* ------------------
*/
-define('_ECRAN_SECURITE', '1.1.5'); // 8 mars 2013
+define('_ECRAN_SECURITE', '1.1.9'); // 2014-03-13
/*
* Documentation : http://www.spip.net/fr_article4200.html
if (!defined('_IS_BOT'))
define('_IS_BOT',
isset($_SERVER['HTTP_USER_AGENT'])
- AND preg_match(',bot|slurp|crawler|spider|webvac|yandex|INA dlweb|EC2LinkFinder|80legs,i',
- (string) $_SERVER['HTTP_USER_AGENT'])
+ AND preg_match(
+ // mots generiques
+ ',bot|slurp|crawler|spider|webvac|yandex|'
+ // UA plus cibles
+ . '80legs|accoona|AltaVista|ASPSeek|Baidu|Charlotte|EC2LinkFinder|eStyle|Google|INA dlweb|Java VM|LiteFinder|Lycos|Rambler|Scooter|ScrubbyBloglines|Yahoo|Yeti'
+ . ',i',(string) $_SERVER['HTTP_USER_AGENT'])
);
/*
$file = addslashes((string)$_GET['file']);
}
+/*
+ * Pas d'inscription abusive
+ */
+if (isset($_REQUEST['mode']) AND isset($_REQUEST['page'])
+AND !in_array($_REQUEST['mode'],array("6forum","1comite"))
+AND $_REQUEST['page'] == "identifiants")
+ $ecran_securite_raison = "identifiants";
+
/*
* Agenda joue à l'injection php
*/
if (isset($_REQUEST['connect'])
AND
// cas qui permettent de sortir d'un commentaire PHP
- (strpos($_REQUEST['connect'], "?".">")!==false
+ (strpos($_REQUEST['connect'], "?")!==false
+ OR strpos($_REQUEST['connect'], "<")!==false
+ OR strpos($_REQUEST['connect'], ">")!==false
OR strpos($_REQUEST['connect'], "\n")!==false
OR strpos($_REQUEST['connect'], "\r")!==false)
) {
- $_REQUEST['connect'] = str_replace(array("?".">", "\r", "\n"), "", $_REQUEST['connect']);
- if (isset($_GET['connect'])) $_GET['connect'] = $_REQUEST['connect'];
- if (isset($_POST['connect'])) $_POST['connect'] = $_REQUEST['connect'];
+ $ecran_securite_raison = "malformed connect argument";
}
/*
}
-?>
+?>
\ No newline at end of file
dépôts / ptitvelo / web / www.git / blobdiff