mirror of
https://github.com/e107inc/e107.git
synced 2025-07-29 10:50:25 +02:00
mod rewrite support - e_REQUEST_URI and e_REQUEST_URL added to be used in forms (instead e_SELF), basic experimental generic XSS protection
This commit is contained in:
14
class2.php
14
class2.php
@@ -432,7 +432,19 @@ $pref = e107::getPref();
|
||||
//DEPRECATED, BC, call e107::getConfig('menu')->get('pref_name') only when needed
|
||||
$menu_pref = e107::getConfig('menu')->getPref(); //extract menu prefs
|
||||
|
||||
|
||||
// NEW - force ssl
|
||||
if(e107::getPref('ssl_enabled') && !deftrue('e_SSL_DISABLE'))
|
||||
{
|
||||
// NOTE: e_SSL_DISABLE check is here to help webmasters fix 'ssl_enabled'
|
||||
// if set by accident on site with no SSL support - just define it in e107_config.php
|
||||
if(strpos(e_REQUEST_URL, 'http://') === 0)
|
||||
{
|
||||
// e_REQUEST_URL and e_REQUEST_URI introduced
|
||||
$url = 'https://'.substr(e_REQUEST_URL, 7);
|
||||
header('Location: '.$url);
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
// $sql->db_Mark_Time('(Extracting Core Prefs Done)');
|
||||
|
||||
|
@@ -311,7 +311,7 @@ class e107
|
||||
*/
|
||||
public function setDirs($e107_dirs, $e107_config_override = array())
|
||||
{
|
||||
$this->e107_dirs = array_merge($this->defaultDirs($e107_dirs), (array) $e107_dirs, (array) $e107_config_override);
|
||||
$this->e107_dirs = array_merge($this->defaultDirs($e107_dirs)/*, (array) $e107_dirs*/, (array) $e107_config_override);
|
||||
return $this;
|
||||
}
|
||||
|
||||
@@ -337,7 +337,7 @@ class e107
|
||||
'SYSTEM_DIRECTORY' => 'e107_system/',
|
||||
'CORE_DIRECTORY' => 'e107_core/',
|
||||
'WEB_DIRECTORY' => 'e107_web/',
|
||||
), $override_root);
|
||||
), (array) $override_root);
|
||||
|
||||
if($return_root) return $ret;
|
||||
|
||||
@@ -2188,13 +2188,53 @@ class e107
|
||||
$page = substr(strrchr($_SERVER['PHP_SELF'], '/'), 1);
|
||||
|
||||
define('e_PAGE', $page);
|
||||
define('e_SELF', $this->HTTP_SCHEME . '://' . $_SERVER['HTTP_HOST'] . ($_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_FILENAME']));
|
||||
|
||||
$eSelf = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_FILENAME'];
|
||||
define('e_SELF', $this->HTTP_SCHEME.'://'.$_SERVER['HTTP_HOST'].$eSelf);
|
||||
|
||||
// START New - request uri/url detection, XSS protection
|
||||
$requestUri = $requestUrl = '';
|
||||
if (isset($_SERVER['HTTP_X_REWRITE_URL']))
|
||||
{
|
||||
// check this first so IIS will catch
|
||||
$requestUri = $_SERVER['HTTP_X_REWRITE_URL'];
|
||||
$requestUrl = $this->HTTP_SCHEME.'://'.$_SERVER['HTTP_HOST'].$requestUri;
|
||||
// fix request uri
|
||||
$_SERVER['REQUEST_URI'] = $requestUri;
|
||||
}
|
||||
elseif (isset($_SERVER['REQUEST_URI']))
|
||||
{
|
||||
$requestUri = $_SERVER['REQUEST_URI'];
|
||||
$requestUrl = $this->HTTP_SCHEME.'://'.$_SERVER['HTTP_HOST'].$requestUri;
|
||||
}
|
||||
else
|
||||
{
|
||||
// go back to e_SELF
|
||||
$requestUri = $eSelf;
|
||||
$requestUrl = e_SELF;
|
||||
if (e_QUERY)
|
||||
{
|
||||
$requestUri .= '?'.e_QUERY;
|
||||
$requestUrl .= '?'.e_QUERY;
|
||||
}
|
||||
}
|
||||
// FIXME - basic security - add url sanitize method to e_parse
|
||||
$check = rawurldecode($requestUri); // urlencoded by default
|
||||
// a bit aggressive XSS protection... convert to e.g. htmlentities if you are not a bad guy
|
||||
if(preg_match('/[<>]/', $check))
|
||||
{
|
||||
header('HTTP/1.1 403 Forbidden');
|
||||
exit;
|
||||
}
|
||||
// the last anti-XSS measure, XHTML compliant URL to be used in forms instead e_SELF
|
||||
define('e_REQUEST_URL', str_replace(array("'", '"'), array('%27', '%22'), $requestUrl));
|
||||
define('e_REQUEST_URI', str_replace(array("'", '"'), array('%27', '%22'), $requestUri));
|
||||
unset($requestUrl, $requestUri);
|
||||
// END request uri/url detection, XSS protection
|
||||
|
||||
define('e_SIGNUP', e_BASE.(file_exists(e_BASE.'customsignup.php') ? 'customsignup.php' : 'signup.php'));
|
||||
define('e_LOGIN', e_BASE.(file_exists(e_BASE.'customlogin.php') ? 'customlogin.php' : 'login.php'));
|
||||
|
||||
|
||||
|
||||
// e_SELF has the full HTML path
|
||||
$inAdminDir = FALSE;
|
||||
$isPluginDir = strpos(e_SELF,'/'.$PLUGINS_DIRECTORY) !== FALSE; // True if we're in a plugin
|
||||
|
Reference in New Issue
Block a user