X-Git-Url: https://git.mxchange.org/?p=mailer.git;a=blobdiff_plain;f=inc%2Flibs%2Fsecurity_functions.php;h=7309965b5b7b80cd4675122411d3b927afa36333;hp=bb87b1ae36b0925ff1b26bb31d11bbabd5b2c2bd;hb=e995a896255f853ea731a602a6f4902878f16980;hpb=039203d5428c9c6a3bed61fb3a9a16958c6fd44c diff --git a/inc/libs/security_functions.php b/inc/libs/security_functions.php index bb87b1ae36..7309965b5b 100644 --- a/inc/libs/security_functions.php +++ b/inc/libs/security_functions.php @@ -18,6 +18,7 @@ * svn:keywords Date Revision" (autoprobset!) at least!!!!!! * * -------------------------------------------------------------------- * * Copyright (c) 2003 - 2009 by Roland Haeder * + * Copyright (c) 2009, 2010 by Mailer Developer Team * * For more information visit: http://www.mxchange.org * * * * This program is free software; you can redistribute it and/or modify * @@ -36,11 +37,11 @@ * MA 02110-1301 USA * ************************************************************************/ -// Run only once this security check/exchange +// Run only once this security check/replacement if (defined('__SECURITY')) return; // Some security stuff... -if (ereg(basename(__FILE__), $_SERVER['PHP_SELF'])) { +if (strpos($_SERVER['PHP_SELF'], basename(__FILE__)) !== false) { die(); } // END - if @@ -68,6 +69,68 @@ function secureString ($str, $strip = true, $encode = false) { return $str; } +/** + * Secures $_SERVER['PHP_SELF'] against attacks + * + * @return void + */ +function securePhpSelf () { + // Did it run before? + if (isset($GLOBALS['php_self_secured'])) { + // Please do not call this twice! + die('PHP_SELF is already secured. Please do not call ' . __FUNCTION__ . ' for your self.'); + } // END - if + + // Secure the string + $_SERVER['PHP_SELF'] = secureString($_SERVER['PHP_SELF']); + + // Split it up into path and filename + $phpSelfDirectory = dirname($_SERVER['PHP_SELF']); + $phpSelfFile = basename($_SERVER['PHP_SELF']); + + // Check for a .php inside the $phpSelfDirectory... + while (ereg('.php', $phpSelfDirectory)) { + // Correct the dirname + $phpSelfDirectory = substr($phpSelfDirectory, 0, (strpos($phpSelfDirectory, '.php') + 4)); + // Rewrite filename... + $phpSelfFile = basename($phpSelfDirectory); + // ... and dirname + $phpSelfDirectory = dirname($phpSelfDirectory); + } // END - while + + // Put both together again and let's pray it is secured now... + $_SERVER['PHP_SELF'] = $phpSelfDirectory . '/' . $phpSelfFile; + + // Did run... + $GLOBALS['php_self_secured'] = true; + + // Remove uneccessary variables + unset($phpSelfDirectory); + unset($phpSelfFile); +} + +/** + * Detects caching in PHP + * + * @return void + */ +function detectPhpCaching () { + // Activate caching or transparent compressing when it is not already done + if (phpversion() >= '4.0.4pl1' && (strstr(getenv('HTTP_USER_AGENT'),'compatible') || (strstr(getenv('HTTP_USER_AGENT'), 'Mozilla')))) { + if ((extension_loaded('zlib')) && (function_exists('ob_start'))) { + // Start caching + $GLOBALS['php_caching'] = 'on'; + ob_start(); + } else { + // Extension not loaded or required function is missing + $GLOBALS['php_caching'] = '404'; + } + } else { + // Old PHP version + $GLOBALS['php_caching'] = 'old'; + } +} + // Runtime/GPC quoting is off now... set_magic_quotes_runtime(false); ini_set('magic_quotes_gpc', false); // This may not work on some systems @@ -148,44 +211,11 @@ if (is_array($_GET)) { } // END - foreach } // END - if -// Activate caching or transparent compressing when it is not already done -if (phpversion() >= '4.0.4pl1' && (strstr(getenv('HTTP_USER_AGENT'),'compatible') || (strstr(getenv('HTTP_USER_AGENT'), 'Mozilla')))) { - if ((extension_loaded('zlib')) && (function_exists('ob_start'))) { - // Start caching - $GLOBALS['php_caching'] = 'on'; - ob_start(); - } else { - // Extension not loaded or required function is missing - $GLOBALS['php_caching'] = '404'; - } -} else { - // Old PHP version - $GLOBALS['php_caching'] = 'old'; -} +// Detect PHP caching +detectPhpCaching(); // At last secure the $_SERVER['PHP_SELF'] element -$_SERVER['PHP_SELF'] = secureString($_SERVER['PHP_SELF']); - -// Split it up into path and filename -$phpSelfDirectory = dirname($_SERVER['PHP_SELF']); -$phpSelfFile = basename($_SERVER['PHP_SELF']); - -// Check for a .php inside the $phpSelfDirectory... -while (ereg('.php', $phpSelfDirectory)) { - // Correct the dirname - $phpSelfDirectory = substr($phpSelfDirectory, 0, (strpos($phpSelfDirectory, '.php') + 4)); - // Rewrite filename... - $phpSelfFile = basename($phpSelfDirectory); - // ... and dirname - $phpSelfDirectory = dirname($phpSelfDirectory); -} // END - while - -// Put both together again and let's pray it is secured now... -$_SERVER['PHP_SELF'] = $phpSelfDirectory . '/' . $phpSelfFile; - -// Remove uneccessary variables -unset($phpSelfDirectory); -unset($phpSelfFile); +securePhpSelf(); // Security system loaded... define('__SECURITY', 1);