From 514d9393ff9d7752426aaaa9b840ee1f94229491 Mon Sep 17 00:00:00 2001
From: Luke Shumaker <lukeshu@sbcglobal.net>
Date: Sun, 25 Sep 2011 16:13:34 -0700
Subject: add a quick hack for XSS protection

---
 .gitignore           |  1 +
 index.php            |  9 +++++++++
 xss-check.php.sample | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 58 insertions(+)
 create mode 100644 xss-check.php.sample

diff --git a/.gitignore b/.gitignore
index 5df2997..3d2b2cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 msg/*
 conf.php
 
+xss-check.php
 .htaccess
 
 *.bak
diff --git a/index.php b/index.php
index 1148b1d..ad16995 100644
--- a/index.php
+++ b/index.php
@@ -2,6 +2,15 @@
 // What directory are we in on the server.
 define('BASEPATH', dirname(__FILE__));
 
+$xss_file = BASEPATH.'/xss-check.php';
+if (file_exists($xss_file)) {
+	require($xss_file);
+	if (xss_attack()) {
+		echo "execution halted to prevent XSS attack.";
+		exit();
+	}
+}
+
 // Decide where to look for things
 define('LIBPATH',        BASEPATH.'/src/lib'.PATH_SEPARATOR.BASEPATH.'/src/ext');
 define('MODELPATH',      BASEPATH.'/src/models');
diff --git a/xss-check.php.sample b/xss-check.php.sample
new file mode 100644
index 0000000..bfc7973
--- /dev/null
+++ b/xss-check.php.sample
@@ -0,0 +1,48 @@
+<?php
+
+/**
+ * We don't automatically set this up, because it depends on server
+ * configuration.
+ * 
+ * This is a sample, it's what I use on mckenzierobotics.org
+ * So, it may help you to know that I have several systems interacting there.
+ *   http://mckenzierobotics.org/         Base of entire site
+ *   http://mckenzierobotics.org/mm/      WordPress
+ *   http://mckenzierobotics.org/wp/      MessageManager
+ * 
+ * The 'conf' table for MessageManager has 'baseurl' set to '/mm/'; it does NOT
+ * include the hostname.
+ *
+ * The idea of this approach is we inspect the HTTP_REFERER to decide if the
+ * user came from an acceptable URL. This is tricky because this isn't
+ * nescessarily just URLs inside of MessageManager's "baseurl", and URLs from
+ * inside of "baseurl" might not be trusted (like email body files).
+ */
+function xss_attack() {
+	$siteurl = 'http://mckenzierobotics.org/';// basic trusted base
+	$mmurl = $siteurl.'mm/';// where MessageManager is
+
+	if (!isset($_SERVER['HTTP_REFERER']))
+		return false;
+	
+	$from = $_SERVER['HTTP_REFERER'];
+	$method = $_SERVER['REQUEST_METHOD'];
+
+	switch ($method) {
+	case 'PUT': break;
+	case 'POST': break;
+	case 'GET': return false; break;
+	case HEAD: return false; break;
+	default: break;
+	}
+
+	if (substr($from,0,strlen($siteurl)) != $siteurl)
+		return true;
+
+	$messages = '@^'.preg_quote($mmurl.'messages/','@').'.*/.@';
+	if (preg_match($messages, $from))
+		// Someone cleverly tried to XSS us from inside a message
+		return true;
+
+	return false;
+}
\ No newline at end of file
-- 
cgit v1.2.3