X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=inc%2Flibs%2Fsecurity_functions.php;h=10002eea7120000cc4ee52f429653b2919b17459;hb=6ab597cf6eeb82241f57ca7d13871338dbb9bcaa;hp=df3d5686b041a2c92d12329778be45f75d188291;hpb=90ea643fa8c32b94f6f5ed636730d87eb31bba6b;p=mailer.git diff --git a/inc/libs/security_functions.php b/inc/libs/security_functions.php index df3d5686b0..10002eea71 100644 --- a/inc/libs/security_functions.php +++ b/inc/libs/security_functions.php @@ -16,8 +16,8 @@ * $Author:: $ * * -------------------------------------------------------------------- * * Copyright (c) 2003 - 2009 by Roland Haeder * - * Copyright (c) 2009 - 2011 by Mailer Developer Team * - * For more information visit: http://www.mxchange.org * + * Copyright (c) 2009 - 2012 by Mailer Developer Team * + * For more information visit: http://mxchange.org * * * * This program is free software; you can redistribute it and/or modify * * it under the terms of the GNU General Public License as published by * @@ -41,33 +41,39 @@ if (defined('__SECURITY')) { } // END - if // Some security stuff... -if (strpos($_SERVER['PHP_SELF'], basename(__FILE__)) !== false) { +if (strpos($_SERVER['PHP_SELF'], basename(__FILE__)) !== FALSE) { die(); } // END - if // Include ctracker, recommended place! //require_once('ctracker.php'); +//require_once('ipfilter.php'); /** * Function to secure input strings * - * @param $str The unsecured string - * @param $strip Strip tags - * @return $str A (hopefully) secured string against XSS and other bad things + * @param $str The unsecured string + * @param $stripTags Strip tags + * @return $str A (hopefully) secured string against XSS and other bad things */ -function secureString ($str, $strip = true, $encode = false) { +function secureString ($str, $stripTags = TRUE, $encode = FALSE) { // Shall we strip HTML code? - if ($strip === true) $str = strip_tags($str); + if ($stripTags === TRUE) { + $str = strip_tags($str); + } // END - if // Trim string $str = trim($str); // Encode in entities if requested - if ($encode === true) { + if ($encode === TRUE) { // Encode in entities (this breakes UTF-8!) $str = htmlentities($str, ENT_QUOTES); } // END - if + // Replace {,} with entities + $str = str_replace(array('{', '}'), array('{', '}'), $str); + // Return result return $str; } @@ -92,7 +98,7 @@ function securePhpSelf () { $phpSelfFile = basename($_SERVER['PHP_SELF']); // Check for a .php inside the $phpSelfDirectory... - while (strpos($phpSelfDirectory, '.php') !== false) { + while (strpos($phpSelfDirectory, '.php') !== FALSE) { // Correct the dirname $phpSelfDirectory = substr($phpSelfDirectory, 0, (strpos($phpSelfDirectory, '.php') + 4)); // Rewrite filename... @@ -105,13 +111,23 @@ function securePhpSelf () { $_SERVER['PHP_SELF'] = $phpSelfDirectory . '/' . $phpSelfFile; // Did run... - $GLOBALS['php_self_secured'] = true; + $GLOBALS['php_self_secured'] = TRUE; // Remove uneccessary variables unset($phpSelfDirectory); unset($phpSelfFile); } +/** + * Checks if PHP_VERSION is newer or equal to given version string + * + * @param $versionString A PHP'ized version string which shall be compared with PHP_VERSION + * @return $isEqualNewer Wether the given version string is equal or newer to PHP_VERSION + */ +function isPhpVersionEqualNewer ($versionString) { + return (version_compare(PHP_VERSION, $versionString, '>=')); +} + /** * Detects caching in PHP * @@ -119,7 +135,7 @@ function securePhpSelf () { */ function detectPhpCaching () { // Activate caching or transparent compressing when it is not already done - if (phpversion() >= '4.0.4pl1' && (strstr(getenv('HTTP_USER_AGENT'),'compatible') || (strstr(getenv('HTTP_USER_AGENT'), 'Mozilla')))) { + if ((isPhpVersionEqualNewer('4.0.4pl1')) && (strstr(getenv('HTTP_USER_AGENT'),'compatible') || (strstr(getenv('HTTP_USER_AGENT'), 'Mozilla')))) { if ((extension_loaded('zlib')) && (function_exists('ob_start'))) { // Start caching $GLOBALS['php_caching'] = 'on'; @@ -135,12 +151,14 @@ function detectPhpCaching () { } // Runtime/GPC quoting is off now... -ini_set('magic_quotes_runtime', false); -ini_set('magic_quotes_gpc', false); // This may not work on some systems +ini_set('magic_quotes_runtime', FALSE); +ini_set('magic_quotes_gpc', FALSE); // This may not work on some systems -// No compatibility with Zend Engine 1, else an error like 'Implicit cloning' -// will be produced. -if (phpversion() >= '5.0') { +/* + * No compatibility with Zend Engine 1, else an error like 'Implicit cloning' + * will be produced. + */ +if (isPhpVersionEqualNewer('5.0')) { ini_set('zend.ze1_compatibility_mode', 'Off'); } // END - if @@ -163,7 +181,7 @@ if (!isset($_POST)) { // Generate arrays which holds the relevante chars to replace $GLOBALS['security_chars'] = array( // The chars we are looking for... - 'from' => array('/', '.', "'", '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--'), + 'from' => array('/', '.', chr(39), '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--', chr(92), chr(39), '<', '>'), // ... and we will replace to. 'to' => array( '{SLASH}', @@ -181,14 +199,20 @@ $GLOBALS['security_chars'] = array( '{OPEN_INDEX}', '{CLOSE_INDEX}', '{DBL_DOT}', - '{COMMENT}' + '{COMMENT}', + '{BACKSLASH}', + '{SQUOTE}', + '{OPEN_TAG}', + '{CLOSE_TAG}' ), ); -// Characters allowed in URLs -// -// Note: Do not replace 'to' with 'from' and vise-versa! When you do this all booked URLs will be -// rejected because of the {SLASH}, {DOT} and all below listed items inside the URL. +/* + * Characters allowed in booked URLs + * + * Note: Do not replace 'to' with 'from' and vise-versa! When you do this all booked URLs will be + * rejected because of the {SLASH}, {DOT} and all below listed items inside the URL. + */ $GLOBALS['url_chars'] = array( // Search for these secured characters 'to' => array('{SLASH}', '{DOT}', '{PER}', '{DBL_DOT}', '{COMMENT}'),