1 | <?php |
1 | <?php |
2 | 2 | ||
3 | // ATTENTION: This is a very simple XSS "Firewall". There ARE many other ways to do an XSS attack, so please don't rely on this script! |
3 | // ATTENTION: This is a very simple XSS "Firewall". There ARE many other ways to do an XSS attack, so please don't rely on this script! |
4 | 4 | ||
5 | $xxx_vts_prepend_config = array(); |
5 | $xxx_vts_prepend_config = array(); |
6 | if (file_exists($xxx_vts_prepend_config_file = __DIR__.'/../config.local.php')) include $xxx_vts_prepend_config_file; |
6 | if (file_exists($xxx_vts_prepend_config_file = __DIR__.'/../config.local.php')) include $xxx_vts_prepend_config_file; |
7 | unset($xxx_vts_prepend_config_file); |
7 | unset($xxx_vts_prepend_config_file); |
8 | $xxx_directories_need_anti_xss = $xxx_vts_prepend_config['directories_need_anti_xss'] ?? array(); /* @phpstan-ignore-line */ |
8 | $xxx_directories_need_anti_xss = $xxx_vts_prepend_config['directories_need_anti_xss'] ?? array(); /* @phpstan-ignore-line */ |
9 | unset($xxx_vts_prepend_config); |
9 | unset($xxx_vts_prepend_config); |
10 | 10 | ||
11 | function ___check_xss___($str) { |
11 | function ___check_xss___($str) { |
12 | $ary = is_array($str) ? $str : array($str); |
12 | $ary = is_array($str) ? $str : array($str); |
13 | foreach ($ary as $str) { |
13 | foreach ($ary as $str) { |
14 | if (!is_string($str)) continue; |
14 | if (!is_string($str)) continue; |
15 | if ((stripos($str, '<svg') !== false) || (stripos($str, '<script') !== false)) { |
15 | if ((stripos($str, '<svg') !== false) || (stripos($str, '<script') !== false)) { |
16 | #@header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error', true, 500); |
16 | #@header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error', true, 500); |
17 | @header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request', true, 400); |
17 | @header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request', true, 400); |
18 | die('There is a problem with the data you have entered. Please write us an email if you think you received this message in error. info at viathinksoft.de'); |
18 | die('There is a problem with the data you have entered. Please write us an email if you think you received this message in error. info at viathinksoft.de'); |
19 | } |
19 | } |
20 | } |
20 | } |
21 | } |
21 | } |
22 | 22 | ||
23 | // --- |
23 | // --- |
24 | 24 | ||
25 | $xxx_go = false; |
25 | $xxx_go = false; |
26 | foreach ($xxx_directories_need_anti_xss as $xxx_directory_need_anti_xss) { /* @phpstan-ignore-line */ |
26 | foreach ($xxx_directories_need_anti_xss as $xxx_directory_need_anti_xss) { /* @phpstan-ignore-line */ |
27 | if ($xxx_negate = (substr($xxx_directory_need_anti_xss,0,1) === '!')) { |
27 | if ($xxx_negate = (substr($xxx_directory_need_anti_xss,0,1) === '!')) { |
28 | $xxx_directory_need_anti_xss = substr($xxx_directory_need_anti_xss,1); |
28 | $xxx_directory_need_anti_xss = substr($xxx_directory_need_anti_xss,1); |
29 | } |
29 | } |
30 | if (strpos($_SERVER['SCRIPT_FILENAME'], $xxx_directory_need_anti_xss) === 0) { |
30 | if (strpos($_SERVER['SCRIPT_FILENAME']??'', $xxx_directory_need_anti_xss) === 0) { |
31 | $xxx_go = !$xxx_negate; |
31 | $xxx_go = !$xxx_negate; |
32 | } |
32 | } |
33 | if (strpos($_SERVER['PWD'] ?? '', $xxx_directory_need_anti_xss) === 0) { |
33 | if (strpos(rtrim($_SERVER['PWD']??'',DIRECTORY_SEPARATOR), rtrim($xxx_directory_need_anti_xss,DIRECTORY_SEPARATOR)) === 0) { |
34 | $xxx_go = !$xxx_negate; |
34 | $xxx_go = !$xxx_negate; |
35 | } |
35 | } |
36 | } |
36 | } |
37 | unset($xxx_directories_need_anti_xss); |
37 | unset($xxx_directories_need_anti_xss); |
38 | unset($xxx_directory_need_anti_xss); |
38 | unset($xxx_directory_need_anti_xss); |
39 | 39 | ||
40 | if ($xxx_go) { /* @phpstan-ignore-line */ |
40 | if ($xxx_go) { /* @phpstan-ignore-line */ |
41 | if (isset($_SERVER['REQUEST_URI'])) ___check_xss___($_SERVER['REQUEST_URI']); |
41 | if (isset($_SERVER['REQUEST_URI'])) ___check_xss___($_SERVER['REQUEST_URI']); |
42 | if (isset($_SERVER['QUERY_STRING'])) ___check_xss___($_SERVER['QUERY_STRING']); |
42 | if (isset($_SERVER['QUERY_STRING'])) ___check_xss___($_SERVER['QUERY_STRING']); |
43 | if (isset($_SERVER['SCRIPT_URI'])) ___check_xss___($_SERVER['SCRIPT_URI']); |
43 | if (isset($_SERVER['SCRIPT_URI'])) ___check_xss___($_SERVER['SCRIPT_URI']); |
44 | if (isset($_SERVER['SCRIPT_URL'])) ___check_xss___($_SERVER['SCRIPT_URL']); |
44 | if (isset($_SERVER['SCRIPT_URL'])) ___check_xss___($_SERVER['SCRIPT_URL']); |
45 | if (isset($_SERVER['PHP_SELF'])) ___check_xss___($_SERVER['PHP_SELF']); |
45 | if (isset($_SERVER['PHP_SELF'])) ___check_xss___($_SERVER['PHP_SELF']); |
46 | 46 | ||
47 | # Warum so viele ___ ? Damit man auf keinen Fall ein GET/POST Argument mit diesen Variablen überschreibt! |
47 | # Warum so viele ___ ? Damit man auf keinen Fall ein GET/POST Argument mit diesen Variablen überschreibt! |
48 | foreach ($_REQUEST as $___key___ => $___val___) { |
48 | foreach ($_REQUEST as $___key___ => $___val___) { |
49 | ___check_xss___($___val___); |
49 | ___check_xss___($___val___); |
50 | } |
50 | } |
51 | unset($___key___); |
51 | unset($___key___); |
52 | unset($___val___); |
52 | unset($___val___); |
53 | } |
53 | } |
54 | unset($xxx_go); |
54 | unset($xxx_go); |
55 | 55 |
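Review bot: The new line 33 still does a bare prefix match, so after the `rtrim` a configured `/srv/app` also matches a working directory of `/srv/app2` or `/srv/app-old`; line 30 has the same problem with `SCRIPT_FILENAME`. Appending a separator to both sides turns the prefix test into a directory-boundary test, e.g. `$xxx_dir = rtrim($xxx_directory_need_anti_xss, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;` and `if (strpos(rtrim($_SERVER['PWD'] ?? '', DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR, $xxx_dir) === 0) {`. That form also keeps a configured `/` meaningful: as written, `rtrim('/', DIRECTORY_SEPARATOR)` yields an empty needle, which on PHP 8 makes `strpos` return 0 for every path (and on PHP 7 returns false with a warning), so the behaviour of a root entry silently depends on the PHP version. A one-line comment on the loop at line 26 stating that entries are compared as directory prefixes and that later entries override earlier ones (including `!` negations) would help, since the final value of `$xxx_go` is order-dependent.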