X-Git-Url: https://git.mxchange.org/?p=mailer.git;a=blobdiff_plain;f=inc%2Flibs%2Fsecurity_functions.php;h=250540a2c64ee1c43839183fa70497c9fc5c6507;hp=193ddb9fb4cd5c12083a718de2a14742a6496443;hb=50ec4267016d288831aee809120992423db563e1;hpb=4e5020660b07f30b7bf3ccc0a2ca664a19a21c0d diff --git a/inc/libs/security_functions.php b/inc/libs/security_functions.php index 193ddb9fb4..250540a2c6 100644 --- a/inc/libs/security_functions.php +++ b/inc/libs/security_functions.php @@ -14,12 +14,10 @@ * $Date:: $ * * $Tag:: 0.2.1-FINAL $ * * $Author:: $ * - * Needs to be in all Files and every File needs "svn propset * - * svn:keywords Date Revision" (autoprobset!) at least!!!!!! * * -------------------------------------------------------------------- * * Copyright (c) 2003 - 2009 by Roland Haeder * - * Copyright (c) 2009, 2010 by Mailer Developer Team * - * For more information visit: http://www.mxchange.org * + * Copyright (c) 2009 - 2011 by Mailer Developer Team * + * For more information visit: http://mxchange.org * * * * This program is free software; you can redistribute it and/or modify * * it under the terms of the GNU General Public License as published by * @@ -38,13 +36,19 @@ ************************************************************************/ // Run only once this security check/replacement -if (defined('__SECURITY')) return; +if (defined('__SECURITY')) { + return; +} // END - if // Some security stuff... if (strpos($_SERVER['PHP_SELF'], basename(__FILE__)) !== false) { die(); } // END - if +// Include ctracker, recommended place! +require_once('ctracker.php'); +require_once('ipfilter.php'); + /** * Function to secure input strings * @@ -132,9 +136,15 @@ function detectPhpCaching () { } // Runtime/GPC quoting is off now... -set_magic_quotes_runtime(false); +ini_set('magic_quotes_runtime', false); ini_set('magic_quotes_gpc', false); // This may not work on some systems +// No compatibility with Zend Engine 1, else an error like 'Implicit cloning' +// will be produced. +if (phpversion() >= '5.0') { + ini_set('zend.ze1_compatibility_mode', 'Off'); +} // END - if + // Check if important arrays are found and define them if missing if (!isset($_SERVER)) { global $_SERVER; @@ -151,17 +161,12 @@ if (!isset($_POST)) { $_POST = $GLOBALS['_POST']; } // END - if -// Include IP-Filter here -//include("/usr/share/php/ipfilter.php"); - // Generate arrays which holds the relevante chars to replace $GLOBALS['security_chars'] = array( // The chars we are looking for... - 'from' => array('{', '}', '/', '.', "'", '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--'), + 'from' => array('/', '.', "'", '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--', "\\"), // ... and we will replace to. 'to' => array( - '{OPEN_ANCHOR2}', - '{CLOSE_ANCHOR2}', '{SLASH}', '{DOT}', '{QUOT}', @@ -177,7 +182,8 @@ $GLOBALS['security_chars'] = array( '{OPEN_INDEX}', '{CLOSE_INDEX}', '{DBL_DOT}', - '{COMMENT}' + '{COMMENT}', + '{BACKSLASH}' ), ); @@ -200,10 +206,7 @@ if (is_array($_GET)) { unset($_GET[$seckey]); } else { // Only variables are allowed (non-array) but we secure them all! - foreach ($GLOBALS['security_chars']['from'] as $key => $char) { - // Pass all through - $_GET[$seckey] = str_replace($char , $GLOBALS['security_chars']['to'][$key], $_GET[$seckey]); - } // END - foreach + $_GET[$seckey] = str_replace($GLOBALS['security_chars']['from'], $GLOBALS['security_chars']['to'], $_GET[$seckey]); // Strip all other out $_GET[$seckey] = secureString($_GET[$seckey]); @@ -211,6 +214,18 @@ if (is_array($_GET)) { } // END - foreach } // END - if +// Secure also $_POST data (only simple, no replace) +if (is_array($_POST)) { + // Secure only simple data + foreach ($_POST as $seckey => $secvalue) { + // Is it an array? + if (!is_array($secvalue)) { + // Strip all other out + $_POST[$seckey] = secureString($_POST[$seckey]); + } // END - if + } // END - foreach +} // END - if + // Detect PHP caching detectPhpCaching();