1: <?php
2:
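/**
 * Protector "postcommon" hook, run after the XOOPS core has finished bootstrapping.
 *
 * In order: refreshes module info on the system preferences page, warns when the
 * configs directory is not writable, loads the Protector configuration from the DB,
 * warns about the known-vulnerable phpmailer shipped with some old cores, enforces
 * the group-1 (admin) IP allow-list, honours the "reliable IPs" bypass, runs the
 * brute-force / StopForumSpam / bad-IP / DoS checks, purges sessions whose client
 * IP moved outside the configured subnet, runs the SQL isolated-comment and UNION
 * checks, the POST spam checks and finally the postcommon filters.
 *
 * Reads the globals $xoopsUser and $xoopsModule and the superglobals $_SERVER,
 * $_GET, $_POST, $_COOKIE and $_SESSION. Requires PHP >= 7.0 (unserialize()
 * with the allowed_classes option).
 *
 * @return bool|null true when processing stops early (no configuration, Protector
 *                   globally disabled, or the client matched a reliable IP), null
 *                   otherwise. Terminates the request via die() when a group-1
 *                   user connects from an IP outside the allow-list.
 */
function protector_postcommon()
{
    global $xoopsUser, $xoopsModule;

    $xoops_version = defined('XOOPS_VERSION') ? (string)XOOPS_VERSION : '';
    $request_uri   = isset($_SERVER['REQUEST_URI']) ? (string)$_SERVER['REQUEST_URI'] : '';

    // On cores newer than 2.0 the preferences page needs the module info loaded
    // before the core renders it.
    if (substr($xoops_version, 6, 3) > 2.0 && false !== stripos($request_uri, 'modules/system/admin.php?fct=preferences')) {
        $module_handler = xoops_getHandler('module');
        $module         = $module_handler->get(isset($_GET['mod']) ? (int)$_GET['mod'] : 0);
        if (is_object($module)) {
            $module->getInfo();
        }
    }

    if ($request_uri === '/admin.php' && !is_writable(dirname(__DIR__) . '/configs')) {
        trigger_error('You should turn the directory ' . dirname(__DIR__) . '/configs writable', E_USER_WARNING);
    }

    require_once dirname(__DIR__) . '/class/protector.php';
    $db        = XoopsDatabaseFactory::getDatabaseConnection();
    $protector = Protector::getInstance();
    $protector->setConn($db->conn);
    $protector->updateConfFromDb();
    $conf = $protector->getConf();
    if (empty($conf)) {
        return true;
    }

    // These core releases ship a class.phpmailer.php (recognised by its md5) that is
    // unsafe when the "sendmail" mail method is selected.
    if (in_array(substr($xoops_version, 0, 12), ['XOOPS 2.0.16', 'XOOPS 2.0.13', 'XOOPS 2.2.4'], true)) {
        $config_handler    = xoops_getHandler('config');
        $xoopsMailerConfig = $config_handler->getConfigsByCat(XOOPS_CONF_MAILER);
        if ($xoopsMailerConfig['mailmethod'] === 'sendmail' && md5_file(XOOPS_ROOT_PATH . '/class/mail/phpmailer/class.phpmailer.php') === 'ee1c09a8e579631f0511972f929fe36a') {
            echo '<strong>phpmailer security hole! Change the preferences of mail from "sendmail" to another, or upgrade the core right now! (message by protector)</strong>';
        }
    }

    if (!empty($conf['global_disabled'])) {
        return true;
    }

    // Reads a serialized array stored under $conf[$key]. Anything that is missing,
    // not a string, or does not unserialize to an array yields []. allowed_classes
    // is disabled so a tampered configuration row cannot instantiate objects.
    $conf_array = static function ($key) use ($conf) {
        $raw = isset($conf[$key]) ? $conf[$key] : '';
        if (!is_string($raw) || $raw === '') {
            return [];
        }
        $value = @unserialize($raw, ['allowed_classes' => false]);

        return is_array($value) ? $value : [];
    };

    // Group-1 (admin) accounts may be restricted to an IP allow-list. Group ids may
    // arrive as numeric strings, so the membership test is deliberately loose.
    if (is_object($xoopsUser) && in_array(1, $xoopsUser->getGroups())) {
        $group1_ips = $protector->get_group1_ips(true);
        if (implode('', array_keys($group1_ips))) {
            $group1_allow = $protector->ip_match($group1_ips);
            if (empty($group1_allow)) {
                die('This account is disabled for your IP by Protector.<br>Clear cookie if you want to access this site as a guest.');
            }
        }
    }

    // Reliable IPs bypass every check below. Each entry is used as an *unanchored*
    // PCRE body, so a bare address such as "10.0.0.1" also matches "110.0.0.12";
    // entries should be anchored and have their dots escaped. A malformed entry
    // (or one containing the "/" delimiter) makes preg_match() return false and
    // is skipped rather than trusted.
    $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? (string)$_SERVER['REMOTE_ADDR'] : '';
    foreach ($conf_array('reliable_ips') as $reliable_ip) {
        if (!is_string($reliable_ip) || empty($reliable_ip)) {
            continue;
        }
        if (preg_match('/' . $reliable_ip . '/', $remote_addr)) {
            return true;
        }
    }

    if (is_object($xoopsUser)) {
        $uid = $xoopsUser->getVar('uid');
        // Members of a "bip_except" group are never IP-banned.
        $can_ban = count(array_intersect($xoopsUser->getGroups(), $conf_array('bip_except'))) === 0;
    } else {
        // A guest presenting credentials (login form or autologin cookie) feeds
        // the brute-force counter.
        if ((!empty($_POST['uname']) && !empty($_POST['pass'])) || (!empty($_COOKIE['autologin_uname']) && !empty($_COOKIE['autologin_pass']))) {
            $protector->check_brute_force();
        }
        $uid     = 0;
        $can_ban = true;
    }

    // An unset action behaves like any value other than 'none': the check runs.
    if (!isset($conf['stopforumspam_action']) || $conf['stopforumspam_action'] !== 'none') {
        $protector->stopforumspam($uid);
    }

    // Flags set by the checks above: permanent ban first, else a time-limited one.
    if ($can_ban && $protector->_should_be_banned) {
        $protector->register_bad_ips();
    } elseif ($can_ban && $protector->_should_be_banned_time0) {
        $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
    }

    // DoS check is skipped for the module dirnames listed in dos_skipmodules
    // ("|"-separated), or when the including code defines PROTECTOR_SKIP_DOS_CHECK.
    $dos_skipping  = false;
    $skip_dirnames = explode('|', isset($conf['dos_skipmodules']) ? (string)$conf['dos_skipmodules'] : '');
    if (is_object($xoopsModule)) {
        $dos_skipping = in_array($xoopsModule->getVar('dirname'), $skip_dirnames, true);
    } else {
        // Outside a module context fall back to a substring match on the working directory.
        $cwd = (string)getcwd();
        foreach ($skip_dirnames as $skip_dirname) {
            if (!empty($skip_dirname) && false !== strpos($cwd, $skip_dirname)) {
                $dos_skipping = true;
                break;
            }
        }
    }
    if (defined('PROTECTOR_SKIP_DOS_CHECK')) {
        $dos_skipping = true;
    }
    if (!$dos_skipping && !$protector->check_dos_attack($uid, $can_ban)) {
        $protector->output_log($protector->last_error_type, $uid, true, 16);
    }

    // session_fixed_topbit is "<ipv4 bits>/<ipv6 bits>"; defaults are /24 and /56.
    $masks     = isset($conf['session_fixed_topbit']) ? (string)$conf['session_fixed_topbit'] : '';
    $maskArray = explode('/', $masks);
    $ipv4Mask  = empty($maskArray[0]) ? 24 : $maskArray[0];
    $ipv6Mask  = !isset($maskArray[1]) ? 56 : $maskArray[1];
    $ip        = \Xmf\IPAddress::fromRequest();
    $maskCheck = true;
    if (isset($_SESSION['protector_last_ip'])) {
        $maskCheck = $ip->sameSubnet($_SESSION['protector_last_ip'], $ipv4Mask, $ipv6Mask);
    }
    // A session whose client IP left the configured subnet is purged for members
    // of the groups_denyipmove groups.
    if (!$maskCheck && is_object($xoopsUser) && count(array_intersect($xoopsUser->getGroups(), $conf_array('groups_denyipmove')))) {
        $protector->purge(true);
    }
    $_SESSION['protector_last_ip'] = $ip->asReadable();

    // Shared reaction to a failed SQL-injection check. $action is the *_action
    // bitmask: 8 = permanent ban, 4 = time-limited ban (banip_time0), 2 = purge
    // the session after logging; bit 1 is passed to the check itself.
    $react_to_injection = static function ($action, $log_type) use ($protector, $uid, $can_ban) {
        if (($action & 8) && $can_ban) {
            $protector->register_bad_ips();
        } elseif (($action & 4) && $can_ban) {
            $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
        }
        $protector->output_log($log_type, $uid, true, 32);
        if ($action & 2) {
            $protector->purge();
        }
    };

    $isocom_action = isset($conf['isocom_action']) ? (int)$conf['isocom_action'] : 0;
    if (!$protector->check_sql_isolatedcommentin($isocom_action & 1)) {
        $react_to_injection($isocom_action, 'ISOCOM');
    }

    $union_action = isset($conf['union_action']) ? (int)$conf['union_action'] : 0;
    if (!$protector->check_sql_union($union_action & 1)) {
        $react_to_injection($union_action, 'UNION');
    }

    if (!empty($_POST)) {
        // URI-count spam check; admins are exempt, guests use their own threshold.
        if (is_object($xoopsUser)) {
            if (!$xoopsUser->isAdmin() && !empty($conf['spamcount_uri4user'])) {
                $protector->spam_check((int)$conf['spamcount_uri4user'], $xoopsUser->getVar('uid'));
            }
        } elseif (!empty($conf['spamcount_uri4guest'])) {
            $protector->spam_check((int)$conf['spamcount_uri4guest'], 0);
        }

        $protector->call_filter('postcommon_post');
    }

    $script = isset($_SERVER['SCRIPT_FILENAME']) ? basename((string)$_SERVER['SCRIPT_FILENAME']) : '';
    if ($script === 'register.php') {
        $protector->call_filter('postcommon_register');
    }

    return null;
}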
190: