X-Git-Url: http://git.cyclocoop.org/?p=ptitvelo%2Fweb%2Fwww.git;a=blobdiff_plain;f=www%2Fconfig%2Fecran_securite.php;h=36b00446bc4c9162d14b89b21cb07feb3dbcc0e0;hp=51e48df5a2dd5929c7e220c9637d3d9617d16c76;hb=e847eea4a82a7396dd0abf860f9b30d654f38629;hpb=52cf8ed924d5dcd0c28dde4b6c3196be6ec2d4f7
diff --git a/www/config/ecran_securite.php b/www/config/ecran_securite.php
index 51e48df..36b0044 100644
--- a/www/config/ecran_securite.php
+++ b/www/config/ecran_securite.php
@@ -5,7 +5,7 @@
 * ------------------
 */
 
-define('_ECRAN_SECURITE', '1.1.5'); // 8 mars 2013
+define('_ECRAN_SECURITE', '1.1.9'); // 2014-03-13
 
 /*
 * Documentation : http://www.spip.net/fr_article4200.html
@@ -23,8 +23,12 @@ if (isset($_GET['test_ecran_securite']))
 if (!defined('_IS_BOT'))
 define('_IS_BOT',
 isset($_SERVER['HTTP_USER_AGENT'])
- AND preg_match(',bot|slurp|crawler|spider|webvac|yandex|INA dlweb|EC2LinkFinder|80legs,i',
- (string) $_SERVER['HTTP_USER_AGENT'])
+ AND preg_match(
+ // mots generiques
+ ',bot|slurp|crawler|spider|webvac|yandex|'
+ // UA plus cibles
+ . '80legs|accoona|AltaVista|ASPSeek|Baidu|Charlotte|EC2LinkFinder|eStyle|Google|INA dlweb|Java VM|LiteFinder|Lycos|Rambler|Scooter|ScrubbyBloglines|Yahoo|Yeti'
+ . ',i',(string) $_SERVER['HTTP_USER_AGENT'])
 );
 
 /*
@@ -66,6 +70,14 @@ if (preg_match(',^(.*/)?spip_acces_doc\.,', (string)$_SERVER['REQUEST_URI'])) {
 $file = addslashes((string)$_GET['file']);
 }
 
+/*
+ * Pas d'inscription abusive
+ */
+if (isset($_REQUEST['mode']) AND isset($_REQUEST['page'])
+AND !in_array($_REQUEST['mode'],array("6forum","1comite"))
+AND $_REQUEST['page'] == "identifiants")
+$ecran_securite_raison = "identifiants";
+
 /*
 * Agenda joue à l'injection php
 */
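Review bot: The widened pattern is still assembled from bare string fragments with `,` as the PCRE delimiter and no escaping, so a future token containing a comma or a regex metacharacter would silently change the expression; if that makes the pattern invalid, `preg_match` returns `false` with a warning and `_IS_BOT` is defined as `false`, i.e. the crawler heuristic quietly switches off instead of failing loudly. A comment on the first fragment would guard against that: `// delimiter is ',' and the list is a bare alternation: no comma and no PCRE metacharacter in the entries below`. The alternation is also unanchored and case-insensitive, so short tokens such as `bot` and `Google` match as substrings anywhere in the UA, which `// mots generiques` could state outright so nobody adds a token that is a common substring of browser UAs.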
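Review bot: The new `in_array($_REQUEST['mode'],array("6forum","1comite"))` and `$_REQUEST['page'] == "identifiants"` compare loosely, unlike the `!==` and `(string)` style used in the neighbouring checks; both should be strict so that a non-string or numeric-looking request value cannot change the outcome: `AND !in_array($_REQUEST['mode'],array("6forum","1comite"), true)` and `AND $_REQUEST['page'] === "identifiants")`. The header comment `Pas d'inscription abusive` names the goal but not the rule; a one-line comment stating why only those two `mode` values are accepted on the `identifiants` page would help the next maintainer decide whether a new mode belongs in the list.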
@@ -241,13 +253,13 @@ if (strpos($_SERVER['REQUEST_URI'],"ecrire/")!==false){
 
 if (isset($_REQUEST['connect']) AND
 // cas qui permettent de sortir d'un commentaire PHP
- (strpos($_REQUEST['connect'], "?".">")!==false
+ (strpos($_REQUEST['connect'], "?")!==false
+ OR strpos($_REQUEST['connect'], "<")!==false
+ OR strpos($_REQUEST['connect'], ">")!==false
 OR strpos($_REQUEST['connect'], "\n")!==false
 OR strpos($_REQUEST['connect'], "\r")!==false)
 ) {
- $_REQUEST['connect'] = str_replace(array("?".">", "\r", "\n"), "", $_REQUEST['connect']);
- if (isset($_GET['connect'])) $_GET['connect'] = $_REQUEST['connect'];
- if (isset($_POST['connect'])) $_POST['connect'] = $_REQUEST['connect'];
+ $ecran_securite_raison = "malformed connect argument";
 }
 
 /*
@@ -304,4 +316,4 @@ if (
 }
 
 
-?>
+?>
\ No newline at end of file
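Review bot: The added `strpos` checks are applied to `$_REQUEST['connect']` without confirming it is a string; when the parameter arrives as an array, `strpos` rejects it (a warning and `null` on PHP 7, a `TypeError` on PHP 8), so the result is an accidental block or a fatal error rather than a deliberate decision. Treating a non-string value as malformed makes the intent explicit and keeps the block on the safe side on every PHP version: `(!is_string($_REQUEST['connect']) OR strpos($_REQUEST['connect'], "?")!==false`. The enclosing `if (strpos($_SERVER['REQUEST_URI'],"ecrire/")!==false)` block begins before the hunk, so the check presumably only runs for back-office URLs; a short comment saying so next to the new `$ecran_securite_raison` assignment would spare the reader that inference.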