
   1  <?php
   2  if (!defined('PHPWS_SOURCE_DIR')) {
   3    exit();
   4  }
   5  
   6  /* Security against those with register globals = on */
   7  if (isset($_REQUEST)){
   8      foreach ($_REQUEST as $postVarName=>$nullIT) {
   9      unset($postVarName);
  10      }
  11  }
  12  
  13  
  14  forbidLowerAscii();
  15  
  16  /* Checks the file array for imbedded code */
  17  secureAllFiles();
  18  
  19  
  20  /* Clean out bad script, php, and newline characters */
  21  cleanArray($_REQUEST);
  22  cleanArray($_GET);
  23  
  24  /* Prevent scripting and bad new line characters from being passed via http get */
  25  function cleanArray(&$Value) {
  26      if (is_array($Value)) {
  27      array_walk ($Value, 'cleanArray');
  28      } else {
  29      $scriptPatterns = array('/<+script/i', '/(%3C)+script/i', '/(&lt;)+script/i', '/(&#60;)+script/i');
  30      $phpPatterns    = array("'<+\?'", "'(%3C)+\?'", "'(&lt;)+\?'", "'(&#60;)+\?'");
  31  
  32          $Value = preg_replace('/\.\.\//', '', $Value);
  33      $Value = preg_replace($scriptPatterns, 'NOSCRIPT', $Value);
  34      $Value = preg_replace($phpPatterns, 'NOPHP', $Value);
  35      }
  36      return;
  37  }
  38  
  39  function secureAllFiles()
  40  {
  41    include  PHPWS_SOURCE_DIR . 'conf/security_config.php';
  42  
  43    if (empty($_FILES)) {
  44      return;
  45    }
  46  
  47    foreach ($_FILES as $file_key => $checkFile) {
  48      $temp_name = $checkFile['tmp_name'];
  49      $filename  = $checkFile['name'];
  50  
  51      if (is_array($temp_name)) {
  52        foreach ($checkFile['tmp_name'] as $tmp_key => $tmp_name) {
  53      if ( ($parse_all_files == TRUE && !secureFile($tmp_name, $embedded_text))
  54           || !secureName($checkFile['name'][$tmp_key], $forbidden_extensions) )
  55      {
  56        $_FILES[$file_key]['tmp_name'][$tmp_key] = NULL;
  57        $_FILES[$file_key]['name'][$tmp_key] = NULL;
  58      }
  59        }
  60      } else {
  61        if ( (($parse_all_files == TRUE && !secureFile($checkFile['tmp_name'], $embedded_text))
  62          || !secureName($filename, $forbidden_extensions)))
  63        {
  64      $_FILES[$file_key]['name'] = NULL;
  65      $_FILES[$file_key]['tmp_name'] = NULL;
  66        }
  67      }
  68  
  69    }
  70  }
  71  
  72  
  73  function secureFile($filename, $embedded_text) {
  74    if (empty($filename)) {
  75      return FALSE;
  76    }
  77    
  78    $match = implode('|', $embedded_text);
  79    
  80    $hdl = fopen($filename,'r');
  81    if ($hdl) {
  82      while (!feof($hdl)) {
  83        $check = preg_replace('/\s/', '', fgets($hdl, 1024));
  84        if (preg_match('/' . $match . '/i', $check)) {
  85      fclose($hdl); 
  86      return FALSE;
  87        }
  88      }
  89      fclose($hdl);
  90      return TRUE;
  91    } else {
  92      return FALSE;
  93    }
  94  }
  95  
  96  function secureName($filename, $forbidden_extensions) {
  97    $structure = explode('.', trim($filename));
  98  
  99    $match = implode('|', $forbidden_extensions);
 100    
 101    $extension = array_pop($structure);
 102    if (preg_match('/' . $match . '/i', $extension)) {
 103      return FALSE;
 104    } else {
 105      return TRUE;
 106    }
 107  
 108  }
 109  
 110  function forbidLowerAscii()
 111  {
 112      if (isset($_SERVER['REQUEST_URI']) && 
 113          preg_match('/%(0|1)(\d|[a-f])/i', $_SERVER['REQUEST_URI'])) {
 114          header ('Location: index.php');
 115          exit();
 116      }
 117  }
 118  
 119  ?>

