blob: d68b3cbf474610462181e7074ab4524cc76e22f5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
<?php
/**
* We don't automatically set this up, because it depends on server
* configuration.
*
* This is a sample, it's what I use on mckenzierobotics.org
* So, it may help you to know that I have several systems interacting there.
* http://mckenzierobotics.org/ Base of entire site
* http://mckenzierobotics.org/mm/ WordPress
* http://mckenzierobotics.org/wp/ MessageManager
*
* The 'conf' table for MessageManager has 'baseurl' set to '/mm/'; it does NOT
* include the hostname.
*
* The idea of this approach is we inspect the HTTP_REFERER to decide if the
* user came from an acceptable URL. This is tricky because this isn't
* nescessarily just URLs inside of MessageManager's "baseurl", and URLs from
* inside of "baseurl" might not be trusted (like email body files).
*/
function xss_attack() {
$siteurl_re = '^https?://(www\.)?mckenzierobotics\.org/';// basic trusted base
$mmurl_re = $siteurl.'mm/';// where MessageManager is
if (!isset($_SERVER['HTTP_REFERER']))
return false;
$from = $_SERVER['HTTP_REFERER'];
$method = $_SERVER['REQUEST_METHOD'];
switch ($method) {
case 'PUT': break;
case 'POST': break;
case 'GET': return false; break;
case HEAD: return false; break;
default: break;
}
if (!preg_match('@'.$siteurl_re.'@', $from))
return true;
$messages_re = '@'.preg_quote($mmurl.'messages/','@').'.*/.@';
if (preg_match($messages_re, $from))
// Someone cleverly tried to XSS us from inside a message
return true;
return false;
}
|
