Improved DDoS detection
authorMichael Vogel <icarus@dabo.de>
Wed, 20 Apr 2016 20:10:05 +0000 (22:10 +0200)
committerRoland Haeder <roland@mxchange.org>
Sun, 1 May 2016 11:48:52 +0000 (13:48 +0200)
index.php

index fcd2bfec3e5c92738ce1eea0a087c60390753403..c2f469b5a837d550bbd9faeae576681c22543076 100644 (file)
--- a/index.php
+++ b/index.php
@@ -118,14 +118,20 @@ if((x($_SESSION,'language')) && ($_SESSION['language'] !== $lang)) {
 
 if((x($_GET,'zrl')) && (!$install && !$maintenance)) {
        // Only continue when the given profile link seems valid
-       // Valid profile links contain a path and no query parameters
+       // Valid profile links contain a path with "/profile/" and no query parameters
        if ((parse_url($_GET['zrl'], PHP_URL_QUERY) == "") AND
-               (parse_url($_GET['zrl'],  PHP_URL_PATH) != "")) {
+               strstr(parse_url($_GET['zrl'], PHP_URL_PATH), "/profile/")) {
                $_SESSION['my_url'] = $_GET['zrl'];
                $a->query_string = preg_replace('/[\?&]zrl=(.*?)([\?&]|$)/is','',$a->query_string);
                zrl_init($a);
-       } else
+       } else {
+               // Someone came with an invalid parameter, maybe as a DDoS attempt
+               // We simply stop processing here
                logger("Invalid ZRL parameter ".$_GET['zrl'], LOGGER_DEBUG);
+               header('HTTP/1.1 403 Forbidden');
+               echo "<h1>403 Forbidden</h1>";
+               killme();
+       }
 }
 
 /**
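Review bot: The tightened check on the `strstr(... "/profile/")` line still accepts any URL scheme and host, so a `zrl` such as `javascript:x/profile/` or a `data:` URL passes the filter and is stored in `$_SESSION['my_url']` and handed to `zrl_init()`; whether that value is later rendered in HTML or used for a redirect is not visible in this hunk, but the check would be cheap to harden by also requiring an http(s) scheme, e.g. adding `in_array(parse_url($_GET['zrl'], PHP_URL_SCHEME), array('http', 'https'))` as a further `AND` term. Note also that `parse_url()` returns `false` for badly malformed input, which `strstr()` coerces to an empty haystack so the request falls through to the new 403 branch — acceptable, but worth a one-line comment so the next reader does not take it for an oversight. The rejected value is written to the log verbatim on the `logger(...)` line; if the log is line-oriented, stripping control characters first (e.g. `preg_replace('/[\x00-\x1f]/', '', $_GET['zrl'])`) prevents a crafted `zrl` from forging log entries.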