but still allow tags that might
// have the prefix forbidden tagname as prefix (useful if you want
// to block other tags other than "script").
// $str = preg_replace('@<(/{0,1}script[^a-zA-Z])@i', '&lt;\\1', $str);
foreach ($forbidden_tags as $tagname) {
if ($tagname == '*') {
$str = str_replace('<', '&lt;', $str);
} else {
$str = preg_replace('@<(/{0,1}'.preg_quote($tagname,'@').'[^a-zA-Z])@i', '&lt;\\1', $str);
}
}
 
if (preg_grep('@^script$@i' , $forbidden_tags)) {
// (1) Avoid stuff like a href="javascript:"
$str = preg_replace('@(javascript|livescript|vbscript)\s*:@im', '\\1<!-- -->:', $str);
 
// (2) Avoid injection of JavaScript events like onload=, but still allow HTML tags that might start with <on...
$str = preg_replace('@O([nN][a-zA-Z]+\s*=)@m', '&#x4F;\\1', $str);
$str = preg_replace('@o([nN][a-zA-Z]+\s*=)@m', '&#x6F;\\1', $str);
}
 
return $str;
}
 
 
 
# Some testcases
#echo anti_xss('hallo welt <script>alert(1)</script>');
#echo anti_xss('<svg onload'."\n\n\r\t".'="alert(1)" src=""></svg><online></online> on august ONLINE');
#echo anti_xss('<svg/onload=alert(\'XSS\')>');
#echo '<a href="'.anti_xss('" onclick="alert(1)').'">Click me</a>';
#echo anti_xss('<a href="">foo</a> <abc>xxx</abc>', array('a'));
#echo anti_xss('<a href="">foo</a> <abc>xxx</abc>', array('*'));
#echo anti_xss("<a href=\"JaVaScRiPt:alert('XSS')\">foobar</a> <pre>JavaScript: is cool</pre>");
#echo anti_xss("<a href=\"JaVaScRiPt : alert('XSS')\">foobar</a> <pre>JavaScript : is cool</pre>");
#echo anti_xss("<a href=\"#\" onclick=\"vbscript:msgbox(\"XSS\")\">foobar</a> <pre>VbScript: is cool</pre>");
#echo anti_xss('<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(\'XSS\')</SCRIPT>">');
 
# Currently we don't support these XSS vectors. But I am unsure if they work at all, in modern browsers
#echo anti_xss('<BR SIZE="&{alert(\'XSS\')}">');
#echo anti_xss('<a href="" onclick="java&#x0d;script:alert(\'1\')">bla</a>');
 
# Currently we are vulnerable to this vectors
# (does not work with Chrome)
#echo anti_xss('<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>');
#echo anti_xss('<IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">'); // only IE
 
# TODO: find more vectors from cheat sheets
# https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
 
/*
if (isset($_POST['blabla'])) {
echo anti_xss($_POST['blabla']);
#echo $_POST['blabla'];
} else {
 
echo '<form method="POST" action="anti_xss.php">';
#echo '<textarea name="blabla">'.$_POST['blabla'].'</textarea>';
echo '<textarea name="blabla"></textarea>';
echo '<input type="submit">';
echo '</form>';
}
*/
 
/trunk/htmlentities_compat.inc.php
0,0 → 1,41
<?php
 
/*
* HtmlEntities compatibility functions
* Copyright 2019 Daniel Marschall, ViaThinkSoft
* Version 2019-11-18
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
 
# http://www.ufive.unibe.ch/index.php?c=php54entitiesfix&l=de
# This workaround is not required with PHP 5.6+, since htmlentities() now uses the default encoding charset as default parameter value
 
if (!function_exists('compat_htmlspecialchars')) {
function compat_htmlspecialchars($string, $ent=ENT_COMPAT, $charset='ISO-8859-1') {
return htmlspecialchars($string, $ent, $charset);
}
}
 
if (!function_exists('compat_htmlentities')) {
function compat_htmlentities($string, $ent=ENT_COMPAT, $charset='ISO-8859-1') {
return htmlentities($string, $ent, $charset);
}
}
 
if (!function_exists('compat_html_entity_decode')) {
function compat_html_entity_decode($string, $ent=ENT_COMPAT, $charset='ISO-8859-1') {
return html_entity_decode($string, $ent, $charset);
}
}