* ------------------
*/
-define('_ECRAN_SECURITE', '1.1.5'); // 8 mars 2013
+define('_ECRAN_SECURITE', '1.1.8'); // 2013-08-29
/*
* Documentation : http://www.spip.net/fr_article4200.html
if (!defined('_IS_BOT'))
define('_IS_BOT',
isset($_SERVER['HTTP_USER_AGENT'])
- AND preg_match(',bot|slurp|crawler|spider|webvac|yandex|INA dlweb|EC2LinkFinder|80legs,i',
- (string) $_SERVER['HTTP_USER_AGENT'])
+ AND preg_match(
+ // mots generiques
+ ',bot|slurp|crawler|spider|webvac|yandex|'
+ // UA plus cibles
+ . '80legs|accoona|AltaVista|ASPSeek|Baidu|Charlotte|EC2LinkFinder|eStyle|Google|INA dlweb|Java VM|LiteFinder|Lycos|Rambler|Scooter|ScrubbyBloglines|Yahoo|Yeti'
+ . ',i',(string) $_SERVER['HTTP_USER_AGENT'])
);
/*
$file = addslashes((string)$_GET['file']);
}
+/*
+ * Pas d'inscription abusive
+ */
+if (isset($_REQUEST['mode']) AND isset($_REQUEST['page'])
+AND !in_array($_REQUEST['mode'],array("6forum","1comite"))
+AND $_REQUEST['page'] == "identifiants")
+ $ecran_securite_raison = "identifiants";
+
/*
* Agenda joue à l'injection php
*/
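Review bot: The new `identifiants` check on the lines above compares loosely: `in_array()` is called without `strict: true` and `$_REQUEST['page']` is tested with `==`, so the intent reads better and is less surprising as `AND !in_array($_REQUEST['mode'], array("6forum","1comite"), true)` and `AND $_REQUEST['page'] === "identifiants"`. The condition also requires `mode` to be present, so a request carrying only `page=identifiants` with no `mode` parameter is not flagged at all; if that is deliberate (the form needs a mode to do anything), a one-line comment saying so would save the next reader from re-deriving it. `$ecran_securite_raison` is set here but consumed outside this hunk, so whether an unflagged request is later blocked by other means cannot be judged from the hunk.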
if (isset($_REQUEST['connect'])
AND
// cas qui permettent de sortir d'un commentaire PHP
- (strpos($_REQUEST['connect'], "?".">")!==false
+ (strpos($_REQUEST['connect'], "?")!==false
+ OR strpos($_REQUEST['connect'], ">")!==false
OR strpos($_REQUEST['connect'], "\n")!==false
OR strpos($_REQUEST['connect'], "\r")!==false)
) {
- $_REQUEST['connect'] = str_replace(array("?".">", "\r", "\n"), "", $_REQUEST['connect']);
+ $_REQUEST['connect'] = str_replace(array("?", ">", "\r", "\n"), "", $_REQUEST['connect']);
if (isset($_GET['connect'])) $_GET['connect'] = $_REQUEST['connect'];
if (isset($_POST['connect'])) $_POST['connect'] = $_REQUEST['connect'];
}
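Review bot: The new `strpos()` calls on `$_REQUEST['connect']` still assume a string: an array-valued parameter (`connect[]=...`) makes `strpos()` emit a warning and return null on PHP 5, and `null !== false` is true, while on PHP 8 it throws a TypeError before any sanitising happens. A guard such as `if (isset($_REQUEST['connect']) AND is_string($_REQUEST['connect'])` in the opening condition keeps the check well-defined, with a non-string value then needing its own handling rather than passing through untouched. Separately, the cleaned value is copied back into `$_GET` and `$_POST` but not `$_COOKIE`, and `$_REQUEST` may also be populated from cookies depending on `request_order`; presumably `connect` is never read from a cookie, but that is worth confirming.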