Decode the URL before checking, to avoid cases like q=%2FopenFooBar which
would be converted to q=%2fopenfoobar and then blocked because 'fopen' is then found.
This happens with StatusNet 1.1.1
// Checks for worms
function isCrackerTrackerWormDetected () {
// Check against the whole list
- $GLOBALS['ctracker_checkworm'] = str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString());
+ $GLOBALS['ctracker_checkworm'] = str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', urldecode(crackerTrackerQueryString()));
// If it differs to original and the *whole* request string is not in whitelist
// then blog the attempt
$address = $_SERVER['HTTP_CLIENT_IP'];
} elseif (isset($_SERVER['REMOTE_ADDR'])) {
// The regular address when no proxy was used
- $address = $_SERVER['REMOTE_ADDR'];
+ $address = getenv('REMOTE_ADDR');
}
// This strips out the real address from proxy output