X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=inc%2Flibs%2Fsecurity_functions.php;h=b1cce1c5b323b30827b90b452d01bf66ae9f226e;hb=4cf6094cc3cbebfda691fa797e00fe674bbb329c;hp=7309965b5b7b80cd4675122411d3b927afa36333;hpb=e995a896255f853ea731a602a6f4902878f16980;p=mailer.git diff --git a/inc/libs/security_functions.php b/inc/libs/security_functions.php index 7309965b5b..b1cce1c5b3 100644 --- a/inc/libs/security_functions.php +++ b/inc/libs/security_functions.php @@ -14,12 +14,10 @@ * $Date:: $ * * $Tag:: 0.2.1-FINAL $ * * $Author:: $ * - * Needs to be in all Files and every File needs "svn propset * - * svn:keywords Date Revision" (autoprobset!) at least!!!!!! * * -------------------------------------------------------------------- * * Copyright (c) 2003 - 2009 by Roland Haeder * - * Copyright (c) 2009, 2010 by Mailer Developer Team * - * For more information visit: http://www.mxchange.org * + * Copyright (c) 2009 - 2011 by Mailer Developer Team * + * For more information visit: http://mxchange.org * * * * This program is free software; you can redistribute it and/or modify * * it under the terms of the GNU General Public License as published by * @@ -38,13 +36,18 @@ ************************************************************************/ // Run only once this security check/replacement -if (defined('__SECURITY')) return; +if (defined('__SECURITY')) { + return; +} // END - if // Some security stuff... if (strpos($_SERVER['PHP_SELF'], basename(__FILE__)) !== false) { die(); } // END - if +// Include ctracker, recommended place! +//require_once('ctracker.php'); + /** * Function to secure input strings * @@ -89,7 +92,7 @@ function securePhpSelf () { $phpSelfFile = basename($_SERVER['PHP_SELF']); // Check for a .php inside the $phpSelfDirectory... - while (ereg('.php', $phpSelfDirectory)) { + while (strpos($phpSelfDirectory, '.php') !== false) { // Correct the dirname $phpSelfDirectory = substr($phpSelfDirectory, 0, (strpos($phpSelfDirectory, '.php') + 4)); // Rewrite filename... @@ -132,9 +135,15 @@ function detectPhpCaching () { } // Runtime/GPC quoting is off now... -set_magic_quotes_runtime(false); +ini_set('magic_quotes_runtime', false); ini_set('magic_quotes_gpc', false); // This may not work on some systems +// No compatibility with Zend Engine 1, else an error like 'Implicit cloning' +// will be produced. +if (phpversion() >= '5.0') { + ini_set('zend.ze1_compatibility_mode', 'Off'); +} // END - if + // Check if important arrays are found and define them if missing if (!isset($_SERVER)) { global $_SERVER; @@ -151,17 +160,12 @@ if (!isset($_POST)) { $_POST = $GLOBALS['_POST']; } // END - if -// Include IP-Filter here -//include("/usr/share/php/ipfilter.php"); - // Generate arrays which holds the relevante chars to replace $GLOBALS['security_chars'] = array( // The chars we are looking for... - 'from' => array('{', '}', '/', '.', "'", '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--'), + 'from' => array('/', '.', "'", '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--', "\\"), // ... and we will replace to. 'to' => array( - '{OPEN_ANCHOR2}', - '{CLOSE_ANCHOR2}', '{SLASH}', '{DOT}', '{QUOT}', @@ -177,7 +181,8 @@ $GLOBALS['security_chars'] = array( '{OPEN_INDEX}', '{CLOSE_INDEX}', '{DBL_DOT}', - '{COMMENT}' + '{COMMENT}', + '{BACKSLASH}' ), ); @@ -200,10 +205,7 @@ if (is_array($_GET)) { unset($_GET[$seckey]); } else { // Only variables are allowed (non-array) but we secure them all! - foreach ($GLOBALS['security_chars']['from'] as $key => $char) { - // Pass all through - $_GET[$seckey] = str_replace($char , $GLOBALS['security_chars']['to'][$key], $_GET[$seckey]); - } // END - foreach + $_GET[$seckey] = str_replace($GLOBALS['security_chars']['from'], $GLOBALS['security_chars']['to'], $_GET[$seckey]); // Strip all other out $_GET[$seckey] = secureString($_GET[$seckey]); @@ -211,6 +213,18 @@ if (is_array($_GET)) { } // END - foreach } // END - if +// Secure also $_POST data (only simple, no replace) +if (is_array($_POST)) { + // Secure only simple data + foreach ($_POST as $seckey => $secvalue) { + // Is it an array? + if (!is_array($secvalue)) { + // Strip all other out + $_POST[$seckey] = secureString($_POST[$seckey]); + } // END - if + } // END - foreach +} // END - if + // Detect PHP caching detectPhpCaching();