<?php /** * Security * * @package GetSimple * @subpackage init */ /* * File and File MIME-TYPE Blacklist arrays */ $mime_type_blacklist = array( # HTML may contain cookie-stealing JavaScript and web bugs 'text/html', 'text/javascript', 'text/x-javascript', 'application/x-shellscript', # PHP scripts may execute arbitrary code on the server 'application/x-php', 'text/x-php', # Other types that may be interpreted by some servers 'text/x-python', 'text/x-perl', 'text/x-bash', 'text/x-sh', 'text/x-csh', # Client-side hazards on Internet Explorer 'text/scriptlet', 'application/x-msdownload', # Windows metafile, client-side vulnerability on some systems 'application/x-msmetafile', # MS Office OpenXML and other Open Package Conventions files are zip files # and thus blacklisted just as other zip files 'application/x-opc+zip' ); $file_ext_blacklist = array( # HTML may contain cookie-stealing JavaScript and web bugs 'html', 'htm', 'js', 'jsb', 'mhtml', 'mht', # PHP scripts may execute arbitrary code on the server 'php', 'phtml', 'php3', 'php4', 'php5', 'phps', # Other types that may be interpreted by some servers 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd', # May contain harmful executables for Windows victims 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl' ); /** * Anti-XSS * * Attempts to clean variables from XSS attacks * @since 2.03 * * @author Martijn van der Ven * * @param string $str The string to be stripped of XSS attempts * @return string */ function antixss($str){ // attributes blacklist: $attr = array('style','on[a-z]+'); // elements blacklist: $elem = array('script','iframe','embed','object'); // extermination: $str = preg_replace('#<!--.*?-->?#', '', $str); $str = preg_replace('#<!--#', '', $str); $str = preg_replace('#(<[a-z]+(\s+[a-z][a-z\-]+\s*=\s*(\'[^\']*\'|"[^"]*"|[^\'">][^\s>]*))*)\s+href\s*=\s*(\'javascript:[^\']*\'|"javascript:[^"]*"|javascript:[^\s>]*)((\s+[a-z][a-z\-]*\s*=\s*(\'[^\']*\'|"[^"]*"|[^\'">][^\s>]*))*\s*>)#is', '$1$5', $str); foreach($attr as $a) { $regex = '(<[a-z]+(\s+[a-z][a-z\-]+\s*=\s*(\'[^\']*\'|"[^"]*"|[^\'">][^\s>]*))*)\s+'.$a.'\s*=\s*(\'[^\']*\'|"[^"]*"|[^\'">][^\s>]*)((\s+[a-z][a-z\-]*\s*=\s*(\'[^\']*\'|"[^"]*"|[^\'">][^\s>]*))*\s*>)'; $str = preg_replace('#'.$regex.'#is', '$1$5', $str); } foreach($elem as $e) { $regex = '<'.$e.'(\s+[a-z][a-z\-]*\s*=\s*(\'[^\']*\'|"[^"]*"|[^\'">][^\s>]*))*\s*>.*?<\/'.$e.'\s*>'; $str = preg_replace('#'.$regex.'#is', '', $str); } return $str; } /** * Get Nonce * * @since 2.03 * @author tankmiche * @uses $USR * @uses $SALT * * @param string $action Id of current page * @param string $file Optional, default is empty string * @param bool $last * @return string */ function get_nonce($action, $file = "", $last = false) { global $USR; global $SALT; if($file == "") $file = $_SERVER['PHP_SELF']; // using user agent since ip can change on proxys $uid = $_SERVER['HTTP_USER_AGENT']; // Limits Nonce to one hour $time = $last ? time() - 3600: time(); // Mix with a little salt $hash=sha1($action.$file.$uid.$USR.$SALT.@date('YmdH',$time)); return $hash; } /** * Check Nonce * * @since 2.03 * @author tankmiche * @uses get_nonce * * @param string $nonce * @param string $action * @param string $file Optional, default is empty string * @return bool */ function check_nonce($nonce, $action, $file = ""){ return ( $nonce === get_nonce($action, $file) || $nonce === get_nonce($action, $file, true) ); } /* * Validate Safe File * * @since 3.1 * @uses file_mime_type * @uses $mime_type_blacklist * @uses $file_ext_blacklist * * @param string $file, absolute path * @param string $name, default null * @param string $type, default 'upload' * @return bool */ function validate_safe_file($file, $name, $mime){ global $mime_type_blacklist, $file_ext_blacklist, $mime_type_whitelist, $file_ext_whitelist; include(GSADMININCPATH.'configuration.php'); $file_extention = pathinfo($name,PATHINFO_EXTENSION); $file_mime_type = $mime; if ($mime_type_whitelist && in_arrayi($file_mime_type, $mime_type_whitelist)) { return true; } elseif ($file_ext_whitelist && $in_arrayi($file_extention, $file_ext_whitelist)) { return true; } // skip blackist checks if whitelists exist if($mime_type_whitelist || $file_ext_whitelist) return false; if (in_arrayi($file_mime_type, $mime_type_blacklist)) { return false; } elseif (in_arrayi($file_extention, $file_ext_blacklist)) { return false; } else { return true; } } /** * Checks that an existing filepath is safe to use by checking canonicalized absolute pathname. * * @since 3.1.3 * * @param string $path Unknown Path to file to check for safety * @param string $pathmatch Known Path to parent folder to check against * @param bool $subdir allow path to be a deeper subfolder * @return bool Returns true if files path resolves to your known path */ function filepath_is_safe($path,$pathmatch,$subdir = true){ $realpath = realpath($path); $realpathmatch = realpath($pathmatch); if($subdir) return strpos(dirname($realpath),$realpathmatch) === 0; return dirname($realpath) == $realpathmatch; } /** * Checks that an existing path is safe to use by checking canonicalized absolute path * * @since 3.1.3 * * @param string $path Unknown Path to check for safety * @param string $pathmatch Known Path to check against * @param bool $subdir allow path to be a deeper subfolder * @return bool Returns true if $path is direct subfolder of $pathmatch * */ function path_is_safe($path,$pathmatch,$subdir = true){ $realpath = realpath($path); $realpathmatch = realpath($pathmatch); if($subdir) return strpos($realpath,$realpathmatch) === 0; return $realpath == $realpathmatch; } /** * Check if server is Apache * * @returns bool */ function server_is_apache() { return( strpos(strtolower($_SERVER['SERVER_SOFTWARE']),'apache') !== false ); } /** * Performs filtering on variable, falls back to htmlentities * * @since 3.3.0 * @param string $var var to filter * @param string $filter filter type * @return string return filtered string */ function var_out($var,$filter = "special"){ if(function_exists( "filter_var") ){ $aryFilter = array( "string" => FILTER_SANITIZE_STRING, "int" => FILTER_SANITIZE_NUMBER_INT, "float" => FILTER_SANITIZE_NUMBER_FLOAT, "url" => FILTER_SANITIZE_URL, "email" => FILTER_SANITIZE_EMAIL, "special" => FILTER_SANITIZE_SPECIAL_CHARS, ); if(isset($aryFilter[$filter])) return filter_var( $var, $aryFilter[$filter]); return filter_var( $var, FILTER_SANITIZE_SPECIAL_CHARS); } else { return htmlentities($var); } }