projects / mailer.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
(no commit message)
[mailer.git] / 0.2.1 / inc / libs / security_functions.php
1 <?php\r
2 /************************************************************************\r
3  * MXChange v0.2.1                                    Start: 09/20/2005 *\r
4  * ===============                              Last change: 09/20/2005 *\r
5  *                                                                      *\r
6  * -------------------------------------------------------------------- *\r
7  * File              : security_functions.php                           *\r
8  * -------------------------------------------------------------------- *\r
9  * Short description : Secure all GET, POST and COOKIE data             *\r
10  * -------------------------------------------------------------------- *\r
11  * Kurzbeschreibung  : Alle GET, POST und COOKIE-Daten sichern          *\r
12  * -------------------------------------------------------------------- *\r
13  *                                                                      *\r
14  * -------------------------------------------------------------------- *\r
15  * Copyright (c) 2003 - 2007 by Roland Haeder                           *\r
16  * For more information visit: http://www.mxchange.org                  *\r
17  *                                                                      *\r
18  * This program is free software; you can redistribute it and/or modify *\r
19  * it under the terms of the GNU General Public License as published by *\r
20  * the Free Software Foundation; either version 2 of the License, or    *\r
21  * (at your option) any later version.                                  *\r
22  *                                                                      *\r
23  * This program is distributed in the hope that it will be useful,      *\r
24  * but WITHOUT ANY WARRANTY; without even the implied warranty of       *\r
25  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the        *\r
26  * GNU General Public License for more details.                         *\r
27  *                                                                      *\r
28  * You should have received a copy of the GNU General Public License    *\r
29  * along with this program; if not, write to the Free Software          *\r
30  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,               *\r
31  * MA  02110-1301  USA                                                  *\r
32  ************************************************************************/\r
33 \r
34 // Some security stuff...\r
35 if (ereg(basename(__FILE__), $_SERVER['PHP_SELF']))\r
36 {\r
37         $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4)."/security.php";\r
38         require($INC);\r
39 }\r
40 \r
41 // Run only once this security check/exchange\r
42 if (defined('__SECURITY')) return;\r
43 \r
44 // Fatal messages goes here\r
45 global $FATAL;\r
46 $FATAL = array();\r
47 \r
48 // Runtime quoting is off now...\r
49 set_magic_quotes_runtime(false);\r
50 \r
51 // Unregister all global variables because of vultures and surpress failed attemps\r
52 @import_request_variables('');\r
53 \r
54 // Error reporting level\r
55 @error_reporting(E_ALL | E_STRICT);\r
56 \r
57 // Check if important arrays are found and define them if missing\r
58 if (!isset($_SERVER))\r
59 {\r
60         global $_SERVER;\r
61         $_SERVER = $GLOBALS['_SERVER'];\r
62 }\r
63 if (!isset($_GET))\r
64 {\r
65         global $_GET;\r
66         $_GET = $GLOBALS['_GET'];\r
67 }\r
68 if (!isset($_POST))\r
69 {\r
70         global $_POST;\r
71         $_POST = $GLOBALS['_POST'];\r
72 }\r
73 if (!isset($_COOKIE))\r
74 {\r
75         global $_COOKIE;\r
76         $_COOKIE = $GLOBALS['_COOKIE'];\r
77 }\r
78 \r
79 // Include IP-Filter here\r
80 //require("/usr/share/php/ipfilter.php");\r
81 \r
82 // Generate arrays which holds the relevante chars to replace\r
83 global $SEC_CHARS, $URL_CHARS;\r
84 $SEC_CHARS = array(\r
85         // The chars we are looking for...\r
86         'from' => array("{", "}", "/", ".", "'", "$", "(", ")", "{--", "--}", "%", ";", "[", "]", ":", "--"),\r
87         // ... and we will replace to.\r
88         'to'   => array(\r
89                 "{OPEN_ANCHOR2}",\r
90                 "{CLOSE_ANCHOR2}",\r
91                 "{SLASH}",\r
92                 "{DOT}",\r
93                 "{QUOT}",\r
94                 "{DOLLAR}",\r
95                 "{OPEN_ANCHOR}",\r
96                 "{CLOSE_ANCHOR}",\r
97                 "{OPEN_TEMPLATE}",\r
98                 "{CLOSE_TEMPLATE}",\r
99                 "{PER}",\r
100                 "{SEMI}",\r
101                 "{OPEN_INDEX}",\r
102                 "{CLOSE_INDEX}",\r
103                 "{DBL_DOT}",\r
104                 "{COMMENT}"\r
105         ),\r
106 );\r
107 \r
108 // Characters allowed in URLs\r
109 //\r
110 // Note: Do not replace 'to' with 'from' and vise-versa! When you do this all booked URLs will be\r
111 //       rejected because of the {SLASH}, {DOT} and all below listed items inside the URL.\r
112 $URL_CHARS = array(\r
113         // Search for these secured characters\r
114         'to'   => array("{SLASH}", "{DOT}", "{PER}", "{DBL_DOT}", "{COMMENT}"),\r
115         // Replace with these characters\r
116         'from' => array("/", ".", "%", ":", "--")\r
117 );\r
118 \r
119 // Overworked security part:\r
120 if (is_array($_GET)) {\r
121         foreach ($_GET as $seckey=>$secvalue)\r
122         {\r
123                 if (is_array($secvalue))\r
124                 {\r
125                         // Throw arrays away...\r
126                         unset($_GET[$seckey]);\r
127                 }\r
128                  else\r
129                 {\r
130                         // Only variables are allowed (non-array) but we secure them all!\r
131                         foreach ($SEC_CHARS['from'] as $key=>$char)\r
132                         {\r
133                                 // Pass all through\r
134                                 $_GET[$seckey] = str_replace($char  , $SEC_CHARS['to'][$key], $_GET[$seckey]);\r
135                         }\r
136 \r
137                         // Strip all other out\r
138                         $_GET[$seckey] = strip_tags($_GET[$seckey]);\r
139                 }\r
140         }\r
141 }\r
142 \r
143 if (basename($_SERVER['PHP_SELF']) != "install.php")\r
144 {\r
145         // And POST data\r
146         foreach ($_POST as $seckey=>$secvalue)\r
147         {\r
148                 if (!is_array($secvalue))\r
149                 {\r
150                         // Only variables are allowed (non-array) to be secured...\r
151                         foreach ($SEC_CHARS['from'] as $key=>$char)\r
152                         {\r
153                                 // Pass all through\r
154                                 $_POST[$seckey] = str_replace($char  , $SEC_CHARS['to'][$key], $_POST[$seckey]);\r
155                         }\r
156 \r
157                         // Strip all other out\r
158                         $_POST[$seckey] = strip_tags($_POST[$seckey]);\r
159                 }\r
160         }\r
161 \r
162         // ... and finally cookies\r
163         foreach ($_COOKIE as $seckey=>$secvalue)\r
164         {\r
165                 if (is_array($secvalue))\r
166                 {\r
167                         // Throw arrays away...\r
168                         unset($_COOKIE[$seckey]);\r
169                 }\r
170                  else\r
171                 {\r
172                         // Only variables are allowed (non-array) but we secure them all!\r
173                         foreach ($SEC_CHARS['from'] as $key=>$char)\r
174                         {\r
175                                 // Pass all through\r
176                                 $_COOKIE[$seckey] = str_replace($char  , $SEC_CHARS['to'][$key], $_COOKIE[$seckey]);\r
177                         }\r
178 \r
179                         // Strip all other out\r
180                         $_COOKIE[$seckey] = strip_tags($_COOKIE[$seckey]);\r
181                 }\r
182         }\r
183 }\r
184 \r
185 // Activate caching or transparent compressing when it is not already done\r
186 if (!defined('_OB_CACHING'))\r
187 {\r
188         if (phpversion() >= '4.0.4pl1' && (strstr(getenv('HTTP_USER_AGENT'),'compatible') || (strstr(getenv('HTTP_USER_AGENT'), "Mozilla"))))\r
189         {\r
190                 if ((extension_loaded('zlib')) && (function_exists('ob_start')))\r
191                 {\r
192                         // Start caching\r
193                         define('_OB_CACHING', "on");\r
194                         ob_start();\r
195                 }\r
196                  else\r
197                 {\r
198                         // Extension not loaded or required function is missing\r
199                         define('_OB_CACHING', "404");\r
200                 }\r
201         }\r
202          else\r
203         {\r
204                 // Old PHP version\r
205                 define('_OB_CACHING', "old");\r
206         }\r
207 }\r
208 \r
209 // At last secure the $_SERVER['PHP_SELF'] element\r
210 $_SERVER['PHP_SELF'] = htmlentities(strip_tags($_SERVER['PHP_SELF']), ENT_QUOTES);\r
211 \r
212 // Split it up into path and filename\r
213 $SELF_DIR  = dirname($_SERVER['PHP_SELF']);\r
214 $SELF_FILE = basename($_SERVER['PHP_SELF']);\r
215 \r
216 // Check for a .php inside the $SELF_DIR...\r
217 while (ereg(".php", $SELF_DIR))\r
218 {\r
219         // Correct the dirname\r
220         $SELF_DIR = substr($SELF_DIR, 0, (strpos($SELF_DIR, ".php") + 4));\r
221         // Rewrite filename...\r
222         $SELF_FILE = basename($SELF_DIR);\r
223         // ... and dirname\r
224         $SELF_DIR = dirname($SELF_DIR);\r
225 }\r
226 \r
227 // Put both together again and let's pray it is secured now...\r
228 $_SERVER['PHP_SELF'] = $SELF_DIR."/".$SELF_FILE;\r
229 \r
230 // Remove uneccessary variables\r
231 unset($SELF_DIR);\r
232 unset($SELF_FILE);\r
233 \r
234 // Security system loaded...\r
235 define('__SECURITY', "1");\r
236 \r
237 //\r
238 ?>\r
Mailer-Project repository