X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;ds=inline;f=inc%2Flibs%2Fsecurity_functions.php;h=8409e0c72742e092d8c91239b9052f21d21fa538;hb=fc58173ad036517148d2f17ad6e21cd756bb14e5;hp=fc61bdf3606196ff1896f4de63e57fa9bcfcc1dd;hpb=c8d76610eb94093d4eed4fcd8a6cb72e74c8f6d8;p=mailer.git diff --git a/inc/libs/security_functions.php b/inc/libs/security_functions.php index fc61bdf360..8409e0c727 100644 --- a/inc/libs/security_functions.php +++ b/inc/libs/security_functions.php @@ -16,8 +16,8 @@ * $Author:: $ * * -------------------------------------------------------------------- * * Copyright (c) 2003 - 2009 by Roland Haeder * - * Copyright (c) 2009, 2010 by Mailer Developer Team * - * For more information visit: http://www.mxchange.org * + * Copyright (c) 2009 - 2012 by Mailer Developer Team * + * For more information visit: http://mxchange.org * * * * This program is free software; you can redistribute it and/or modify * * it under the terms of the GNU General Public License as published by * @@ -36,7 +36,9 @@ ************************************************************************/ // Run only once this security check/replacement -if (defined('__SECURITY')) return; +if (defined('__SECURITY')) { + return; +} // END - if // Some security stuff... if (strpos($_SERVER['PHP_SELF'], basename(__FILE__)) !== false) { @@ -45,17 +47,20 @@ if (strpos($_SERVER['PHP_SELF'], basename(__FILE__)) !== false) { // Include ctracker, recommended place! //require_once('ctracker.php'); +//require_once('ipfilter.php'); /** * Function to secure input strings * - * @param $str The unsecured string - * @param $strip Strip tags - * @return $str A (hopefully) secured string against XSS and other bad things + * @param $str The unsecured string + * @param $stripTags Strip tags + * @return $str A (hopefully) secured string against XSS and other bad things */ -function secureString ($str, $strip = true, $encode = false) { +function secureString ($str, $stripTags = true, $encode = false) { // Shall we strip HTML code? - if ($strip === true) $str = strip_tags($str); + if ($stripTags === true) { + $str = strip_tags($str); + } // END - if // Trim string $str = trim($str); @@ -66,6 +71,9 @@ function secureString ($str, $strip = true, $encode = false) { $str = htmlentities($str, ENT_QUOTES); } // END - if + // Replace {,} with entities + $str = str_replace(array('{', '}'), array('{', '}'), $str); + // Return result return $str; } @@ -110,6 +118,16 @@ function securePhpSelf () { unset($phpSelfFile); } +/** + * Checks if PHP_VERSION is newer or equal to given version string + * + * @param $versionString A PHP'ized version string which shall be compared with PHP_VERSION + * @return $isEqualNewer Wether the given version string is equal or newer to PHP_VERSION + */ +function isPhpVersionEqualNewer ($versionString) { + return (version_compare(PHP_VERSION, $versionString, '>=')); +} + /** * Detects caching in PHP * @@ -117,7 +135,7 @@ function securePhpSelf () { */ function detectPhpCaching () { // Activate caching or transparent compressing when it is not already done - if (phpversion() >= '4.0.4pl1' && (strstr(getenv('HTTP_USER_AGENT'),'compatible') || (strstr(getenv('HTTP_USER_AGENT'), 'Mozilla')))) { + if ((isPhpVersionEqualNewer('4.0.4pl1')) && (strstr(getenv('HTTP_USER_AGENT'),'compatible') || (strstr(getenv('HTTP_USER_AGENT'), 'Mozilla')))) { if ((extension_loaded('zlib')) && (function_exists('ob_start'))) { // Start caching $GLOBALS['php_caching'] = 'on'; @@ -136,6 +154,14 @@ function detectPhpCaching () { ini_set('magic_quotes_runtime', false); ini_set('magic_quotes_gpc', false); // This may not work on some systems +/* + * No compatibility with Zend Engine 1, else an error like 'Implicit cloning' + * will be produced. + */ +if (isPhpVersionEqualNewer('5.0')) { + ini_set('zend.ze1_compatibility_mode', 'Off'); +} // END - if + // Check if important arrays are found and define them if missing if (!isset($_SERVER)) { global $_SERVER; @@ -155,7 +181,7 @@ if (!isset($_POST)) { // Generate arrays which holds the relevante chars to replace $GLOBALS['security_chars'] = array( // The chars we are looking for... - 'from' => array('/', '.', "'", '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--'), + 'from' => array('/', '.', chr(39), '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--', chr(92)), // ... and we will replace to. 'to' => array( '{SLASH}', @@ -173,14 +199,17 @@ $GLOBALS['security_chars'] = array( '{OPEN_INDEX}', '{CLOSE_INDEX}', '{DBL_DOT}', - '{COMMENT}' + '{COMMENT}', + '{BACKSLASH}' ), ); -// Characters allowed in URLs -// -// Note: Do not replace 'to' with 'from' and vise-versa! When you do this all booked URLs will be -// rejected because of the {SLASH}, {DOT} and all below listed items inside the URL. +/* + * Characters allowed in URLs + * + * Note: Do not replace 'to' with 'from' and vise-versa! When you do this all booked URLs will be + * rejected because of the {SLASH}, {DOT} and all below listed items inside the URL. + */ $GLOBALS['url_chars'] = array( // Search for these secured characters 'to' => array('{SLASH}', '{DOT}', '{PER}', '{DBL_DOT}', '{COMMENT}'), @@ -196,10 +225,7 @@ if (is_array($_GET)) { unset($_GET[$seckey]); } else { // Only variables are allowed (non-array) but we secure them all! - foreach ($GLOBALS['security_chars']['from'] as $key => $char) { - // Pass all through - $_GET[$seckey] = str_replace($char , $GLOBALS['security_chars']['to'][$key], $_GET[$seckey]); - } // END - foreach + $_GET[$seckey] = str_replace($GLOBALS['security_chars']['from'], $GLOBALS['security_chars']['to'], $_GET[$seckey]); // Strip all other out $_GET[$seckey] = secureString($_GET[$seckey]); @@ -207,6 +233,18 @@ if (is_array($_GET)) { } // END - foreach } // END - if +// Secure also $_POST data (only simple, no replace) +if (is_array($_POST)) { + // Secure only simple data + foreach ($_POST as $seckey => $secvalue) { + // Is it an array? + if (!is_array($secvalue)) { + // Strip all other out + $_POST[$seckey] = secureString($_POST[$seckey]); + } // END - if + } // END - foreach +} // END - if + // Detect PHP caching detectPhpCaching();