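--- a/[PATH-PLACEHOLDER]
+++ b/[PATH-PLACEHOLDER]
@@ -1,55 +1,55 @@
 <?php
 
 // ATTENTION: This is a very simple XSS "Firewall". There ARE many other ways to do an XSS attack, so please don't rely on this script!
 
 $xxx_vts_prepend_config = array();
 if (file_exists($xxx_vts_prepend_config_file = __DIR__.'/../config.local.php')) include $xxx_vts_prepend_config_file;
 unset($xxx_vts_prepend_config_file);
 $xxx_directories_need_anti_xss = $xxx_vts_prepend_config['directories_need_anti_xss'] ?? array(); /* @phpstan-ignore-line */
 unset($xxx_vts_prepend_config);
 
 function ___check_xss___($str) {
         $ary = is_array($str) ? $str : array($str);
         foreach ($ary as $str) {
                 if (!is_string($str)) continue;
                 if ((stripos($str, '<svg') !== false) || (stripos($str, '<script') !== false)) {
                         #@header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error', true, 500);
                         @header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request', true, 400);
                         die('There is a problem with the data you have entered. Please write us an email if you think you received this message in error. info at viathinksoft.de');
                 }
         }
 }
 
 // ---
 
 $xxx_go = false;
 foreach ($xxx_directories_need_anti_xss as $xxx_directory_need_anti_xss) { /* @phpstan-ignore-line */
         if ($xxx_negate = (substr($xxx_directory_need_anti_xss,0,1) === '!')) {
                 $xxx_directory_need_anti_xss = substr($xxx_directory_need_anti_xss,1);
         }
-        if (strpos($_SERVER['SCRIPT_FILENAME'], $xxx_directory_need_anti_xss) === 0) {
+        if (strpos($_SERVER['SCRIPT_FILENAME']??'', $xxx_directory_need_anti_xss) === 0) {
                 $xxx_go = !$xxx_negate;
         }
-        if (strpos($_SERVER['PWD'] ?? '', $xxx_directory_need_anti_xss) === 0) {
+        if (strpos(rtrim($_SERVER['PWD']??'',DIRECTORY_SEPARATOR), rtrim($xxx_directory_need_anti_xss,DIRECTORY_SEPARATOR)) === 0) {
                 $xxx_go = !$xxx_negate;
         }
 }
 unset($xxx_directories_need_anti_xss);
 unset($xxx_directory_need_anti_xss);
 
 if ($xxx_go) { /* @phpstan-ignore-line */
         if (isset($_SERVER['REQUEST_URI'])) ___check_xss___($_SERVER['REQUEST_URI']);
         if (isset($_SERVER['QUERY_STRING'])) ___check_xss___($_SERVER['QUERY_STRING']);
         if (isset($_SERVER['SCRIPT_URI'])) ___check_xss___($_SERVER['SCRIPT_URI']);
         if (isset($_SERVER['SCRIPT_URL'])) ___check_xss___($_SERVER['SCRIPT_URL']);
         if (isset($_SERVER['PHP_SELF'])) ___check_xss___($_SERVER['PHP_SELF']);
 
         # Warum so viele ___ ? Damit man auf keinen Fall ein GET/POST Argument mit diesen Variablen überschreibt!
         foreach ($_REQUEST as $___key___ => $___val___) {
                 ___check_xss___($___val___);
         }
         unset($___key___);
         unset($___val___);
 }
 unset($xxx_go);
 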
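Review bot: The new `rtrim()` on the config entry in the PWD check (line 33) can reduce an entry of `/` or `!/` to the empty string, and on PHP 8 `strpos($haystack, '') === 0` holds for every haystack, so such an entry would switch the filter on (or, negated, off) for every working directory rather than being ignored. Guarding the trimmed entry before the comparison, e.g. `if ($xxx_directory_need_anti_xss === '') continue;` placed after the `!` handling, closes that gap for both the SCRIPT_FILENAME and the PWD comparison. Both checks also remain plain string-prefix matches, so an entry like `/var/www/app` still matches `/var/www/app2`; if component-wise matching is intended, appending `DIRECTORY_SEPARATOR` to the trimmed needle and to the haystack before comparing would give that, though that is a behavioural change beyond this revision. The enclosing `foreach` lies entirely within this section.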