Subversion Repositories prepend

Rev

Rev 12 | Rev 14 | Go to most recent revision | Blame | Compare with Previous | Last modification | View Log | RSS feed

  1. <?php
  2.  
  3. // ATTENTION: This is a very simple XSS "Firewall". There ARE many other ways to do an XSS attack, so please don't rely on this script!
  4.  
  5. $xxx_vts_prepend_config = array();
  6. if (file_exists($xxx_vts_prepend_config_file = __DIR__.'/../config.local.php')) include $xxx_vts_prepend_config_file;
  7. unset($xxx_vts_prepend_config_file);
  8. $xxx_directories_need_anti_xss = $xxx_vts_prepend_config['directories_need_anti_xss'] ?? array(); /* @phpstan-ignore-line */
  9. unset($xxx_vts_prepend_config);
  10.  
  11. function ___check_xss___($str) {
  12.         $ary = is_array($str) ? $str : array($str);
  13.         foreach ($ary as $str) {
  14.                 if ((stripos($str, '<svg') !== false) || (stripos($str, '<script') !== false)) {
  15.                         #@header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error', true, 500);
  16.                         @header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request', true, 400);
  17.                         die('There is a problem with the data you have entered. Please write us an email if you think you received this message in error. info at viathinksoft.de');
  18.                 }
  19.         }
  20. }
  21.  
  22. // ---
  23.  
  24. $xxx_go = false;
  25. foreach ($xxx_directories_need_anti_xss as $xxx_directory_need_anti_xss) { /* @phpstan-ignore-line */
  26.         if ($xxx_negate = (substr($xxx_directory_need_anti_xss,0,1) === '!')) {
  27.                 $xxx_directory_need_anti_xss = substr($xxx_directory_need_anti_xss,1);
  28.         }
  29.         if (strpos($_SERVER['SCRIPT_FILENAME'], $xxx_directory_need_anti_xss) === 0) {
  30.                 $xxx_go = !$xxx_negate;
  31.         }
  32.         if (strpos($_SERVER['PWD'] ?? '', $xxx_directory_need_anti_xss) === 0) {
  33.                 $xxx_go = !$xxx_negate;
  34.         }
  35. }
  36. unset($xxx_directories_need_anti_xss);
  37. unset($xxx_directory_need_anti_xss);
  38.  
  39. if ($xxx_go) { /* @phpstan-ignore-line */
  40.         if (isset($_SERVER['REQUEST_URI'])) ___check_xss___($_SERVER['REQUEST_URI']);
  41.         if (isset($_SERVER['QUERY_STRING'])) ___check_xss___($_SERVER['QUERY_STRING']);
  42.         if (isset($_SERVER['SCRIPT_URI'])) ___check_xss___($_SERVER['SCRIPT_URI']);
  43.         if (isset($_SERVER['SCRIPT_URL'])) ___check_xss___($_SERVER['SCRIPT_URL']);
  44.         if (isset($_SERVER['PHP_SELF'])) ___check_xss___($_SERVER['PHP_SELF']);
  45.  
  46.         # Warum so viele ___ ? Damit man auf keinen Fall ein GET/POST Argument mit diesen Variablen überschreibt!
  47.         foreach ($_REQUEST as $___key___ => $___val___) {
  48.                 ___check_xss___($___val___);
  49.         }
  50.         unset($___key___);
  51.         unset($___val___);
  52. }
  53. unset($xxx_go);
  54.