PDF rausgenommen

2023-01-23 11:03:31 +01:00
parent 82d562a322
commit a6523903eb
28078 changed files with 4247552 additions and 2 deletions
--- a/msd2/myoos/includes/functions/function_input.php
+++ b/msd2/myoos/includes/functions/function_input.php
@ -0,0 +1,141 @@
+<?php
+/* ----------------------------------------------------------------------
+
+   MyOOS [Shopsystem]
+   https://www.oos-shop.de
+
+   Copyright (c) 2003 - 2019 by the MyOOS Development Team.
+   ----------------------------------------------------------------------
+   Based on:
+
+   Id: pnAPI.php,v 1.41 2003/07/12 21:44:40 markwest Exp
+   ----------------------------------------------------------------------
+   PostNuke Content Management System
+   Copyright (C) 2001 by the Post-Nuke Development Team.
+   http://www.postnuke.com/
+   ----------------------------------------------------------------------
+   LICENSE
+
+   This program is free software; you can redistribute it and/or
+   modify it under the terms of the GNU General Public License (GPL)
+   as published by the Free Software Foundation; either version 2
+   of the License, or (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   To read the license please visit http://www.gnu.org/copyleft/gpl.html
+   ----------------------------------------------------------------------
+   Original Author of file: Jim McDonald
+   Purpose of file: The PostNuke API
+   ----------------------------------------------------------------------
+
+ /**
+  * security
+  *
+  * @link http://www.postnuke.com/
+  * @package security
+  * @version $Revision: 1.2 $ - changed by $Author: r23 $ on $Date: 2008/08/15 16:28:30 $
+  */
+
+  /** ensure this file is being included by a parent file */
+  defined( 'OOS_VALID_MOD' ) OR die( 'Direct Access to this location is not allowed.' );
+
+ /**
+  * Protects better diverse attempts of Cross-Site Scripting
+  * attacks, thanks to webmedic, Timax, larsneo.
+  *
+  * Lets validate the current php version and set globals
+  * accordingly.
+  * Do not change this value unless you know what you are
+  * doing you have been warned!
+  */
+  function oos_secure_input() {
+
+    $aContents = oos_get_content();
+
+	# Cross-Site Scripting attack defense - Sent by larsneo
+   # some syntax checking against injected javascript
+   # extended by Neo
+
+  /**
+   * Lets now sanitize the GET vars
+   */
+    if (count($_GET) > 0) {
+      foreach ($_GET as $secvalue) {
+        if (!is_array($secvalue)) {
+          if ((preg_match("/<[^>]*script*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/.*[[:space:]](or|and)[[:space:]].*(=|like).*/i", $secvalue)) ||
+            (preg_match("/<[^>]*object*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*iframe*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*applet*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*meta*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*style*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*form*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*window.*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*alert*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*img*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*document.*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*cookie*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/\"/i", $secvalue))
+            ) {
+              oos_redirect(oos_href_link($aContents['home']));
+          }
+        }
+      }
+    }
+
+
+   /**
+    * Lets now sanitize the POST vars
+    */
+    if (count($_POST) > 0) {
+      foreach ($_POST as $secvalue) {
+        if (!is_array($secvalue)) {
+          if ((preg_match("/<[^>]*script*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*object*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*iframe*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*applet*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*window.*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*alert*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*document.*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*cookie*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*meta*\"?[^>]*>/i", $secvalue))
+            ) {
+               oos_redirect(oos_href_link($aContents['home']));
+          }
+        }
+      }
+    }
+
+
+   /**
+    * Lets now sanitize the COOKIE vars
+    */
+    if (count($_COOKIE) > 0) {
+      foreach ($_COOKIE as $secvalue) {
+        if (!is_array($secvalue)) {
+          if ((preg_match("/<[^>]*script*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/.*[[:space:]](or|and)[[:space:]].*(=|like).*/i", $secvalue)) ||
+            (preg_match("/<[^>]*object*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*iframe*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*applet*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*meta*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*style*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*form*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*window.*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*alert*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*document.*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*cookie*\"?[^>]*>/i", $secvalue)) ||
+            (preg_match("/<[^>]*img*\"?[^>]*>/i", $secvalue))
+            ) {
+               oos_redirect(oos_href_link($aContents['home']));
+          }
+        }
+      }
+    }
+  }
+
+