
  1. <?php
  2.  
// ATTENTION: This is a very simple XSS "firewall" that only looks for a couple of literal markers ("<svg", "<script").
// There are MANY other ways to carry out an XSS attack (other tags with event handlers, javascript: URIs, entity-encoded
// payloads, ...), so do NOT rely on this script. It is defence in depth at best; context-aware output encoding in the
// application remains mandatory.
  4.  
  5. $xxx_vts_prepend_config = array();
  6. if (file_exists($xxx_vts_prepend_config_file = __DIR__.'/../config.local.php')) include $xxx_vts_prepend_config_file;
  7. unset($xxx_vts_prepend_config_file);
  8. $xxx_directories_need_anti_xss = $xxx_vts_prepend_config['directories_need_anti_xss'] ?? array(); /* @phpstan-ignore-line */
  9. unset($xxx_vts_prepend_config);
  10.  
  11. function ___check_xss___($str) {
  12.         $ary = is_array($str) ? $str : array($str);
  13.         foreach ($ary as $str) {
  14.                 if (!is_string($str)) continue;
  15.                 if ((stripos($str, '<svg') !== false) || (stripos($str, '<script') !== false)) {
  16.                         #@header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error', true, 500);
  17.                         @header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request', true, 400);
  18.                         die('There is a problem with the data you have entered. Please write us an email if you think you received this message in error. info at viathinksoft.de');
  19.                 }
  20.         }
  21. }
  22.  
  23. // ---
  24.  
  25. $xxx_go = false;
  26. foreach ($xxx_directories_need_anti_xss as $xxx_directory_need_anti_xss) { /* @phpstan-ignore-line */
  27.         if ($xxx_negate = (substr($xxx_directory_need_anti_xss,0,1) === '!')) {
  28.                 $xxx_directory_need_anti_xss = substr($xxx_directory_need_anti_xss,1);
  29.         }
  30.         if (strpos($_SERVER['SCRIPT_FILENAME'], $xxx_directory_need_anti_xss) === 0) {
  31.                 $xxx_go = !$xxx_negate;
  32.         }
  33.         if (strpos($_SERVER['PWD'] ?? '', $xxx_directory_need_anti_xss) === 0) {
  34.                 $xxx_go = !$xxx_negate;
  35.         }
  36. }
  37. unset($xxx_directories_need_anti_xss);
  38. unset($xxx_directory_need_anti_xss);
  39.  
  40. if ($xxx_go) { /* @phpstan-ignore-line */
  41.         if (isset($_SERVER['REQUEST_URI'])) ___check_xss___($_SERVER['REQUEST_URI']);
  42.         if (isset($_SERVER['QUERY_STRING'])) ___check_xss___($_SERVER['QUERY_STRING']);
  43.         if (isset($_SERVER['SCRIPT_URI'])) ___check_xss___($_SERVER['SCRIPT_URI']);
  44.         if (isset($_SERVER['SCRIPT_URL'])) ___check_xss___($_SERVER['SCRIPT_URL']);
  45.         if (isset($_SERVER['PHP_SELF'])) ___check_xss___($_SERVER['PHP_SELF']);
  46.  
  47.         # Warum so viele ___ ? Damit man auf keinen Fall ein GET/POST Argument mit diesen Variablen überschreibt!
  48.         foreach ($_REQUEST as $___key___ => $___val___) {
  49.                 ___check_xss___($___val___);
  50.         }
  51.         unset($___key___);
  52.         unset($___val___);
  53. }
  54. unset($xxx_go);
  55.