[SPIP] v3.0.22-->v3.0.24

[lhc/web/www.git] / www / config / ecran_securite.php

diff --git a/www/config/ecran_securite.php b/www/config/ecran_securite.php
index 0bd8e65..826d3c3 100644 (file)
--- a/www/config/ecran_securite.php
+++ b/www/config/ecran_securite.php
@@ -5,7 +5,7 @@
  * ------------------
  */
 
-define('_ECRAN_SECURITE', '1.2.4'); // 2016-03-10
+define('_ECRAN_SECURITE', '1.2.7'); // 2016-09-30
 
 /*
  * Documentation : http://www.spip.net/fr_article4200.html
@@ -38,7 +38,7 @@ if (!defined('_IS_BOT'))
            // MSIE 6.0 est un botnet 99,9% du temps, on traite donc ce USER_AGENT comme un bot
            . 'MSIE 6\.0|'
            // UA plus cibles
-           . '80legs|accoona|AltaVista|ASPSeek|Baidu|Charlotte|EC2LinkFinder|eStyle|facebook|flipboard|hootsuite|FunWebProducts|Google|Genieo|INA dlweb|InfegyAtlas|Java VM|LiteFinder|Lycos|MetaURI|Moreover|Rambler|Scooter|ScrubbyBloglines|Yahoo|Yeti'
+           . '80legs|accoona|AltaVista|ASPSeek|Baidu|Charlotte|EC2LinkFinder|eStyle|flipboard|hootsuite|FunWebProducts|Google|Genieo|INA dlweb|InfegyAtlas|Java VM|LiteFinder|Lycos|MetaURI|Moreover|Rambler|Scooter|ScrubbyBloglines|Yahoo|Yeti'
            . ',i', (string) $_SERVER['HTTP_USER_AGENT'])
        );
 
@@ -210,6 +210,18 @@ if (isset($_POST['tmp_lkojfghx3']))
 if (isset($_REQUEST['transformer_xml']))
        $ecran_securite_raison = "transformer_xml";
 
+/*
+ * Outils XML mal sécurisés again
+ */
+if (isset($_REQUEST['var_url']) and $_REQUEST['var_url'] and isset($_REQUEST['exec']) and $_REQUEST['exec']=='valider_xml'){
+       $url = trim($_REQUEST['var_url']);
+       if (strncmp($url,'/',1)==0
+         or (($p=strpos($url,'..'))!==false AND strpos($url,'..',$p+3)!==false)
+               or (strpos($url,'://')!==false or strpos($url,':\\')!==false)) {
+               $ecran_securite_raison = 'URL interdite pour var_url';
+       }
+}
+
 /*
  * Sauvegarde mal securisée < 2.0.9
  */