<?php
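/**
 * Referer-based check for cross-site (forged) requests.
 *
 * We don't automatically set this up, because it depends on server
 * configuration.
 *
 * This is a sample, it's what I use on mckenzierobotics.org
 * So, it may help you to know that I have several systems interacting there.
 * http://mckenzierobotics.org/ Base of entire site
 * http://mckenzierobotics.org/mm/ WordPress
 * http://mckenzierobotics.org/wp/ MessageManager
 *
 * The 'conf' table for MessageManager has 'baseurl' set to '/mm/'; it does NOT
 * include the hostname.
 *
 * The idea of this approach is we inspect the HTTP_REFERER to decide if the
 * user came from an acceptable URL. This is tricky because this isn't
 * necessarily just URLs inside of MessageManager's "baseurl", and URLs from
 * inside of "baseurl" might not be trusted (like email body files).
 *
 * Decision order:
 *   1. GET and HEAD requests are never treated as an attack (the check only
 *      guards state-changing methods such as POST and PUT).
 *   2. A request with no Referer header is NOT treated as an attack. This is
 *      deliberate so that browsers/proxies that strip the header keep
 *      working, but it means the check is fail-open: a forged request that
 *      omits the Referer passes. Callers wanting fail-closed behaviour should
 *      treat a missing Referer as untrusted themselves.
 *   3. A Referer that does not start with $siteurl is an attack.
 *   4. A Referer pointing into "<$mmurl>messages/<something>/<file>" (a stored
 *      message body rendered from inside MessageManager) is an attack.
 *
 * @param string      $siteurl Trusted base URL of the whole site, including
 *                             scheme and trailing slash. Compared as an exact,
 *                             case-sensitive prefix of the Referer.
 * @param string|null $mmurl   Base URL of MessageManager; defaults to
 *                             $siteurl . 'mm/' (the original hard-coded layout).
 * @return bool true when the request should be treated as a forged request,
 *              false when it is allowed through.
 */
function xss_attack($siteurl = 'http://mckenzierobotics.org/', $mmurl = null) {
    if ($mmurl === null) {
        $mmurl = $siteurl . 'mm/';
    }

    // Safe methods are exempt. REQUEST_METHOD is absent e.g. under the CLI;
    // treat that like an unknown method and fall through to the Referer check.
    $method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
    if (in_array($method, array('GET', 'HEAD'), true)) {
        return false;
    }

    // Fail-open on a missing Referer (see docblock, step 2).
    if (!isset($_SERVER['HTTP_REFERER'])) {
        return false;
    }
    $from = $_SERVER['HTTP_REFERER'];

    // Strict prefix match: the trailing slash in $siteurl is what stops
    // "http://host.example.evil/" style look-alikes from matching.
    if (substr($from, 0, strlen($siteurl)) !== $siteurl) {
        return true;
    }

    // Someone cleverly tried to XSS us from inside a message: referers from the
    // rendered message bodies under <mmurl>messages/<dir>/<file> are untrusted.
    $messages = '@^' . preg_quote($mmurl . 'messages/', '@') . '.*/.@';
    if (preg_match($messages, $from) === 1) {
        return true;
    }

    return false;
}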