
Commit d08d28c

Fix: Sanitize PHP_SELF
1 parent 5027152 commit d08d28c

1 file changed

+32
-18
lines changed


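--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -62,26 +62,40 @@ function stripslashes_deep($value)
 }
 }
 
-// Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST)
-function test_sql_and_script_inject($val,$get)
+
+/**
+* Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF)
+*
+* @param string $val Value
+* @param string $type 1=GET, 0=POST, 2=PHP_SELF
+* @return boolean true if there is an injection
+*/
+function test_sql_and_script_inject($val, $type)
 {
 $sql_inj = 0;
-// For SQL Injection
-$sql_inj += preg_match('/delete[\s]+from/i', $val);
-$sql_inj += preg_match('/create[\s]+table/i', $val);
-$sql_inj += preg_match('/update.+set.+=/i', $val);
-$sql_inj += preg_match('/insert[\s]+into/i', $val);
-$sql_inj += preg_match('/select.+from/i', $val);
-$sql_inj += preg_match('/union.+select/i', $val);
-$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
+// For SQL Injection (onyl GET and POST are used to be included into bad escaped SQL requests)
+if ($type != 2)
+{
+$sql_inj += preg_match('/delete[\s]+from/i', $val);
+$sql_inj += preg_match('/create[\s]+table/i', $val);
+$sql_inj += preg_match('/update.+set.+=/i', $val);
+$sql_inj += preg_match('/insert[\s]+into/i', $val);
+$sql_inj += preg_match('/select.+from/i', $val);
+$sql_inj += preg_match('/union.+select/i', $val);
+$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
+}
 // For XSS Injection done by adding javascript with script
-$sql_inj += preg_match('/<script/i', $val);
-$sql_inj += preg_match('/base[\s]+href/i', $val);
-if ($get) $sql_inj += preg_match('/img[\s]+src/i', $val);
-if ($get) $sql_inj += preg_match('/style[\s]*=/i', $val);
-if ($get) $sql_inj += preg_match('/javascript:/i', $val);
-// For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
-if ($get) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value
+$sql_inj += preg_match('/<script/i', $val);
+$sql_inj += preg_match('/base[\s]+href/i', $val);
+if ($type == 1)
+{
+$sql_inj += preg_match('/img[\s]+src/i', $val);
+$sql_inj += preg_match('/style[\s]*=/i', $val);
+$sql_inj += preg_match('/javascript:/i', $val);
+}
+// For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
+if ($type == 1) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value
+if ($type == 2) $sql_inj += preg_match('/[\s;"]/', $val); // PHP_SELF is an url and must match url syntax
 return $sql_inj;
 }
 // Security: Return true if OK, false otherwise
@@ -112,7 +126,7 @@ function analyse_sql_and_script(&$var,$get)
 if (! empty($_SERVER["PHP_SELF"]))
 {
 $morevaltochecklikepost=array($_SERVER["PHP_SELF"]);
-analyse_sql_and_script($morevaltochecklikepost,0);
+analyse_sql_and_script($morevaltochecklikepost,2);
 }
 // Sanity check on GET parameters
 if (! empty($_SERVER["QUERY_STRING"]))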
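Review bot: The new PHP_SELF branch `if ($type == 2) $sql_inj += preg_match('/[\s;"]/', $val);` is a denylist that still accepts a tag containing no whitespace, `"` or `;`, such as `<svg/onload=alert(1)>`, and the `img src`, `style=` and `javascript:` checks above it now run only for `$type == 1`, so a PATH_INFO payload reflected into a single-quoted or unquoted HTML attribute is not rejected by this function. At minimum the class should also reject `'`, `<` and `>`, i.e. `if ($type == 2) $sql_inj += preg_match('/[\s;"\'<>]/', $val);`, and since PHP_SELF is documented here as "an url" an allowlist of URL-path characters would be the more defensible check. This filter cannot substitute for `htmlspecialchars()` at every point where `$_SERVER['PHP_SELF']` is echoed into HTML; whether those output sites are escaped is not visible in this hunk. Separately, the new docblock's `@param string $type` and `@return boolean` do not match the code, which compares `$type` against integers and returns the accumulated match count, so `@param int $type` and `@return int number of suspicious patterns matched (0 = clean)` would be accurate.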
