[SPIP] ~maj v3.2.9-->v3.2.11

[lhc/web/www.git] / www / config / ecran_securite.php

diff --git a/www/config/ecran_securite.php b/www/config/ecran_securite.php
index d6c6cea..773ae6c 100644 (file)
--- a/www/config/ecran_securite.php
+++ b/www/config/ecran_securite.php
@@ -5,7 +5,7 @@
  * ------------------
  */
 
-define('_ECRAN_SECURITE', '1.3.11'); // 2019-04-08
+define('_ECRAN_SECURITE', '1.4.1'); // 2021-03-12
 
 /*
  * Documentation : http://www.spip.net/fr_article4200.html
@@ -17,6 +17,10 @@ define('_ECRAN_SECURITE', '1.3.11'); // 2019-04-08
 if (isset($_GET['test_ecran_securite']))
        $ecran_securite_raison = 'test '._ECRAN_SECURITE;
 
+if (file_exists($f = __DIR__ . DIRECTORY_SEPARATOR  . 'ecran_securite_options.php')) {
+       include ($f);
+}
+
 /*
  * Monitoring
  * var_isbot=0 peut etre utilise par un bot de monitoring pour surveiller la disponibilite d'un site vu par les users
@@ -226,12 +230,15 @@ if (!defined('_IS_BOT')){
 if (!defined('_IS_BOT_FRIEND')){
        define('_IS_BOT_FRIEND',
                isset($_SERVER['HTTP_USER_AGENT'])
-               and preg_match(',' . implode ('|', array(
-                       'facebookexternalhit',
-                       'flipboardproxy',
-                       'wordpress'
-               )) . ',i',
-               (string)$_SERVER['HTTP_USER_AGENT'])
+                       and preg_match(
+                               ',' . implode('|', array(
+                                       'facebookexternalhit',
+                                       'twitterbot',
+                                       'flipboardproxy',
+                                       'wordpress'
+                               )) . ',i',
+                               (string)$_SERVER['HTTP_USER_AGENT']
+                       )
        );
 }
 
@@ -335,6 +342,13 @@ and $_REQUEST['action'] == 'configurer') {
                }
        }
 }
+if (isset($_REQUEST['action'])
+and $_REQUEST['action'] == 'ordonner_liens_documents'
+and isset($_REQUEST['ordre'])
+and is_string($_REQUEST['ordre'])){
+       $ecran_securite_raison = "ordre a la chaine";
+}
+
 
 /*
  * Bloque les requêtes contenant %00 (manipulation d'include)
@@ -474,6 +488,13 @@ if (isset($_REQUEST['reinstall'])
 and $_REQUEST['reinstall'] == 'oui')
        $ecran_securite_raison = 'reinstall=oui';
 
+/*
+ * Pas d'action pendant l'install
+ */
+if (isset($_REQUEST['exec']) and $_REQUEST['exec'] === 'install' and isset($_REQUEST['action'])) {
+       $ecran_securite_raison = 'install&action impossibles';
+}
+
 /*
  * Échappement xss referer
  */
@@ -488,6 +509,15 @@ if (isset($_SERVER['HTTP_X_FORWARDED_HOST']))
        $_SERVER['HTTP_X_FORWARDED_HOST'] = strtr($_SERVER['HTTP_X_FORWARDED_HOST'], "<>?\"\{\}\$'` \r\n", '____________');
 
 
+/*
+ * Pas d'erreur dans l'erreur
+ */
+if (isset($_REQUEST['var_erreur']) and isset($_REQUEST['page']) and $_REQUEST['page'] === 'login') {
+       if (strlen($_REQUEST['var_erreur']) !== strcspn($_REQUEST['var_erreur'], '<>'))
+               $ecran_securite_raison = 'var_erreur incorrecte';
+}
+
+
 /*
  * Réinjection des clés en html dans l'admin r19561
  */
@@ -521,6 +551,7 @@ if (isset($ecran_securite_raison)) {
        header("Cache-Control: no-cache, must-revalidate");
        header("Pragma: no-cache");
        header("Content-Type: text/html");
+       header("Connection: close");
        die("<html><title>Error 403: Forbidden</title><body><h1>Error 403</h1><p>You are not authorized to view this page ($ecran_securite_raison)</p></body></html>");
 }
 
@@ -575,5 +606,6 @@ if (
        header("Cache-Control: no-cache, must-revalidate");
        header("Pragma: no-cache");
        header("Content-Type: text/html");
+       header("Connection: close");
        die("<html><title>Status 429: Too Many Requests</title><body><h1>Status 429</h1><p>Too Many Requests (try again soon)</p></body></html>");
 }