<?php

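/**
 * We don't automatically set this up, because it depends on server
 * configuration.
 *
 * This is a sample, it's what I use on mckenzierobotics.org
 * So, it may help you to know that I have several systems interacting there.
 *   http://mckenzierobotics.org/         Base of entire site
 *   http://mckenzierobotics.org/mm/      MessageManager
 *   http://mckenzierobotics.org/wp/      WordPress
 *
 * The 'conf' table for MessageManager has 'baseurl' set to '/mm/'; it does NOT
 * include the hostname.
 *
 * The idea of this approach is we inspect the HTTP_REFERER to decide if the
 * user came from an acceptable URL. This is tricky because this isn't
 * necessarily just URLs inside of MessageManager's "baseurl", and URLs from
 * inside of "baseurl" might not be trusted (like email body files).
 *
 * What this decides:
 *   - no Referer header at all        -> not treated as an attack (returns
 *                                        false; browsers and proxies may strip
 *                                        it, so this is deliberately permissive)
 *   - GET / HEAD                      -> never an attack (read-only)
 *   - Referer outside the site        -> attack
 *   - Referer under mm/messages/<x>/  -> attack (a link inside a message body)
 *   - any other on-site Referer       -> not an attack
 *
 * @return bool true when the request looks like a forged/cross-site submission
 */
function xss_attack(): bool {
	// Trusted base of the site as a regex fragment (no delimiters). It is
	// anchored at the start, and the trailing "/" after the host means a
	// lookalike host with extra labels after ".org" does not match.
	$siteurl_re = '^https?://(www\.)?mckenzierobotics\.org/';
	// Where MessageManager lives, relative to the site base (still a regex
	// fragment, built from $siteurl_re, not from an undefined variable).
	$mmurl_re = $siteurl_re.'mm/';

	if (!isset($_SERVER['HTTP_REFERER']))
		return false;

	$from = $_SERVER['HTTP_REFERER'];
	// REQUEST_METHOD is absent under the CLI; an empty or unknown method falls
	// through to the referer checks, as the original switch's default case did.
	$method = $_SERVER['REQUEST_METHOD'] ?? '';

	// Read-only methods are never considered an attack here. ('HEAD' must be a
	// quoted string; a bare HEAD is an undefined constant.)
	if ($method === 'GET' || $method === 'HEAD')
		return false;

	// Anything that did not come from the site itself is suspicious.
	if (!preg_match('@'.$siteurl_re.'@', $from))
		return true;

	// $mmurl_re is already a regex, so only the literal "messages/" is quoted;
	// the trailing ".*/." requires at least one path component below messages/.
	$messages_re = '@'.$mmurl_re.preg_quote('messages/', '@').'.*/.@';
	if (preg_match($messages_re, $from))
		// Someone cleverly tried to XSS us from inside a message
		return true;

	return false;
}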