21 'information_schema' ,
58 $this->mydirname =
'protector' ;
62 $this->_conf = @unserialize( $this->_conf_serialized ) ;
63 if( empty( $this->_conf ) ) $this->_conf = array() ;
65 if( ! empty( $this->_conf[
'global_disabled'] ) )
return true ;
78 $this->_bad_globals = array(
'GLOBALS' ,
'_SESSION' ,
'HTTP_SESSION_VARS' ,
'_GET' ,
'HTTP_GET_VARS' ,
'_POST' ,
'HTTP_POST_VARS' ,
'_COOKIE' ,
'HTTP_COOKIE_VARS' ,
'_SERVER' ,
'HTTP_SERVER_VARS' ,
'_REQUEST' ,
'_ENV' ,
'_FILES' ,
'xoopsDB' ,
'xoopsUser' ,
'xoopsUserId' ,
'xoopsUserGroups' ,
'xoopsUserIsAdmin' ,
'xoopsConfig' ,
'xoopsOption' ,
'xoopsModule' ,
'xoopsModuleConfig' ) ;
88 if( is_array( $val ) ) {
89 foreach( $val as $subkey => $subval ) {
91 if( in_array( $subkey , $this->_bad_globals ,
true ) ) {
92 $this->message .=
"Attempt to inject '$subkey' was found.\n" ;
93 $this->_safe_contami =
false ;
94 $this->last_error_type =
'CONTAMI' ;
100 if( @$this->_conf[
'san_nullbyte'] && strstr( $val , chr(0) ) ) {
101 $val = str_replace( chr(0) ,
' ' , $val ) ;
103 $this->message .=
"Injecting Null-byte '$val' found.\n" ;
104 $this->
output_log(
'NullByte' , 0 ,
false , 32 ) ;
109 if( preg_match(
'?[\s\'"`/]?' , $val ) ) {
110 $this->_doubtful_requests[
"$key"] = $val ;
119 if( ! isset( $instance ) ) {
128 $constpref =
'_MI_' . strtoupper( $this->mydirname ) ;
130 if( empty( $this->_conn ) )
return false ;
137 while( list( $key , $val ) = mysql_fetch_row(
$result ) ) {
138 $db_conf[ $key ] = $val ;
140 $db_conf_serialized = serialize( $db_conf ) ;
143 if( $db_conf_serialized != $this->_conf_serialized ) {
145 fwrite( $fp , $db_conf_serialized ) ;
147 $this->_conf = $db_conf ;
155 $this->_conn = $conn ;
165 function purge( $redirect_to_top =
false )
173 if( ! headers_sent() ) {
175 setcookie(
'PHPSESSID' ,
'' , time() - 3600 ,
'/' ,
'' , 0 ) ;
176 if( isset( $_COOKIE[ session_name() ] ) ) {
177 setcookie( session_name() ,
'' , time() - 3600 ,
'/' ,
'' , 0 ) ;
181 $xoops_cookie_path = defined(
'XOOPS_COOKIE_PATH') ? XOOPS_COOKIE_PATH : preg_replace(
'?http://[^/]+(/.*)$?' ,
"$1" , XOOPS_URL ) ;
182 if( $xoops_cookie_path == XOOPS_URL ) $xoops_cookie_path =
'/' ;
183 setcookie(
'autologin_uname',
'', time() - 3600, $xoops_cookie_path,
'', 0);
184 setcookie(
'autologin_pass',
'', time() - 3600, $xoops_cookie_path,
'', 0);
187 if( $redirect_to_top ) {
188 header(
'Location: '.XOOPS_URL.
'/' ) ;
192 if(
$ret ==
false ) {
193 die(
'Protector detects attacking actions' ) ;
201 if( $this->_logged )
return true ;
203 if( ! ( $this->_conf[
'log_level'] & $level ) )
return true ;
205 if( empty( $this->_conn ) ) {
207 if( ! $this->_conn ) die(
'db connection failed.' ) ;
208 if( ! mysql_select_db(
XOOPS_DB_NAME , $this->_conn ) ) die(
'db selection failed.' ) ;
212 $agent = @
$_SERVER[
'HTTP_USER_AGENT'] ;
214 if( $unique_check ) {
215 $result = mysql_query(
'SELECT ip,type FROM '.
XOOPS_DB_PREFIX.
'_'.$this->mydirname.
'_log ORDER BY timestamp DESC LIMIT 1' , $this->_conn ) ;
216 list( $last_ip , $last_type ) = mysql_fetch_row(
$result ) ;
217 if( $last_ip == $ip && $last_type ==
$type ) {
218 $this->_logged =
true ;
223 mysql_query(
"INSERT INTO ".
XOOPS_DB_PREFIX.
"_".$this->mydirname.
"_log SET ip='".addslashes($ip).
"',agent='".addslashes($agent).
"',type='".addslashes(
$type).
"',description='".addslashes($this->message).
"',uid='".intval(
$uid).
"',timestamp=NOW()" , $this->_conn ) ;
224 $this->_logged =
true ;
231 $expire = min( intval( $expire ) , time() + 300 ) ;
235 @flock( $fp , LOCK_EX ) ;
236 fwrite( $fp , $expire .
"\n" ) ;
237 @flock( $fp , LOCK_UN ) ;
249 $expire = min( intval( $expire ) , time() + 300 ) ;
257 return XOOPS_TRUST_PATH .
'/modules/protector/configs/bwlimit' . substr( md5( XOOPS_ROOT_PATH .
XOOPS_DB_USER .
XOOPS_DB_PREFIX ) , 0 , 6 ) ;
267 @flock( $fp , LOCK_EX ) ;
268 fwrite( $fp , serialize(
$bad_ips ) .
"\n" ) ;
269 @flock( $fp , LOCK_UN ) ;
280 if( empty( $ip ) ) $ip = @
$_SERVER[
'REMOTE_ADDR'] ;
281 if( empty( $ip ) )
return false ;
284 $bad_ips[ $ip ] = $jailed_time ? $jailed_time : 0x7fffffff ;
293 $bad_ips = empty( $bad_ips_serialized ) ? array() : @unserialize( $bad_ips_serialized ) ;
298 foreach(
$bad_ips as $bad_ip => $jailed_time ) {
299 if( $jailed_time >= time() ) break ;
304 if( $with_jailed_time ) {
314 return XOOPS_TRUST_PATH .
'/modules/protector/configs/badips' . substr( md5( XOOPS_ROOT_PATH .
XOOPS_DB_USER .
XOOPS_DB_PREFIX ) , 0 , 6 ) ;
321 $group1_ips = empty( $group1_ips_serialized ) ? array() : @unserialize( $group1_ips_serialized ) ;
334 return XOOPS_TRUST_PATH .
'/modules/protector/configs/group1ips' . substr( md5( XOOPS_ROOT_PATH .
XOOPS_DB_USER .
XOOPS_DB_PREFIX ) , 0 , 6 ) ;
340 return XOOPS_TRUST_PATH .
'/modules/protector/configs/configcache' . substr( md5( XOOPS_ROOT_PATH .
XOOPS_DB_USER .
XOOPS_DB_PREFIX ) , 0 , 6 ) ;
346 foreach( $ips as $ip => $info ) {
348 switch( substr( $ip , -1 ) ) {
351 if( substr( @
$_SERVER[
'REMOTE_ADDR'] , 0 , strlen( $ip ) ) == $ip ) {
352 $this->ip_matched_info = $info ;
367 if( @
$_SERVER[
'REMOTE_ADDR'] == $ip ) {
368 $this->ip_matched_info = $info ;
374 if( @preg_match( $ip , @
$_SERVER[
'REMOTE_ADDR'] ) ) {
375 $this->ip_matched_info = $info ;
382 $this->ip_matched_info = null ;
389 if( empty( $ip ) ) $ip = @
$_SERVER[
'REMOTE_ADDR'] ;
390 if( empty( $ip ) )
return false ;
391 if( ! function_exists(
'file_get_contents' ) )
return false ;
393 $target_htaccess = XOOPS_ROOT_PATH.
'/.htaccess' ;
394 $backup_htaccess = XOOPS_ROOT_PATH.
'/uploads/.htaccess.bak' ;
396 $ht_body = file_get_contents( $target_htaccess ) ;
399 if( $ht_body && ! file_exists( $backup_htaccess ) ) {
400 $fw = fopen( $backup_htaccess ,
"w" ) ;
401 fwrite( $fw , $ht_body ) ;
406 if( ! $ht_body && file_exists( $backup_htaccess ) ) {
407 $ht_body = file_get_contents( $backup_htaccess ) ;
411 if( $ht_body ===
false ) {
415 if( preg_match(
"/^(.*)#PROTECTOR#\s+(DENY FROM .*)\n#PROTECTOR#\n(.*)$/si" , $ht_body , $regs ) ) {
416 if( substr( $regs[2] , - strlen( $ip ) ) == $ip )
return true ;
417 $new_ht_body = $regs[1] .
"#PROTECTOR#\n" . $regs[2] .
" $ip\n#PROTECTOR#\n" . $regs[3] ;
419 $new_ht_body =
"#PROTECTOR#\nDENY FROM $ip\n#PROTECTOR#\n" . $ht_body ;
424 $fw = fopen( $target_htaccess ,
"w" ) ;
425 @flock( $fw , LOCK_EX ) ;
426 fwrite( $fw , $new_ht_body ) ;
427 @flock( $fw , LOCK_UN ) ;
442 if( is_array( $val ) ) {
443 foreach( $val as $subval ) {
447 if( strlen( $val ) < 6 )
return ;
448 $val = get_magic_quotes_gpc() ? stripslashes( $val ) : $val ;
449 foreach( $this->_dblayertrap_doubtful_needles as $needle ) {
450 if( stristr( $val , $needle ) ) {
451 $this->_dblayertrap_doubtfuls[] = $val ;
460 if( ! empty(
$GLOBALS[
'xoopsOption'][
'nocommon'] ) || defined(
'_LEGACY_PREVENT_EXEC_COMMON_' ) || defined(
'_LEGACY_PREVENT_LOAD_CORE_' ) )
return ;
462 $this->_dblayertrap_doubtfuls = array() ;
466 if( empty( $this->_conf[
'dblayertrap_wo_server'] ) ) {
470 if( ! empty( $this->_dblayertrap_doubtfuls ) || $force_override ) {
471 @define(
'XOOPS_DB_ALTERNATIVE' ,
'ProtectorMysqlDatabase' ) ;
472 require_once dirname(dirname(__FILE__)).
'/class/ProtectorMysqlDatabase.class.php' ;
479 if( is_array( $val ) ) {
480 foreach( $val as $subval ) {
484 if( preg_match(
'/[<\'"].{15}/s' , $val , $regs ) ) {
485 $this->_bigumbrella_doubtfuls[] = $regs[0] ;
493 $this->_bigumbrella_doubtfuls = array() ;
497 if( ! empty( $this->_bigumbrella_doubtfuls ) ) {
498 ob_start( array( $this ,
'bigumbrella_outputcheck' ) ) ;
505 if( defined(
'BIGUMBRELLA_DISABLED' ) )
return $s ;
507 if( function_exists(
'headers_list' ) ) {
508 foreach( headers_list() as $header ) {
509 if( stristr( $header ,
'Content-Type:' ) && ! stristr( $header ,
'text/html' ) ) {
515 if( ! is_array( $this->_bigumbrella_doubtfuls ) ) {
516 return "bigumbrella injection found." ;
519 foreach( $this->_bigumbrella_doubtfuls as $doubtful ) {
520 if( strstr( $s , $doubtful ) ) {
521 return "XSS found by Protector." ;
530 global $HTTP_GET_VARS , $HTTP_POST_VARS , $HTTP_COOKIE_VARS ;
532 if( $this->_done_intval )
return true ;
533 else $this->_done_intval =
true ;
535 foreach(
$_GET as $key => $val ) {
536 if( substr( $key , -2 ) ==
'id' && ! is_array(
$_GET[ $key ] ) ) {
537 $newval = preg_replace(
'/[^0-9a-zA-Z_-]/' ,
'' , $val ) ;
538 $_GET[ $key ] = $HTTP_GET_VARS[ $key ] = $newval ;
544 foreach(
$_POST as $key => $val ) {
545 if( substr( $key , -2 ) ==
'id' && ! is_array(
$_POST[ $key ] ) ) {
546 $newval = preg_replace(
'/[^0-9a-zA-Z_-]/' ,
'' , $val ) ;
547 $_POST[ $key ] = $HTTP_POST_VARS[ $key ] = $newval ;
553 foreach( $_COOKIE as $key => $val ) {
554 if( substr( $key , -2 ) ==
'id' && ! is_array( $_COOKIE[ $key ] ) ) {
555 $newval = preg_replace(
'/[^0-9a-zA-Z_-]/' ,
'' , $val ) ;
556 $_COOKIE[ $key ] = $HTTP_COOKIE_VARS[ $key ] = $newval ;
557 if(
$_REQUEST[ $key ] == $_COOKIE[ $key ] ){
569 global $HTTP_GET_VARS , $HTTP_POST_VARS , $HTTP_COOKIE_VARS ;
571 if( $this->_done_dotdot )
return true ;
572 else $this->_done_dotdot =
true ;
574 foreach(
$_GET as $key => $val ) {
575 if( is_array(
$_GET[ $key ] ) ) continue ;
576 if( substr( trim( $val ) , 0 , 3 ) ==
'../' || strstr( $val ,
'../../' ) ) {
577 $this->last_error_type =
'DirTraversal' ;
578 $this->message .=
"Directory Traversal '$val' found.\n" ;
579 $this->
output_log( $this->last_error_type , 0 ,
false , 64 ) ;
580 $sanitized_val = str_replace( chr(0) ,
'' , $val ) ;
581 if( substr( $sanitized_val , -2 ) !=
' .' ) $sanitized_val .=
' .' ;
582 $_GET[ $key ] = $HTTP_GET_VARS[ $key ] = $sanitized_val ;
623 foreach( $indexes as
$index ) {
624 $index = base64_decode( $index ) ;
625 if( ! is_array( $current ) )
return false ;
626 $current =& $current[
$index ] ;
634 global $HTTP_GET_VARS , $HTTP_POST_VARS , $HTTP_COOKIE_VARS ;
636 $index_expression =
'' ;
637 $indexes = explode(
'_' , $key ) ;
638 $base_array = array_shift( $indexes ) ;
640 switch( $base_array ) {
656 if( ! isset( $main_ref ) )
exit ;
658 if( $request_ref !==
false && $main_ref == $request_ref ) {
659 $request_ref = $val ;
669 else $this->_done_badext =
true ;
672 $bad_extensions = array(
'php' ,
'phtml' ,
'phtm' ,
'php3' ,
'php4' ,
'cgi' ,
'pl' ,
'asp' ) ;
674 $image_extensions = array( 1 =>
'gif', 2 =>
'jpg', 3 =>
'png', 4 =>
'swf', 5 =>
'psd', 6 =>
'bmp', 7 =>
'tif', 8 =>
'tif', 9 =>
'jpc', 10 =>
'jp2', 11 =>
'jpx', 12 =>
'jb2', 13 =>
'swc', 14 =>
'iff', 15 =>
'wbmp', 16 =>
'xbm' ) ;
676 foreach( $_FILES as $_file ) {
677 if( ! empty( $_file[
'error'] ) ) continue ;
678 if( ! empty( $_file[
'name'] ) && is_string( $_file[
'name'] ) ) {
679 $ext = strtolower( substr( strrchr( $_file[
'name'] ,
'.' ) , 1 ) ) ;
681 else if(
$ext ==
'tiff' )
$ext =
'tif' ;
684 if( count( explode(
'.' , str_replace(
'.tar.gz' ,
'.tgz' , $_file[
'name'] ) ) ) > 2 ) {
685 $this->message .=
"Attempt to multiple dot file {$_file['name']}.\n" ;
686 $this->_safe_badext =
false ;
687 $this->last_error_type =
'UPLOAD' ;
691 if( in_array(
$ext , $bad_extensions ) ) {
692 $this->message .=
"Attempt to upload {$_file['name']}.\n" ;
693 $this->_safe_badext =
false ;
694 $this->last_error_type =
'UPLOAD' ;
698 if( in_array(
$ext , $image_extensions ) ) {
699 $image_attributes = @getimagesize( $_file[
'tmp_name'] ) ;
700 if( $image_attributes ===
false && is_uploaded_file( $_file[
'tmp_name'] ) ) {
702 $temp_file = XOOPS_ROOT_PATH.
'/uploads/protector_upload_temporary'.md5( time() ) ;
703 move_uploaded_file( $_file[
'tmp_name'] , $temp_file ) ;
704 $image_attributes = @getimagesize( $temp_file ) ;
705 @unlink( $temp_file ) ;
708 if( $image_attributes ===
false || $image_extensions[ intval( $image_attributes[2] ) ] !=
$ext ) {
709 $this->message .=
"Attempt to upload camouflaged image file {$_file['name']}.\n" ;
710 $this->_safe_badext =
false ;
711 $this->last_error_type =
'UPLOAD' ;
741 else $this->_done_isocom =
true ;
743 foreach( $this->_doubtful_requests as $key => $val ) {
745 while( $str = strstr( $str ,
'/*' ) ) {
746 $str = strstr( substr( $str , 2 ) ,
'*/' ) ;
747 if( $str ===
false ) {
748 $this->message .=
"Isolated comment-in found. ($val)\n" ;
750 $this->_safe_isocom =
false ;
751 $this->last_error_type =
'ISOCOM' ;
762 else $this->_done_union =
true ;
764 foreach( $this->_doubtful_requests as $key => $val ) {
766 $str = str_replace( array(
'/*' ,
'*/' ) ,
'' , preg_replace(
'?/\*.+\*/?sU' ,
'' , $val ) ) ;
767 if( preg_match(
'/\sUNION\s+(ALL|SELECT)/i' , $str ) ) {
768 $this->message .=
"Pattern like SQL injection found. ($val)\n" ;
769 if( $sanitize ) $this->
replace_doubtful( $key , preg_replace(
'/union/i' ,
'uni-on' , $val ) ) ;
770 $this->_safe_union =
false ;
771 $this->last_error_type =
'UNION' ;
779 if (!function_exists(
'curl_init'))
return false;
781 if (
$_SERVER[
'REQUEST_METHOD'] !=
'POST')
return false;
786 $url =
"http://www.stopforumspam.com/api?" .
$query;
788 curl_setopt($ch, CURLOPT_URL,
$url);
789 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
790 curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
791 $result = unserialize(curl_exec($ch));
795 if (isset(
$result[
'email']) && isset(
$result[
'email'][
'lastseen'])) {
800 $last = strtotime(
$result[
'ip'][
'lastseen']);
801 $oneMonth = 60*60*24*31;
802 $oneMonthAgo = time() - $oneMonth;
803 if ($last > $oneMonthAgo) {
808 if (!$spammer)
return false;
810 $this->last_error_type =
'SPAMMER POST' ;
812 switch ($this->_conf[
'stopforumspam_action']) {
818 $this->message .=
"POST deleted for IP:" .
$_SERVER[
'REMOTE_ADDR'];
822 $this->message .=
"BAN and POST deleted for IP:" .
$_SERVER[
'REMOTE_ADDR'];
823 $this->_should_be_banned_time0 =
true;
827 $this->message .=
"Ban and POST deleted for IP:" .
$_SERVER[
'REMOTE_ADDR'];
828 $this->_should_be_banned =
true;
842 if( $this->_done_dos )
return true ;
846 $ip4sql = addslashes( $ip ) ;
847 $uri4sql = addslashes( $uri ) ;
848 if( empty( $ip ) || $ip ==
'' )
return true ;
851 $result = $xoopsDB->queryF(
"DELETE FROM ".$xoopsDB->prefix($this->mydirname.
"_access").
" WHERE expire < UNIX_TIMESTAMP()" ) ;
855 $this->_done_dos =
true ;
860 $sql4insertlog =
"INSERT INTO ".$xoopsDB->prefix($this->mydirname.
"_access").
" SET ip='$ip4sql',request_uri='$uri4sql',expire=UNIX_TIMESTAMP()+'".intval($this->_conf[
'dos_expire']).
"'" ;
863 if( @$this->_conf[
'bwlimit_count'] >= 10 ) {
864 $result = $xoopsDB->query(
"SELECT COUNT(*) FROM ".$xoopsDB->prefix($this->mydirname.
"_access") ) ;
865 list( $bw_count ) = $xoopsDB->fetchRow(
$result ) ;
866 if( $bw_count > $this->_conf[
'bwlimit_count'] ) {
872 $result = $xoopsDB->query(
"SELECT COUNT(*) FROM ".$xoopsDB->prefix($this->mydirname.
"_access").
" WHERE ip='$ip4sql' AND request_uri='$uri4sql'" ) ;
873 list( $f5_count ) = $xoopsDB->fetchRow(
$result ) ;
874 if( $f5_count > $this->_conf[
'dos_f5count'] ) {
877 $xoopsDB->queryF( $sql4insertlog ) ;
886 $this->_done_dos =
true ;
887 $this->last_error_type =
'DoS' ;
888 switch( $this->_conf[
'dos_f5action'] ) {
897 if( $can_ban ) $this->
register_bad_ips( time() + $this->_conf[
'banip_time0'] ) ;
913 if( trim( $this->_conf[
'dos_crsafe'] ) !=
'' && preg_match( $this->_conf[
'dos_crsafe'] , @
$_SERVER[
'HTTP_USER_AGENT'] ) ) {
915 $this->_done_dos =
true ;
920 $result = $xoopsDB->query(
"SELECT COUNT(*) FROM ".$xoopsDB->prefix($this->mydirname.
"_access").
" WHERE ip='$ip4sql'" ) ;
921 list( $crawler_count ) = $xoopsDB->fetchRow(
$result ) ;
924 $xoopsDB->queryF( $sql4insertlog ) ;
926 if( $crawler_count > $this->_conf[
'dos_crcount'] ) {
932 $this->_done_dos =
true ;
933 $this->last_error_type =
'CRAWLER' ;
934 switch( $this->_conf[
'dos_craction'] ) {
943 if( $can_ban ) $this->
register_bad_ips( time() + $this->_conf[
'banip_time0'] ) ;
969 $ip4sql = addslashes( $ip ) ;
970 $uri4sql = addslashes( $uri ) ;
971 if( empty( $ip ) || $ip ==
'' )
return true ;
973 $victim_uname = empty( $_COOKIE[
'autologin_uname'] ) ?
$_POST[
'uname'] : $_COOKIE[
'autologin_uname'] ;
975 if( $victim_uname ==
'deleted' )
return ;
976 $mal4sql = addslashes(
"BRUTE FORCE: $victim_uname" ) ;
979 $result = $xoopsDB->queryF(
"DELETE FROM ".$xoopsDB->prefix($this->mydirname.
"_access").
" WHERE expire < UNIX_TIMESTAMP()" ) ;
982 $sql4insertlog =
"INSERT INTO ".$xoopsDB->prefix($this->mydirname.
"_access").
" SET ip='$ip4sql',request_uri='$uri4sql',malicious_actions='$mal4sql',expire=UNIX_TIMESTAMP()+600" ;
985 $result = $xoopsDB->query(
"SELECT COUNT(*) FROM ".$xoopsDB->prefix($this->mydirname.
"_access").
" WHERE ip='$ip4sql' AND malicious_actions like 'BRUTE FORCE:%'" ) ;
986 list( $bf_count ) = $xoopsDB->fetchRow(
$result ) ;
987 if( $bf_count > $this->_conf[
'bf_count'] ) {
989 $this->last_error_type =
'BruteForce' ;
990 $this->message .=
"Trying to login as '".addslashes($victim_uname).
"' found.\n" ;
991 $this->
output_log(
'BRUTE FORCE' , 0 ,
true , 1 ) ;
996 $xoopsDB->queryF( $sql4insertlog ) ;
1002 if( is_array( $val ) ) {
1003 foreach( $val as $subval ) {
1008 $path_array = parse_url( XOOPS_URL ) ;
1009 $http_host = empty( $path_array[
'host'] ) ?
'www.xoops.org' : $path_array[
'host'] ;
1013 foreach( preg_split(
'#https?\:\/\/#i' , $val ) as $fragment ) {
1014 if( strncmp( $fragment , $http_host , strlen( $http_host ) ) !== 0 ) {
1018 if( $count > 0 ) $this->_spamcount_uri += $count ;
1021 $this->_spamcount_uri += count( preg_split(
'/\[url=(?!http|\\"http|\\\'http|'.$http_host.
')/i' , $val ) ) - 1 ;
1028 $this->_spamcount_uri = 0 ;
1031 if( $this->_spamcount_uri >= $points4deny ) {
1032 $this->message .= @
$_SERVER[
'REQUEST_URI'].
" SPAM POINT: $this->_spamcount_uri\n" ;
1042 global $HTTP_POST_VARS , $HTTP_GET_VARS , $HTTP_COOKIE_VARS ;
1046 $error_reporting_level = error_reporting( 0 ) ;
1052 if( $this->_conf[
'disable_features'] & 1 ) {
1055 if( substr( @
$_SERVER[
'SCRIPT_NAME'] , -10 ) ==
'xmlrpc.php' ) {
1056 $this->
output_log(
'xmlrpc' , 0 ,
true , 1 ) ;
1061 if(
$_POST[
'uname'] ===
'0' || $_COOKIE[
'autologin_pass'] ===
'0' ) {
1071 if( $this->_conf[
'disable_features'] & 1024 ) {
1074 if( ! stristr( @
$_SERVER[
'SCRIPT_NAME'] ,
'modules' ) ) {
1076 if( substr( @
$_SERVER[
'SCRIPT_NAME'] , -8 ) ==
'misc.php' && (
$_GET[
'type'] ==
'debug' ||
$_POST[
'type'] ==
'debug' ) && ! preg_match(
'/^dummy_[0-9]+\.html$/' ,
$_GET[
'file'] ) ) {
1082 if( substr( @
$_SERVER[
'SCRIPT_NAME'] , -8 ) ==
'misc.php' && (
$_GET[
'type'] ==
'smilies' ||
$_POST[
'type'] ==
'smilies' ) && ! preg_match(
'/^[0-9a-z_]*$/i' ,
$_GET[
'target'] ) ) {
1088 if( substr( @
$_SERVER[
'SCRIPT_NAME'] , -12 ) ==
'edituser.php' &&
$_POST[
'op'] ==
'avatarchoose' && strstr(
$_POST[
'user_avatar'] ,
'..' ) ) {
1089 $this->
output_log(
'edituser avatarchoose' ) ;
1095 if( substr( @
$_SERVER[
'SCRIPT_NAME'] , -24 ) ==
'modules/system/admin.php' && (
$_GET[
'fct'] ==
'findusers' ||
$_POST[
'fct'] ==
'findusers' ) ) {
1096 foreach(
$_POST as $key => $val ) {
1097 if( strstr( $key ,
"'" ) || strstr( $val ,
"'" ) ) {
1106 if( substr( @
$_SERVER[
'SCRIPT_NAME'] , -23 ) ==
'modules/news/submit.php' && isset(
$_POST[
'preview'] ) && strpos( @
$_SERVER[
'HTTP_REFERER'] , XOOPS_URL.
'/modules/news/submit.php' ) !== 0 ) {
1107 $HTTP_POST_VARS[
'nohtml'] =
$_POST[
'nohtml'] = 1 ;
1110 if( substr( @
$_SERVER[
'SCRIPT_NAME'] , -28 ) ==
'modules/news/admin/index.php' && (
$_POST[
'op'] ==
'preview' ||
$_GET[
'op'] ==
'preview' ) && strpos( @
$_SERVER[
'HTTP_REFERER'] , XOOPS_URL.
'/modules/news/admin/index.php' ) !== 0 ) {
1111 $HTTP_POST_VARS[
'nohtml'] =
$_POST[
'nohtml'] = 1 ;
1114 if( isset(
$_POST[
'com_dopreview'] ) && ! strstr( substr( @
$_SERVER[
'HTTP_REFERER'] , -16 ) ,
'comment_post.php' ) ) {
1115 $HTTP_POST_VARS[
'dohtml'] =
$_POST[
'dohtml'] = 0 ;
1118 if( substr( @
$_SERVER[
'SCRIPT_NAME'] , -24 ) ==
'modules/system/admin.php' && (
$_GET[
'fct'] ==
'blocksadmin' ||
$_POST[
'fct'] ==
'blocksadmin') && isset(
$_POST[
'previewblock'] ) ) {
1119 die(
"Danger! don't use this preview. Use 'altsys module' instead.(by Protector)" ) ;
1122 if( substr( @
$_SERVER[
'SCRIPT_NAME'] , -24 ) ==
'modules/system/admin.php' && (
$_GET[
'fct'] ==
'tplsets' ||
$_POST[
'fct'] ==
'tplsets') ) {
1123 if(
$_POST[
'op'] ==
'previewpopup' ||
$_GET[
'op'] ==
'previewpopup' || isset(
$_POST[
'previewtpl'] ) ) {
1124 die(
"Danger! don't use this preview.(by Protector)" ) ;
1132 error_reporting( $error_reporting_level ) ;
1138 require_once dirname(__FILE__).
'/ProtectorFilter.php' ;
1140 $ret = $filter_handler->execute(
$type ) ;
1141 if(
$ret ==
false && $dying_message ) {
1142 die( $dying_message ) ;