Webshell defence

git-svn-id: http://xe-core.googlecode.com/svn/branches/1.5.3.2@12300 201d5d3c-b55e-5fd7-737f-ddc643e51545
This commit is contained in:
ovclas 2012-11-26 12:22:28 +00:00
parent d5f055d4f1
commit a83a5406bc
2 changed files with 28 additions and 3 deletions


@ -113,6 +113,11 @@ class Context {
* @var bool true if attached file exists
*/
var $is_uploaded = false;
/**
* Check init
* @var bool false if init fail
*/
var $isSuccessInit = true;
/**
* returns static context object (Singleton). It's to use Context without declaration of an object
@ -802,6 +807,12 @@ class Context {
function _setRequestArgument() {
if(!count($_REQUEST)) return;
$pattern = array(
'/<\?/iUsm',
'/<\%/iUsm',
'/<script(\s|\S)*language[\s]*=("|\')php("|\')(\s|\S)*/iUsm'
);
foreach($_REQUEST as $key => $val) {
if($val === '' || Context::get($key)) continue;
$val = $this->_filterRequestVar($key, $val);
@ -812,9 +823,15 @@ class Context {
if($set_to_vars)
{
$val = preg_replace('/<\?.*(\?>)?/iUsm', '', $val);
$val = preg_replace('/<\%.*(\%>)?/iUsm', '', $val);
$val = preg_replace('/<script(\s|\S)*language[\s]*=("|\')php("|\')(\s|\S)*>.*<[\s]*\/[\s]*script[\s]*>/iUsm', '', $val);
foreach($pattern AS $key2=>$value2)
{
$result = preg_match($value2, $val);
if($result)
{
$this->isSuccessInit = false;
break;
}
}
}
$this->set($key, $val, $set_to_vars);
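Review bot: In the loop at L40-L48 the blocklist is matched against `$val` only after the three preg_replace calls at L37-L39 have already stripped the same markers, so `isSuccessInit` can flip only when stripping happens to leave a marker behind; run the `$pattern` check on the unmodified value before the replacements (or keep just one of the two mechanisms) so a flagged request is actually rejected instead of silently rewritten. `preg_match` returns `false` on a PCRE error, which `if($result)` treats as "no match" — with `(\s|\S)*` on long input the backtrack limit may be reachable — so fail closed: `if($result === false || $result === 1) { $this->isSuccessInit = false; break; }`. The `$key2` loop key is unused; `foreach($pattern AS $value2)` reads cleaner, and a one-line comment such as `// blocklist of PHP/ASP open tags; a match marks the request invalid (checked by ModuleObject)` would explain why `$pattern` exists. _setRequestArgument continues outside the hunk.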


@ -38,6 +38,14 @@
$this->act = Context::get('act');
return;
}
$oContext = Context::getInstance();
if($oContext->isSuccessInit == false)
{
$this->error = 'msg_invalid_request';
return;
}
// Set variables from request arguments
$this->module = $module?$module:Context::get('module');
$this->act = $act?$act:Context::get('act');
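Review bot: The new guard at L59 uses loose `== false`; since `isSuccessInit` is a plain `var` that any caller can overwrite with `0`, `''` or `null`, prefer `if($oContext->isSuccessInit !== true)` so the request fails closed on anything but an explicit true. The check is also placed after the early `return` at L56-L57, so the code path that takes that branch never reaches it; if that path also consumes request arguments, the guard presumably belongs above it — worth confirming. The enclosing method starts and ends outside the hunk.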