X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=inc%2Flibs%2Fsecurity_functions.php;h=e2568b5c3c4261fa292e690566ae995e4d56d255;hb=c6e467582761f7d6e4eb2d140c9dd4ee6b8845a7;hp=7309965b5b7b80cd4675122411d3b927afa36333;hpb=68808513bae244881b38640d307d907535c676b9;p=mailer.git diff --git a/inc/libs/security_functions.php b/inc/libs/security_functions.php index 7309965b5b..e2568b5c3c 100644 --- a/inc/libs/security_functions.php +++ b/inc/libs/security_functions.php @@ -14,12 +14,10 @@ * $Date:: $ * * $Tag:: 0.2.1-FINAL $ * * $Author:: $ * - * Needs to be in all Files and every File needs "svn propset * - * svn:keywords Date Revision" (autoprobset!) at least!!!!!! * * -------------------------------------------------------------------- * * Copyright (c) 2003 - 2009 by Roland Haeder * - * Copyright (c) 2009, 2010 by Mailer Developer Team * - * For more information visit: http://www.mxchange.org * + * Copyright (c) 2009 - 2013 by Mailer Developer Team * + * For more information visit: http://mxchange.org * * * * This program is free software; you can redistribute it and/or modify * * it under the terms of the GNU General Public License as published by * @@ -38,33 +36,44 @@ ************************************************************************/ // Run only once this security check/replacement -if (defined('__SECURITY')) return; +if (defined('__SECURITY')) { + return; +} // END - if // Some security stuff... -if (strpos($_SERVER['PHP_SELF'], basename(__FILE__)) !== false) { +if (strpos($_SERVER['PHP_SELF'], basename(__FILE__)) !== FALSE) { die(); } // END - if +// Include ctracker, recommended place! +//require_once('ctracker.php'); +//require_once('ipfilter.php'); + /** * Function to secure input strings * - * @param $str The unsecured string - * @param $strip Strip tags - * @return $str A (hopefully) secured string against XSS and other bad things + * @param $str The unsecured string + * @param $stripTags Strip tags + * @return $str A (hopefully) secured string against XSS and other bad things */ -function secureString ($str, $strip = true, $encode = false) { +function secureString ($str, $stripTags = TRUE, $encode = FALSE) { // Shall we strip HTML code? - if ($strip === true) $str = strip_tags($str); + if ($stripTags === TRUE) { + $str = strip_tags($str); + } // END - if // Trim string $str = trim($str); // Encode in entities if requested - if ($encode === true) { + if ($encode === TRUE) { // Encode in entities (this breakes UTF-8!) $str = htmlentities($str, ENT_QUOTES); } // END - if + // Replace {,} with entities + $str = str_replace(array('{', '}'), array('{', '}'), $str); + // Return result return $str; } @@ -89,7 +98,7 @@ function securePhpSelf () { $phpSelfFile = basename($_SERVER['PHP_SELF']); // Check for a .php inside the $phpSelfDirectory... - while (ereg('.php', $phpSelfDirectory)) { + while (strpos($phpSelfDirectory, '.php') !== FALSE) { // Correct the dirname $phpSelfDirectory = substr($phpSelfDirectory, 0, (strpos($phpSelfDirectory, '.php') + 4)); // Rewrite filename... @@ -102,13 +111,23 @@ function securePhpSelf () { $_SERVER['PHP_SELF'] = $phpSelfDirectory . '/' . $phpSelfFile; // Did run... - $GLOBALS['php_self_secured'] = true; + $GLOBALS['php_self_secured'] = TRUE; // Remove uneccessary variables unset($phpSelfDirectory); unset($phpSelfFile); } +/** + * Checks if PHP_VERSION is newer or equal to given version string + * + * @param $versionString A PHP'ized version string which shall be compared with PHP_VERSION + * @return $isEqualNewer Wether the given version string is equal or newer to PHP_VERSION + */ +function isPhpVersionEqualNewer ($versionString) { + return (version_compare(PHP_VERSION, $versionString, '>=')); +} + /** * Detects caching in PHP * @@ -116,7 +135,7 @@ function securePhpSelf () { */ function detectPhpCaching () { // Activate caching or transparent compressing when it is not already done - if (phpversion() >= '4.0.4pl1' && (strstr(getenv('HTTP_USER_AGENT'),'compatible') || (strstr(getenv('HTTP_USER_AGENT'), 'Mozilla')))) { + if ((isPhpVersionEqualNewer('4.0.4pl1')) && (strstr(getenv('HTTP_USER_AGENT'),'compatible') || (strstr(getenv('HTTP_USER_AGENT'), 'Mozilla')))) { if ((extension_loaded('zlib')) && (function_exists('ob_start'))) { // Start caching $GLOBALS['php_caching'] = 'on'; @@ -132,42 +151,47 @@ function detectPhpCaching () { } // Runtime/GPC quoting is off now... -set_magic_quotes_runtime(false); -ini_set('magic_quotes_gpc', false); // This may not work on some systems +ini_set('magic_quotes_runtime', FALSE); +ini_set('magic_quotes_gpc', FALSE); // This may not work on some systems + +/* + * No compatibility with Zend Engine 1, else an error like 'Implicit cloning' + * will be produced. + */ +if (isPhpVersionEqualNewer('5.0')) { + ini_set('zend.ze1_compatibility_mode', 'Off'); +} // END - if // Check if important arrays are found and define them if missing -if (!isset($_SERVER)) { +if ((!isset($_SERVER)) || (!is_array($_SERVER))) { global $_SERVER; $_SERVER = $GLOBALS['_SERVER']; } // END - if -if (!isset($_GET)) { +if ((!isset($_GET)) || (!is_array($_GET))) { global $_GET; $_GET = $GLOBALS['_GET']; } // END - if -if (!isset($_POST)) { +if ((!isset($_POST)) || (!is_array($_POST))) { global $_POST; $_POST = $GLOBALS['_POST']; } // END - if -// Include IP-Filter here -//include("/usr/share/php/ipfilter.php"); - // Generate arrays which holds the relevante chars to replace $GLOBALS['security_chars'] = array( // The chars we are looking for... - 'from' => array('{', '}', '/', '.', "'", '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--'), + 'from' => array('/', '.', chr(39), '$', '(', ')', '{--', '--}', '{%', '%}', '{?', '?}', '%', ';', '[', ']', ':', '--', chr(92), chr(39), '<', '>'), // ... and we will replace to. 'to' => array( - '{OPEN_ANCHOR2}', - '{CLOSE_ANCHOR2}', '{SLASH}', '{DOT}', '{QUOT}', '{DOLLAR}', '{OPEN_ANCHOR}', '{CLOSE_ANCHOR}', + '{OPEN_LANGUAGE}', + '{CLOSE_LANGUAGE}', '{OPEN_TEMPLATE}', '{CLOSE_TEMPLATE}', '{OPEN_CONFIG}', @@ -177,14 +201,20 @@ $GLOBALS['security_chars'] = array( '{OPEN_INDEX}', '{CLOSE_INDEX}', '{DBL_DOT}', - '{COMMENT}' + '{COMMENT}', + '{BACKSLASH}', + '{SQUOTE}', + '{OPEN_TAG}', + '{CLOSE_TAG}' ), ); -// Characters allowed in URLs -// -// Note: Do not replace 'to' with 'from' and vise-versa! When you do this all booked URLs will be -// rejected because of the {SLASH}, {DOT} and all below listed items inside the URL. +/* + * Characters allowed in booked URLs + * + * Note: Do not replace 'to' with 'from' and vise-versa! When you do this all booked URLs will be + * rejected because of the {SLASH}, {DOT} and all below listed items inside the URL. + */ $GLOBALS['url_chars'] = array( // Search for these secured characters 'to' => array('{SLASH}', '{DOT}', '{PER}', '{DBL_DOT}', '{COMMENT}'), @@ -196,14 +226,11 @@ $GLOBALS['url_chars'] = array( if (is_array($_GET)) { foreach ($_GET as $seckey => $secvalue) { if (is_array($secvalue)) { - // Throw arrays away... + // Throw arrays away ... unset($_GET[$seckey]); } else { - // Only variables are allowed (non-array) but we secure them all! - foreach ($GLOBALS['security_chars']['from'] as $key => $char) { - // Pass all through - $_GET[$seckey] = str_replace($char , $GLOBALS['security_chars']['to'][$key], $_GET[$seckey]); - } // END - foreach + // Only variables are allowed (non-array) but we secure them all. + $_GET[$seckey] = str_replace($GLOBALS['security_chars']['from'], $GLOBALS['security_chars']['to'], $_GET[$seckey]); // Strip all other out $_GET[$seckey] = secureString($_GET[$seckey]); @@ -211,6 +238,18 @@ if (is_array($_GET)) { } // END - foreach } // END - if +// Secure also $_POST data (only simple, no replace) +if (is_array($_POST)) { + // Secure only simple data + foreach ($_POST as $seckey => $secvalue) { + // Is it an array? + if (!is_array($secvalue)) { + // Strip all other out + $_POST[$seckey] = secureString($_POST[$seckey]); + } // END - if + } // END - foreach +} // END - if + // Detect PHP caching detectPhpCaching();