X-Git-Url: http://git.cyclocoop.org/?p=lhc%2Fweb%2Fclavette_www.git;a=blobdiff_plain;f=www%2Fconfig%2Fecran_securite.php;h=ba47691976cc7bfe7a84f578fdeb5992c8150a89;hp=bcf617981f1dcf0f61be91278163d1290f8e65be;hb=cc641eb476987612f6d6df1a5417c1c5582a8ab8;hpb=7d84a490677fb716a1fd4df260f8eab35f6a8506
diff --git a/www/config/ecran_securite.php b/www/config/ecran_securite.php
index bcf6179..ba47691 100644
--- a/www/config/ecran_securite.php
+++ b/www/config/ecran_securite.php
@@ -5,7 +5,7 @@
 * ------------------
 */
-define('_ECRAN_SECURITE', '1.2.2'); // 2014-12-01
+define('_ECRAN_SECURITE', '1.3.0'); // 2017-03-06
 /*
 * Documentation : http://www.spip.net/fr_article4200.html
@@ -17,20 +17,29 @@ define('_ECRAN_SECURITE', '1.2.2'); // 2014-12-01
 if (isset($_GET['test_ecran_securite']))
 $ecran_securite_raison = 'test '._ECRAN_SECURITE;
+/*
+ * Monitoring
+ * var_isbot=0 peut etre utilise par un bot de monitoring pour surveiller la disponibilite d'un site vu par les users
+ * var_isbot=1 peut etre utilise pour monitorer la disponibilite pour les bots (sujets a 503 de delestage si
+ * le load depasse ECRAN_SECURITE_LOAD)
+ */
+if (!defined('_IS_BOT') and isset($_GET['var_isbot']))
+ define('_IS_BOT',$_GET['var_isbot']?true:false);
+
 /*
 * Détecteur de robot d'indexation
 */
 if (!defined('_IS_BOT'))
 define('_IS_BOT', isset($_SERVER['HTTP_USER_AGENT'])
- AND preg_match(
+ and preg_match(
 // mots generiques
 ',bot|slurp|crawler|spider|webvac|yandex|'
 // MSIE 6.0 est un botnet 99,9% du temps, on traite donc ce USER_AGENT comme un bot
 . 'MSIE 6\.0|'
 // UA plus cibles
- . '80legs|accoona|AltaVista|ASPSeek|Baidu|Charlotte|EC2LinkFinder|eStyle|Google|Genieo|INA dlweb|InfegyAtlas|Java VM|LiteFinder|Lycos|Rambler|Scooter|ScrubbyBloglines|Yahoo|Yeti'
- . ',i',(string) $_SERVER['HTTP_USER_AGENT'])
+ . '80legs|accoona|AltaVista|ASPSeek|Baidu|Charlotte|EC2LinkFinder|eStyle|flipboard|hootsuite|FunWebProducts|Google|Genieo|INA dlweb|InfegyAtlas|Java VM|LiteFinder|Lycos|MegaIndex|MetaURI|Moreover|Rambler|Scrapy|Scooter|ScrubbyBloglines|Yahoo|Yeti'
+ . ',i', (string) $_SERVER['HTTP_USER_AGENT'])
 );
 /*
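Review bot: The `var_isbot` override in the new block is honoured for any unauthenticated GET, so a client chooses its own bot status: with `var_isbot=0` it is exempt from the `_IS_BOT`-only rules further down in this file (the agenda/double-pagination block and the 503 load shedding), and with `var_isbot=1` it opts into shedding. The comment documents the monitoring use but not that consequence; if an open override is intended, say so next to the `define`, e.g. `// NOTE: unauthenticated — any client may opt out of the _IS_BOT-only rules below`, otherwise gate it on a shared secret compared with `hash_equals()` or on the monitoring hosts' addresses. Minor: `$_GET['var_isbot'] ? true : false` is just `(bool) $_GET['var_isbot']`.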
@@ -41,32 +50,32 @@ if (!defined('_IS_BOT')) * (id_base est une variable de la config des widgets de WordPress) */ foreach ($_GET as $var => $val) - if ($_GET[$var] AND strncmp($var,"id_",3)==0 - AND !in_array($var, array('id_table','id_base'))) - $_GET[$var] = is_array($_GET[$var])?@array_map('intval',$_GET[$var]):intval($_GET[$var]); + if ($_GET[$var] and strncmp($var, "id_", 3) == 0 + and !in_array($var, array('id_table', 'id_base'))) + $_GET[$var] = is_array($_GET[$var])?@array_map('intval', $_GET[$var]):intval($_GET[$var]); foreach ($_POST as $var => $val) - if ($_POST[$var] AND strncmp($var,"id_",3)==0 - AND !in_array($var, array('id_table','id_base'))) - $_POST[$var] = is_array($_POST[$var])?@array_map('intval',$_POST[$var]):intval($_POST[$var]); + if ($_POST[$var] and strncmp($var, "id_", 3) == 0 + and !in_array($var, array('id_table', 'id_base'))) + $_POST[$var] = is_array($_POST[$var])?@array_map('intval', $_POST[$var]):intval($_POST[$var]); foreach ($GLOBALS as $var => $val) - if ($GLOBALS[$var] AND strncmp($var,"id_",3)==0 - AND !in_array($var, array('id_table','id_base'))) - $GLOBALS[$var] = is_array($GLOBALS[$var])?@array_map('intval',$GLOBALS[$var]):intval($GLOBALS[$var]); + if ($GLOBALS[$var] and strncmp($var, "id_", 3) == 0 + and !in_array($var, array('id_table', 'id_base'))) + $GLOBALS[$var] = is_array($GLOBALS[$var])?@array_map('intval', $GLOBALS[$var]):intval($GLOBALS[$var]); /* * Interdit la variable $cjpeg_command, qui était utilisée sans * précaution dans certaines versions de dev (1.8b2 -> 1.8b5) */ -$cjpeg_command=''; +$cjpeg_command = ''; /* * Contrôle de quelques variables (XSS) */ -foreach(array('lang', 'var_recherche', 'aide', 'var_lang_r', 'lang_r', 'var_ajax_ancre') as $var) { +foreach(array('lang', 'var_recherche', 'aide', 'var_lang_r', 'lang_r', 'var_ajax_ancre', 'nom_fichier') as $var) { if (isset($_GET[$var])) - $_REQUEST[$var] = $GLOBALS[$var] = $_GET[$var] = preg_replace(',[^\w\,/#&;-]+,',' ',(string)$_GET[$var]); + 
$_REQUEST[$var] = $GLOBALS[$var] = $_GET[$var] = preg_replace(',[^\w\,/#&;-]+,', ' ', (string)$_GET[$var]); if (isset($_POST[$var])) - $_REQUEST[$var] = $GLOBALS[$var] = $_POST[$var] = preg_replace(',[^\w\,/#&;-]+,',' ',(string)$_POST[$var]); + $_REQUEST[$var] = $GLOBALS[$var] = $_POST[$var] = preg_replace(',[^\w\,/#&;-]+,', ' ', (string)$_POST[$var]); } /* 
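Review bot: `nom_fichier` is added to the character filter on the last lines of the hunk, but that filter only blanks characters outside `[\w\,/#&;-]`, so `/` is kept while `.` (hence `..`) becomes a space; if `nom_fichier` is used as a file name downstream, confirm a path separator is acceptable there, or give it a stricter rule like the `exec` check's `preg_match(',^[\w-]+$,', ...)`. The rest of the hunk is spacing and `AND`→`and` normalization with unchanged semantics (both spell the same low-precedence operator). The `$_GET`/`$_POST`/`$GLOBALS` loops are complete within the hunk.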
@@ -79,38 +88,47 @@ if (preg_match(',^(.*/)?spip_acces_doc\.,', (string)$_SERVER['REQUEST_URI'])) { /* * Pas d'inscription abusive */ -if (isset($_REQUEST['mode']) AND isset($_REQUEST['page']) -AND !in_array($_REQUEST['mode'],array("6forum","1comite")) -AND $_REQUEST['page'] == "identifiants") +if (isset($_REQUEST['mode']) and isset($_REQUEST['page']) +and !in_array($_REQUEST['mode'], array("6forum", "1comite")) +and $_REQUEST['page'] == "identifiants") $ecran_securite_raison = "identifiants"; /* * Agenda joue à l'injection php */ if (isset($_REQUEST['partie_cal']) -AND $_REQUEST['partie_cal'] !== htmlentities((string)$_REQUEST['partie_cal'])) +and $_REQUEST['partie_cal'] !== htmlentities((string)$_REQUEST['partie_cal'])) $ecran_securite_raison = "partie_cal"; if (isset($_REQUEST['echelle']) -AND $_REQUEST['echelle'] !== htmlentities((string)$_REQUEST['echelle'])) +and $_REQUEST['echelle'] !== htmlentities((string)$_REQUEST['echelle'])) $ecran_securite_raison = "echelle"; /* * Espace privé */ if (isset($_REQUEST['exec']) -AND !preg_match(',^[\w-]+$,', (string)$_REQUEST['exec'])) +and !preg_match(',^[\w-]+$,', (string)$_REQUEST['exec'])) $ecran_securite_raison = "exec"; if (isset($_REQUEST['cherche_auteur']) -AND preg_match(',[<],', (string)$_REQUEST['cherche_auteur'])) +and preg_match(',[<],', (string)$_REQUEST['cherche_auteur'])) $ecran_securite_raison = "cherche_auteur"; if (isset($_REQUEST['exec']) -AND $_REQUEST['exec'] == 'auteurs' -AND preg_match(',[<],', (string)$_REQUEST['recherche'])) +and $_REQUEST['exec'] == 'auteurs' +and preg_match(',[<],', (string)$_REQUEST['recherche'])) $ecran_securite_raison = "recherche"; +if (isset($_REQUEST['exec']) +and $_REQUEST['exec'] == 'info_plugin' +and preg_match(',[<],', (string)$_REQUEST['plugin'])) + $ecran_securite_raison = "plugin"; +if (isset($_REQUEST['exec']) +and $_REQUEST['exec'] == 'puce_statut' +and isset($_REQUEST['id']) +and !intval($_REQUEST['id'])) + $ecran_securite_raison = "puce_statut"; if 
(isset($_REQUEST['action']) -AND $_REQUEST['action'] == 'configurer') { +and $_REQUEST['action'] == 'configurer') { if (@file_exists('inc_version.php') - OR @file_exists('ecrire/inc_version.php')) { + or @file_exists('ecrire/inc_version.php')) { function action_configurer() { include_spip('inc/autoriser'); if(!autoriser('configurer', _request('configuration'))) { @@ -138,7 +156,7 @@ if (strpos( * Bloque les requêtes fond=formulaire_ */ if (isset($_REQUEST['fond']) -AND preg_match(',^formulaire_,i', $_REQUEST['fond'])) +and preg_match(',^formulaire_,i', $_REQUEST['fond'])) $ecran_securite_raison = "fond=formulaire_"; /* @@ -152,9 +170,9 @@ if (isset($_REQUEST['GLOBALS'])) * les agenda * les paginations entremélées */ -if (_IS_BOT AND ( - (isset($_REQUEST['echelle']) AND isset($_REQUEST['partie_cal']) AND isset($_REQUEST['type'])) - OR (strpos((string)$_SERVER['REQUEST_URI'],'debut_') AND preg_match(',[?&]debut_.*&debut_,', (string)$_SERVER['REQUEST_URI'])) +if (_IS_BOT and ( + (isset($_REQUEST['echelle']) and isset($_REQUEST['partie_cal']) and isset($_REQUEST['type'])) + or (strpos((string)$_SERVER['REQUEST_URI'], 'debut_') and preg_match(',[?&]debut_.*&debut_,', (string)$_SERVER['REQUEST_URI'])) ) ) $ecran_securite_raison = "robot agenda/double pagination"; @@ -164,12 +182,12 @@ if (_IS_BOT AND ( * Bloque un XSS sur une page inexistante */ if (isset($_REQUEST['page'])) { - if ($_REQUEST['page']=='test_cfg') + if ($_REQUEST['page'] == 'test_cfg') $ecran_securite_raison = "test_cfg"; if ($_REQUEST['page'] !== htmlspecialchars((string)$_REQUEST['page'])) $ecran_securite_raison = "xsspage"; if ($_REQUEST['page'] == '404' - AND isset($_REQUEST['erreur'])) + and isset($_REQUEST['erreur'])) $ecran_securite_raison = "xss404"; } 
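Review bot: The new `info_plugin` rule reads `$_REQUEST['plugin']` with no `isset`, unlike the `puce_statut` rule next to it that guards `$_REQUEST['id']`, so `exec=info_plugin` without a `plugin` parameter raises an undefined-index notice (a warning on PHP 8) on every such request; add `and isset($_REQUEST['plugin'])` before the `preg_match` (the pre-existing `recherche` line has the same gap). In the `puce_statut` rule, `!intval($_REQUEST['id'])` does not reject an array-valued `id`, since `intval()` of a non-empty array is 1; `!intval((string)$_REQUEST['id'])` follows the cast convention used by the surrounding checks. The `action == 'configurer'` block at the end of the hunk continues outside it.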
@@ -177,7 +195,7 @@ if (isset($_REQUEST['page'])) { * XSS par array */ foreach (array('var_login') as $var) -if (isset($_REQUEST[$var]) AND is_array($_REQUEST[$var])) +if (isset($_REQUEST[$var]) and is_array($_REQUEST[$var])) $ecran_securite_raison = "xss ".$var; /* @@ -185,11 +203,11 @@ if (isset($_REQUEST[$var]) AND is_array($_REQUEST[$var])) */ if (!function_exists('tmp_lkojfghx')) { function tmp_lkojfghx() {} - function tmp_lkojfghx2($a=0, $b=0, $c=0, $d=0) { + function tmp_lkojfghx2($a = 0, $b = 0, $c = 0, $d = 0) { // si jamais on est arrivé ici sur une erreur php // et qu'un autre gestionnaire d'erreur est défini, l'appeller - if ($b&&$GLOBALS['tmp_xhgfjokl']) - call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d); + if ($b && $GLOBALS['tmp_xhgfjokl']) + call_user_func($GLOBALS['tmp_xhgfjokl'], $a, $b, $c, $d); } } if (isset($_POST['tmp_lkojfghx3'])) @@ -201,14 +219,26 @@ if (isset($_POST['tmp_lkojfghx3'])) if (isset($_REQUEST['transformer_xml'])) $ecran_securite_raison = "transformer_xml"; +/* + * Outils XML mal sécurisés again + */ +if (isset($_REQUEST['var_url']) and $_REQUEST['var_url'] and isset($_REQUEST['exec']) and $_REQUEST['exec']=='valider_xml'){ + $url = trim($_REQUEST['var_url']); + if (strncmp($url,'/',1)==0 + or (($p=strpos($url,'..'))!==false AND strpos($url,'..',$p+3)!==false) + or (strpos($url,'://')!==false or strpos($url,':\\')!==false)) { + $ecran_securite_raison = 'URL interdite pour var_url'; + } +} + /* * Sauvegarde mal securisée < 2.0.9 */ if (isset($_REQUEST['nom_sauvegarde']) -AND strstr((string)$_REQUEST['nom_sauvegarde'], '/')) +and strstr((string)$_REQUEST['nom_sauvegarde'], '/')) $ecran_securite_raison = 'nom_sauvegarde manipulee'; if (isset($_REQUEST['znom_sauvegarde']) -AND strstr((string)$_REQUEST['znom_sauvegarde'], '/')) +and strstr((string)$_REQUEST['znom_sauvegarde'], '/')) $ecran_securite_raison = 'znom_sauvegarde manipulee'; 
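Review bot: In the new `var_url` check, `trim($_REQUEST['var_url'])` is the one place in the hunk that skips the `(string)` cast the neighbouring `nom_sauvegarde` lines use, so an array-valued `var_url` reaches `trim()`: a TypeError on PHP 8, and on PHP 7 a warning with `null` returned, after which none of the string tests match and the guard fails open. `$url = trim((string)$_REQUEST['var_url']);` keeps it closed either way. Two smaller points: the inner `AND` is the one operator the commit left uppercase, and the `..` test fires only on a second occurrence found after `$p+3` — presumably one `..` segment is tolerated on purpose, which deserves a one-line comment such as `// a single '..' segment is tolerated; two or more are refused`.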
@@ -216,17 +246,17 @@ AND strstr((string)$_REQUEST['znom_sauvegarde'], '/')) * op permet des inclusions arbitraires ; * on vérifie 'page' pour ne pas bloquer ... drupal */ -if (isset($_REQUEST['op']) AND isset($_REQUEST['page']) -AND $_REQUEST['op'] !== preg_replace('/[^\-\w]/', '', $_REQUEST['op'])) +if (isset($_REQUEST['op']) and isset($_REQUEST['page']) +and $_REQUEST['op'] !== preg_replace('/[^\-\w]/', '', $_REQUEST['op'])) $ecran_securite_raison = 'op'; /* * Forms & Table ne se méfiait pas assez des uploads de fichiers */ if (count($_FILES)){ - foreach($_FILES as $k=>$v){ - if (preg_match(',^fichier_\d+$,',$k) - AND preg_match(',\.php,i',$v['name'])) + foreach($_FILES as $k => $v){ + if (preg_match(',^fichier_\d+$,', $k) + and preg_match(',\.php,i', $v['name'])) unset($_FILES[$k]); } } @@ -234,7 +264,7 @@ if (count($_FILES)){ * et Contact trop laxiste avec une variable externe * on bloque pas le post pour eviter de perdre des donnees mais on unset la variable et c'est tout */ -if (isset($_REQUEST['pj_enregistrees_nom']) AND $_REQUEST['pj_enregistrees_nom']){ +if (isset($_REQUEST['pj_enregistrees_nom']) and $_REQUEST['pj_enregistrees_nom']){ unset($_REQUEST['pj_enregistrees_nom']); unset($_GET['pj_enregistrees_nom']); unset($_POST['pj_enregistrees_nom']); @@ -244,7 +274,7 @@ if (isset($_REQUEST['pj_enregistrees_nom']) AND $_REQUEST['pj_enregistrees_nom'] * reinstall=oui un peu trop permissif */ if (isset($_REQUEST['reinstall']) -AND $_REQUEST['reinstall'] == 'oui') +and $_REQUEST['reinstall'] == 'oui') $ecran_securite_raison = 'reinstall=oui'; /* 
@@ -256,9 +286,9 @@ if (isset($_SERVER['HTTP_REFERER'])) /* * Réinjection des clés en html dans l'admin r19561 */ -if (strpos($_SERVER['REQUEST_URI'],"ecrire/")!==false){ - $zzzz=implode("",array_keys($_REQUEST)); - if (strlen($zzzz)!=strcspn($zzzz,'<>"\'')) +if (strpos($_SERVER['REQUEST_URI'], "ecrire/") !== false){ + $zzzz = implode("", array_keys($_REQUEST)); + if (strlen($zzzz) != strcspn($zzzz, '<>"\'')) $ecran_securite_raison = 'Cle incorrecte en $_REQUEST'; } @@ -266,13 +296,13 @@ if (strpos($_SERVER['REQUEST_URI'],"ecrire/")!==false){ * Injection par connect */ if (isset($_REQUEST['connect']) - AND + and // cas qui permettent de sortir d'un commentaire PHP - (strpos($_REQUEST['connect'], "?")!==false - OR strpos($_REQUEST['connect'], "<")!==false - OR strpos($_REQUEST['connect'], ">")!==false - OR strpos($_REQUEST['connect'], "\n")!==false - OR strpos($_REQUEST['connect'], "\r")!==false) + (strpos($_REQUEST['connect'], "?") !== false + or strpos($_REQUEST['connect'], "<") !== false + or strpos($_REQUEST['connect'], ">") !== false + or strpos($_REQUEST['connect'], "\n") !== false + or strpos($_REQUEST['connect'], "\r") !== false) ) { $ecran_securite_raison = "malformed connect argument"; } @@ -289,6 +319,17 @@ if (isset($ecran_securite_raison)) { die("Error 403: Forbidden

Error 403

You are not authorized to view this page ($ecran_securite_raison)

"); } +/* + * Un filtre filtrer_entites securise + */ +if (!function_exists('filtre_filtrer_entites_dist')) { + function filtre_filtrer_entites_dist($t) { + include_spip('inc/texte'); + return interdire_scripts(filtrer_entites($t)); + } +} + + /* * Fin sécurité */ @@ -303,23 +344,23 @@ if (!defined('_ECRAN_SECURITE_LOAD')) if ( defined('_ECRAN_SECURITE_LOAD') - AND _ECRAN_SECURITE_LOAD>0 - AND _IS_BOT - AND $_SERVER['REQUEST_METHOD'] === 'GET' - AND ( + and _ECRAN_SECURITE_LOAD > 0 + and _IS_BOT + and $_SERVER['REQUEST_METHOD'] === 'GET' + and ( (function_exists('sys_getloadavg') - AND $load = sys_getloadavg() - AND is_array($load) - AND $load = array_shift($load) + and $load = sys_getloadavg() + and is_array($load) + and $load = array_shift($load) ) - OR + or (@is_readable('/proc/loadavg') - AND $load = file_get_contents('/proc/loadavg') - AND $load = floatval($load) + and $load = file_get_contents('/proc/loadavg') + and $load = floatval($load) ) ) - AND $load > _ECRAN_SECURITE_LOAD // eviter l'evaluation suivante si de toute facon le load est inferieur a la limite - AND rand(0, $load*$load) > _ECRAN_SECURITE_LOAD*_ECRAN_SECURITE_LOAD + and $load > _ECRAN_SECURITE_LOAD // eviter l'evaluation suivante si de toute facon le load est inferieur a la limite + and rand(0, $load * $load) > _ECRAN_SECURITE_LOAD * _ECRAN_SECURITE_LOAD ) { header("HTTP/1.0 503 Service Unavailable"); header("Retry-After: 300"); @@ -329,6 +370,3 @@ if ( header("Content-Type: text/html"); die("Status 503: Site temporarily unavailable
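Review bot: `filtre_filtrer_entites_dist` is added without a docblock, and the comment above it says only that it is secured; what the body shows is `filtrer_entites($t)` passed through `interdire_scripts()`, so document that contract: `/** Override of the filtrer_entites filter: applies filtrer_entites, then interdire_scripts on the result. @param string $t @return string */`. Both helpers are presumably provided by the `include_spip('inc/texte')` call rather than this file. The double blank line after the closing brace can go. The `die()` of the 403 branch above starts outside the hunk.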
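Review bot: `rand(0, $load * $load)` is given a float upper bound — `$load` is whatever `sys_getloadavg()` or `floatval()` produced — while `rand()` takes ints, so the bound is truncated silently on PHP 7 and raises an implicit float-to-int deprecation on 8.1+ when it has a fractional part. `and rand(0, (int) ($load * $load)) > _ECRAN_SECURITE_LOAD * _ECRAN_SECURITE_LOAD` makes the truncation explicit with identical results. Note that with the `var_isbot` override added earlier in this diff, the `_IS_BOT` condition here becomes client-selectable. The `header()`/`die()` tail of this `if` continues in the next hunk.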

Status 503

Site temporarily unavailable (load average $load)

"); } - - -?> \ No newline at end of file