Protector::output_log()   B
last analyzed

Complexity

Conditions 10
Paths 16

Size

Total Lines 47
Code Lines 29

Duplication

Lines 0
Ratio 0 %

Importance

Changes 0
Metric Value
cc 10
eloc 29
nc 16
nop 4
dl 0
loc 47
rs 7.6666
c 0
b 0
f 0

How to fix   Complexity   

Long Method

Small methods make your code easier to understand, in particular if combined with a good name. Besides, if your method is small, finding a good name is usually much easier.

For example, if you find yourself adding comments to a method's body, this is usually a good sign to extract the commented part to a new method, and use the comment as a starting point when coming up with a good name for this new method.

Commonly applied refactorings include:

1
<?php
2
3
/**
4
 * Class Protector
5
 */
6
class Protector
7
{
8
    public $mydirname;
9
10
    public $_conn;
11
    public $_conf            = array();
12
    public $_conf_serialized = '';
13
14
    public $_bad_globals = array();
15
16
    public $message                = '';
17
    public $warning                = false;
18
    public $error                  = false;
19
    public $_doubtful_requests     = array();
20
    public $_bigumbrella_doubtfuls = array();
21
22
    public $_dblayertrap_doubtfuls        = array();
23
    public $_dblayertrap_doubtful_needles = array(
24
        'information_schema',
25
        'select',
26
        "'",
27
        '"');
28
29
    public $_logged = false;
30
31
    public $_done_badext   = false;
32
    public $_done_intval   = false;
33
    public $_done_dotdot   = false;
34
    public $_done_nullbyte = false;
35
    public $_done_contami  = false;
36
    public $_done_isocom   = false;
37
    public $_done_union    = false;
38
    public $_done_dos      = false;
39
40
    public $_safe_badext  = true;
41
    public $_safe_contami = true;
42
    public $_safe_isocom  = true;
43
    public $_safe_union   = true;
44
45
    public $_spamcount_uri = 0;
46
47
    public $_should_be_banned_time0 = false;
48
    public $_should_be_banned       = false;
49
50
    public $_dos_stage;
51
52
    public $ip_matched_info;
53
54
    public $last_error_type = 'UNKNOWN';
55
56
    /**
57
     * Constructor
58
     */
59
    protected function __construct()
60
    {
61
        $this->mydirname = 'protector';
62
63
        // Preferences from configs/cache
64
        $this->_conf_serialized = @file_get_contents($this->get_filepath4confighcache());
65
        $this->_conf            = @unserialize($this->_conf_serialized, array('allowed_classes' => false));
0 ignored issues
show
Bug introduced by
It seems like $this->_conf_serialized can also be of type false; however, parameter $data of unserialize() does only seem to accept string, maybe add an additional type check? ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-type  annotation

65
        $this->_conf            = @unserialize(/** @scrutinizer ignore-type */ $this->_conf_serialized, array('allowed_classes' => false));
Loading history...
66
        if (empty($this->_conf)) {
67
            $this->_conf = array();
68
        }
69
70
        if (!empty($this->_conf['global_disabled'])) {
71
            return;
72
        }
73
74
        // die if PHP_SELF XSS found (disabled in 2.53)
75
        //    if ( preg_match( '/[<>\'";\n ]/' , @$_SERVER['PHP_SELF'] ) ) {
76
        //        $this->message .= "Invalid PHP_SELF '{$_SERVER['PHP_SELF']}' found.\n" ;
77
        //        $this->output_log( 'PHP_SELF XSS' ) ;
78
        //        die( 'invalid PHP_SELF' ) ;
79
        //    }
80
81
        // sanitize against PHP_SELF/PATH_INFO XSS (disabled in 3.33)
82
        //    $_SERVER['PHP_SELF'] = strtr( @$_SERVER['PHP_SELF'] , array( '<' => '%3C' , '>' => '%3E' , "'" => '%27' , '"' => '%22' ) ) ;
83
        //    if( ! empty( $_SERVER['PATH_INFO'] ) ) $_SERVER['PATH_INFO'] = strtr( @$_SERVER['PATH_INFO'] , array( '<' => '%3C' , '>' => '%3E' , "'" => '%27' , '"' => '%22' ) ) ;
84
85
        $this->_bad_globals = array(
86
            'GLOBALS',
87
            '_SESSION',
88
            'HTTP_SESSION_VARS',
89
            '_GET',
90
            'HTTP_GET_VARS',
91
            '_POST',
92
            'HTTP_POST_VARS',
93
            '_COOKIE',
94
            'HTTP_COOKIE_VARS',
95
            '_SERVER',
96
            'HTTP_SERVER_VARS',
97
            '_REQUEST',
98
            '_ENV',
99
            '_FILES',
100
            'xoopsDB',
101
            'xoopsUser',
102
            'xoopsUserId',
103
            'xoopsUserGroups',
104
            'xoopsUserIsAdmin',
105
            'xoopsConfig',
106
            'xoopsOption',
107
            'xoopsModule',
108
            'xoopsModuleConfig');
109
110
        $this->_initial_recursive($_GET, 'G');
111
        $this->_initial_recursive($_POST, 'P');
112
        $this->_initial_recursive($_COOKIE, 'C');
113
    }
114
115
    /**
116
     * @param $val
117
     * @param $key
118
     */
119
    protected function _initial_recursive($val, $key)
120
    {
121
        if (is_array($val)) {
122
            foreach ($val as $subkey => $subval) {
123
                // check bad globals
124
                if (in_array($subkey, $this->_bad_globals, true)) {
125
                    $this->message .= "Attempt to inject '$subkey' was found.\n";
126
                    $this->_safe_contami   = false;
127
                    $this->last_error_type = 'CONTAMI';
128
                }
129
                $this->_initial_recursive($subval, $key . '_' . base64_encode($subkey));
130
            }
131
        } else {
132
            // check nullbyte attack
133
            if (isset($this->_conf['san_nullbyte']) && $this->_conf['san_nullbyte'] && false !== strpos($val, chr(0))) {
134
                $val = str_replace(chr(0), ' ', $val);
135
                $this->replace_doubtful($key, $val);
136
                $this->message .= "Injecting Null-byte '$val' found.\n";
137
                $this->output_log('NullByte', 0, false, 32);
138
                // $this->purge() ;
139
            }
140
141
            // register as doubtful requests against SQL Injections
142
            if (preg_match('?[\s\'"`/]?', $val)) {
143
                $this->_doubtful_requests["$key"] = $val;
144
            }
145
        }
146
    }
147
148
    /**
149
     * @return Protector
150
     */
151
    public static function getInstance()
152
    {
153
        static $instance;
154
        if (!isset($instance)) {
155
            $instance = new Protector();
156
        }
157
158
        return $instance;
159
    }
160
161
    /**
162
     * @return bool
163
     */
164
    public function updateConfFromDb()
165
    {
166
        $constpref = '_MI_' . strtoupper($this->mydirname);
167
168
        if (empty($this->_conn)) {
169
            return false;
170
        }
171
172
        $result = @mysqli_query($this->_conn, 'SELECT conf_name,conf_value FROM ' . XOOPS_DB_PREFIX . "_config WHERE conf_title like '" . $constpref . "%'");
173
        if (!$result || mysqli_num_rows($result) < 5) {
0 ignored issues
show
Bug introduced by
It seems like $result can also be of type true; however, parameter $result of mysqli_num_rows() does only seem to accept mysqli_result, maybe add an additional type check? ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-type  annotation

173
        if (!$result || mysqli_num_rows(/** @scrutinizer ignore-type */ $result) < 5) {
Loading history...
174
            return false;
175
        }
176
        $db_conf = array();
177
        while (list($key, $val) = mysqli_fetch_row($result)) {
0 ignored issues
show
Bug introduced by
It seems like $result can also be of type true; however, parameter $result of mysqli_fetch_row() does only seem to accept mysqli_result, maybe add an additional type check? ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-type  annotation

177
        while (list($key, $val) = mysqli_fetch_row(/** @scrutinizer ignore-type */ $result)) {
Loading history...
178
            $db_conf[$key] = $val;
179
        }
180
        $db_conf_serialized = serialize($db_conf);
181
182
        // update config cache
183
        if ($db_conf_serialized != $this->_conf_serialized) {
184
            $fp = fopen($this->get_filepath4confighcache(), 'w');
185
            fwrite($fp, $db_conf_serialized);
186
            fclose($fp);
187
            $this->_conf = $db_conf;
188
        }
189
190
        return true;
191
    }
192
193
    /**
194
     * @param $conn
195
     */
196
    public function setConn($conn)
197
    {
198
        $this->_conn = $conn;
199
    }
200
201
    /**
202
     * @return array
203
     */
204
    public function getConf()
205
    {
206
        return $this->_conf;
207
    }
208
209
    /**
210
     * @param bool $redirect_to_top
211
     */
212
    public function purge($redirect_to_top = false)
213
    {
214
        $this->purgeNoExit();
215
216
        if ($redirect_to_top) {
217
            header('Location: ' . XOOPS_URL . '/');
218
            exit;
219
        } else {
220
            $ret = $this->call_filter('prepurge_exit');
221
            if ($ret == false) {
222
                die('Protector detects attacking actions');
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
223
            }
224
        }
225
    }
226
227
    public function purgeSession()
228
    {
229
        // clear all session values
230
        if (isset($_SESSION)) {
231
            foreach ($_SESSION as $key => $val) {
232
                $_SESSION[$key] = '';
233
                if (isset($GLOBALS[$key])) {
234
                    $GLOBALS[$key] = '';
235
                }
236
            }
237
        }
238
    }
239
240
    public function purgeCookies()
241
    {
242
        if (!headers_sent()) {
243
            $domain =  defined(XOOPS_COOKIE_DOMAIN) ? XOOPS_COOKIE_DOMAIN : '';
244
            $past = time() - 3600;
245
            foreach ($_COOKIE as $key => $value) {
246
                setcookie($key, '', $past, '', $domain);
247
                setcookie($key, '', $past, '/', $domain);
248
            }
249
        }
250
    }
251
252
    public function purgeNoExit()
253
    {
254
        $this->purgeSession();
255
        $this->purgeCookies();
256
    }
257
258
    public function deactivateCurrentUser()
259
    {
260
        /** @var XoopsUser $xoopsUser */
261
        global $xoopsUser;
262
263
        if (is_object($xoopsUser)) {
264
            /** @var XoopsMemberHandler */
265
            $userHandler = xoops_getHandler('user');
266
            $xoopsUser->setVar('level', 0);
267
            $actkey = substr(md5(uniqid(mt_rand(), 1)), 0, 8);
268
            $xoopsUser->setVar('actkey', $actkey);
269
            $userHandler->insert($xoopsUser);
270
        }
271
        $this->purgeNoExit();
272
    }
273
274
    /**
275
     * @param string $type
276
     * @param int    $uid
277
     * @param bool   $unique_check
278
     * @param int    $level
279
     *
280
     * @return bool
281
     */
282
    public function output_log($type = 'UNKNOWN', $uid = 0, $unique_check = false, $level = 1)
283
    {
284
        if ($this->_logged) {
285
            return true;
286
        }
287
288
        if (!($this->_conf['log_level'] & $level)) {
289
            return true;
290
        }
291
292
        if (empty($this->_conn)) {
293
            mysqli_report(MYSQLI_REPORT_OFF);
294
            $this->_conn = new mysqli(XOOPS_DB_HOST, XOOPS_DB_USER, XOOPS_DB_PASS);
295
            if (0 !== $this->_conn->connect_errno) {
296
                die('db connection failed.');
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
297
            }
298
            if (!mysqli_select_db($this->_conn, XOOPS_DB_NAME)) {
299
                die('db selection failed.');
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
300
            }
301
        }
302
303
        $ip    = \Xmf\IPAddress::fromRequest()->asReadable();
304
        $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
305
306
307
        if ($unique_check) {
308
            $result = mysqli_query($this->_conn, 'SELECT ip,type FROM ' . XOOPS_DB_PREFIX . '_' . $this->mydirname . '_log ORDER BY timestamp DESC LIMIT 1');
309
            list($last_ip, $last_type) = mysqli_fetch_row($result);
0 ignored issues
show
Bug introduced by
It seems like $result can also be of type true; however, parameter $result of mysqli_fetch_row() does only seem to accept mysqli_result, maybe add an additional type check? ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-type  annotation

309
            list($last_ip, $last_type) = mysqli_fetch_row(/** @scrutinizer ignore-type */ $result);
Loading history...
310
            if ($last_ip == $ip && $last_type == $type) {
311
                $this->_logged = true;
312
313
                return true;
314
            }
315
        }
316
317
        mysqli_query(
318
            $this->_conn,
319
            'INSERT INTO ' . XOOPS_DB_PREFIX . '_' . $this->mydirname . "_log SET ip='"
320
            . mysqli_real_escape_string($this->_conn, $ip) . "',agent='"
321
            . mysqli_real_escape_string($this->_conn, $agent) . "',type='"
322
            . mysqli_real_escape_string($this->_conn, $type) . "',description='"
323
            . mysqli_real_escape_string($this->_conn, $this->message) . "',uid='"
324
            . (int)$uid . "',timestamp=NOW()"
325
        );
326
        $this->_logged = true;
327
328
        return true;
329
    }
330
331
    /**
332
     * @param $expire
333
     *
334
     * @return bool
335
     */
336
    public function write_file_bwlimit($expire)
337
    {
338
        $expire = min((int)$expire, time() + 300);
339
340
        $fp = @fopen($this->get_filepath4bwlimit(), 'w');
341
        if ($fp) {
0 ignored issues
show
introduced by
$fp is of type false|resource, thus it always evaluated to false.
Loading history...
342
            @flock($fp, LOCK_EX);
0 ignored issues
show
Security Best Practice introduced by
It seems like you do not handle an error condition for flock(). This can introduce security issues, and is generally not recommended. ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-unhandled  annotation

342
            /** @scrutinizer ignore-unhandled */ @flock($fp, LOCK_EX);

If you suppress an error, we recommend checking for the error condition explicitly:

// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
Loading history...
343
            fwrite($fp, $expire . "\n");
344
            @flock($fp, LOCK_UN);
345
            fclose($fp);
346
347
            return true;
348
        } else {
349
            return false;
350
        }
351
    }
352
353
    /**
354
     * @return mixed
355
     */
356
    public function get_bwlimit()
357
    {
358
        list($expire) = @file(Protector::get_filepath4bwlimit());
359
        $expire = min((int)$expire, time() + 300);
360
361
        return $expire;
362
    }
363
364
    /**
365
     * @return string
366
     */
367
    public static function get_filepath4bwlimit()
368
    {
369
        return XOOPS_VAR_PATH . '/protector/bwlimit' . substr(md5(XOOPS_ROOT_PATH . XOOPS_DB_USER . XOOPS_DB_PREFIX), 0, 6);
370
    }
371
372
    /**
373
     * @param $bad_ips
374
     *
375
     * @return bool
376
     */
377
    public function write_file_badips($bad_ips)
378
    {
379
        asort($bad_ips);
380
381
        $fp = @fopen($this->get_filepath4badips(), 'w');
382
        if ($fp) {
0 ignored issues
show
introduced by
$fp is of type false|resource, thus it always evaluated to false.
Loading history...
383
            @flock($fp, LOCK_EX);
0 ignored issues
show
Security Best Practice introduced by
It seems like you do not handle an error condition for flock(). This can introduce security issues, and is generally not recommended. ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-unhandled  annotation

383
            /** @scrutinizer ignore-unhandled */ @flock($fp, LOCK_EX);

If you suppress an error, we recommend checking for the error condition explicitly:

// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
Loading history...
384
            fwrite($fp, serialize($bad_ips) . "\n");
385
            @flock($fp, LOCK_UN);
386
            fclose($fp);
387
388
            return true;
389
        } else {
390
            return false;
391
        }
392
    }
393
394
    /**
395
     * @param int  $jailed_time
396
     * @param null|string|false $ip
397
     *
398
     * @return bool
399
     */
400
    public function register_bad_ips($jailed_time = 0, $ip = null)
401
    {
402
        if (empty($ip)) {
403
            $ip = \Xmf\IPAddress::fromRequest()->asReadable();
404
        }
405
        if (empty($ip)) {
406
            return false;
407
        }
408
409
        $bad_ips      = $this->get_bad_ips(true);
410
        $bad_ips[$ip] = $jailed_time ?: 0x7fffffff;
411
412
        return $this->write_file_badips($bad_ips);
413
    }
414
415
    /**
416
     * @param bool $with_jailed_time
417
     *
418
     * @return array|mixed
419
     */
420
    public function get_bad_ips($with_jailed_time = false)
421
    {
422
        //        list($bad_ips_serialized) = @file(Protector::get_filepath4badips());
423
        $filepath4badips = @file(Protector::get_filepath4badips());
424
425
        if (is_array($filepath4badips) && isset($filepath4badips[0])) {
426
            list($bad_ips_serialized) = $filepath4badips;
427
        }
428
        $bad_ips = empty($bad_ips_serialized) ? array() : @unserialize($bad_ips_serialized, array('allowed_classes' => false));
429
        if (!is_array($bad_ips) || isset($bad_ips[0])) {
430
            $bad_ips = array();
431
        }
432
433
        // expire jailed_time
434
        $pos = 0;
435
        foreach ($bad_ips as $bad_ip => $jailed_time) {
436
            if ($jailed_time >= time()) {
437
                break;
438
            }
439
            ++$pos;
440
        }
441
        $bad_ips = array_slice($bad_ips, $pos);
442
443
        if ($with_jailed_time) {
444
            return $bad_ips;
445
        } else {
446
            return array_keys($bad_ips);
447
        }
448
    }
449
450
    /**
451
     * @return string
452
     */
453
    public static function get_filepath4badips()
454
    {
455
        return XOOPS_VAR_PATH . '/protector/badips' . substr(md5(XOOPS_ROOT_PATH . XOOPS_DB_USER . XOOPS_DB_PREFIX), 0, 6);
456
    }
457
458
    /**
459
     * @param bool $with_info
460
     *
461
     * @return array|mixed
462
     */
463
    public function get_group1_ips($with_info = false)
464
    {
465
        //        list($group1_ips_serialized) = @file(Protector::get_filepath4group1ips());
466
        $group1_ips = [];
467
        // Check if the file exists before attempting to read it
468
        $filepath = Protector::get_filepath4group1ips();
469
        if (file_exists($filepath)) {
470
            $filepath4group1ips = file($filepath);
471
            if ($filepath4group1ips === false) {
472
                // Handle the error condition when file reading fails
473
            } else {
474
                // Proceed with your logic here
475
                if (is_array($filepath4group1ips) && isset($filepath4group1ips[0])) {
476
                    list($group1_ips_serialized) = $filepath4group1ips;
477
                }
478
479
                $group1_ips = empty($group1_ips_serialized) ? array() : @unserialize($group1_ips_serialized, array('allowed_classes' => false));
480
                if (!is_array($group1_ips)) {
481
                    $group1_ips = array();
482
                }
483
484
                if ($with_info) {
485
                    $group1_ips = array_flip($group1_ips);
486
                }
487
            }
488
        } else {
489
            // File does not exist; handle this condition
490
        }
491
492
        return $group1_ips;
493
    }
494
495
    /**
496
     * @return string
497
     */
498
    public static function get_filepath4group1ips()
499
    {
500
        return XOOPS_VAR_PATH . '/protector/group1ips' . substr(md5(XOOPS_ROOT_PATH . XOOPS_DB_USER . XOOPS_DB_PREFIX), 0, 6);
501
    }
502
503
    /**
504
     * @return string
505
     */
506
    public function get_filepath4confighcache()
507
    {
508
        return XOOPS_VAR_PATH . '/protector/configcache' . substr(md5(XOOPS_ROOT_PATH . XOOPS_DB_USER . XOOPS_DB_PREFIX), 0, 6);
509
    }
510
511
    /**
512
     * @param $ips
513
     *
514
     * @return bool
515
     */
516
    public function ip_match($ips)
517
    {
518
        $requestIp = \Xmf\IPAddress::fromRequest()->asReadable();
519
        if (false === $requestIp) { // nothing to match
0 ignored issues
show
introduced by
The condition false === $requestIp is always false.
Loading history...
520
            $this->ip_matched_info = null;
521
            return false;
522
        }
523
        foreach ($ips as $ip => $info) {
524
            if ($ip) {
525
                switch (strtolower(substr($ip, -1))) {
526
                    case '.' :
527
                    case ':' :
528
                        // foward match
529
                        if (substr($requestIp, 0, strlen($ip)) == $ip) {
530
                            $this->ip_matched_info = $info;
531
                            return true;
532
                        }
533
                        break;
534
                    case '0' :
535
                    case '1' :
536
                    case '2' :
537
                    case '3' :
538
                    case '4' :
539
                    case '5' :
540
                    case '6' :
541
                    case '7' :
542
                    case '8' :
543
                    case '9' :
544
                    case 'a' :
545
                    case 'b' :
546
                    case 'c' :
547
                    case 'd' :
548
                    case 'e' :
549
                    case 'f' :
550
                        // full match
551
                        if ($requestIp == $ip) {
552
                            $this->ip_matched_info = $info;
553
                            return true;
554
                        }
555
                        break;
556
                    default :
557
                        // perl regex
558
                        if (@preg_match($ip, $requestIp)) {
559
                            $this->ip_matched_info = $info;
560
                            return true;
561
                        }
562
                        break;
563
                }
564
            }
565
        }
566
        $this->ip_matched_info = null;
567
        return false;
568
    }
569
570
    /**
571
     * @param null|string|false $ip
572
     *
573
     * @return bool
574
     */
575
    public function deny_by_htaccess($ip = null)
576
    {
577
        if (empty($ip)) {
578
            $ip = \Xmf\IPAddress::fromRequest()->asReadable();
579
        }
580
        if (empty($ip)) {
581
            return false;
582
        }
583
        if (!function_exists('file_get_contents')) {
584
            return false;
585
        }
586
587
        $target_htaccess = XOOPS_ROOT_PATH . '/.htaccess';
588
        $backup_htaccess = XOOPS_ROOT_PATH . '/uploads/.htaccess.bak';
589
590
        $ht_body = file_get_contents($target_htaccess);
591
592
        // make backup as uploads/.htaccess.bak automatically
593
        if ($ht_body && !file_exists($backup_htaccess)) {
594
            $fw = fopen($backup_htaccess, 'w');
595
            fwrite($fw, $ht_body);
596
            fclose($fw);
597
        }
598
599
        // if .htaccess is broken, restore from backup
600
        if (!$ht_body && file_exists($backup_htaccess)) {
601
            $ht_body = file_get_contents($backup_htaccess);
602
        }
603
604
        // new .htaccess
605
        if ($ht_body === false) {
606
            $ht_body = '';
607
        }
608
609
        if (preg_match("/^(.*)#PROTECTOR#\s+(DENY FROM .*)\n#PROTECTOR#\n(.*)$/si", $ht_body, $regs)) {
610
            if (substr($regs[2], -strlen($ip)) == $ip) {
611
                return true;
612
            }
613
            $new_ht_body = $regs[1] . "#PROTECTOR#\n" . $regs[2] . " $ip\n#PROTECTOR#\n" . $regs[3];
614
        } else {
615
            $new_ht_body = "#PROTECTOR#\nDENY FROM $ip\n#PROTECTOR#\n" . $ht_body;
616
        }
617
618
        // error_log( "$new_ht_body\n" , 3 , "/tmp/error_log" ) ;
619
620
        $fw = fopen($target_htaccess, 'w');
621
        @flock($fw, LOCK_EX);
0 ignored issues
show
Security Best Practice introduced by
It seems like you do not handle an error condition for flock(). This can introduce security issues, and is generally not recommended. ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-unhandled  annotation

621
        /** @scrutinizer ignore-unhandled */ @flock($fw, LOCK_EX);

If you suppress an error, we recommend checking for the error condition explicitly:

// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
Loading history...
622
        fwrite($fw, $new_ht_body);
623
        @flock($fw, LOCK_UN);
624
        fclose($fw);
625
626
        return true;
627
    }
628
629
    /**
630
     * @return array
631
     */
632
    public function getDblayertrapDoubtfuls()
633
    {
634
        return $this->_dblayertrap_doubtfuls;
635
    }
636
637
    /**
638
     * @param $val
639
     * @return null
640
     */
641
    protected function _dblayertrap_check_recursive($val)
642
    {
643
        if (is_array($val)) {
644
            foreach ($val as $subval) {
645
                $this->_dblayertrap_check_recursive($subval);
646
            }
647
        } else {
648
            if (strlen($val) < 6) {
649
                return null;
650
            }
651
            if (PHP_VERSION_ID < 50400) {
652
                if (get_magic_quotes_gpc()) {
653
                    $val = stripslashes($val);
654
                }
655
            }
656
            foreach ($this->_dblayertrap_doubtful_needles as $needle) {
657
                if (false !== stripos($val, $needle)) {
658
                    $this->_dblayertrap_doubtfuls[] = $val;
659
                }
660
            }
661
        }
662
    }
663
664
    /**
665
     * @param  bool $force_override
666
     * @return null
667
     */
668
    public function dblayertrap_init($force_override = false)
669
    {
670
        if (!empty($GLOBALS['xoopsOption']['nocommon']) || defined('_LEGACY_PREVENT_EXEC_COMMON_') || defined('_LEGACY_PREVENT_LOAD_CORE_')) {
671
            return null;
672
        } // skip
673
674
        $this->_dblayertrap_doubtfuls = array();
675
        $this->_dblayertrap_check_recursive($_GET);
676
        $this->_dblayertrap_check_recursive($_POST);
677
        $this->_dblayertrap_check_recursive($_COOKIE);
678
        if (empty($this->_conf['dblayertrap_wo_server'])) {
679
            $this->_dblayertrap_check_recursive($_SERVER);
680
        }
681
682
        if (!empty($this->_dblayertrap_doubtfuls) || $force_override) {
683
            @define('XOOPS_DB_ALTERNATIVE', 'ProtectorMysqlDatabase');
0 ignored issues
show
Security Best Practice introduced by
It seems like you do not handle an error condition for define(). This can introduce security issues, and is generally not recommended. ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-unhandled  annotation

683
            /** @scrutinizer ignore-unhandled */ @define('XOOPS_DB_ALTERNATIVE', 'ProtectorMysqlDatabase');

If you suppress an error, we recommend checking for the error condition explicitly:

// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
Loading history...
684
            require_once dirname(__DIR__) . '/class/ProtectorMysqlDatabase.class.php';
685
        }
686
    }
687
688
    /**
689
     * @param $val
690
     */
691
    protected function _bigumbrella_check_recursive($val)
692
    {
693
        if (is_array($val)) {
694
            foreach ($val as $subval) {
695
                $this->_bigumbrella_check_recursive($subval);
696
            }
697
        } else {
698
            if (preg_match('/[<\'"].{15}/s', $val, $regs)) {
699
                $this->_bigumbrella_doubtfuls[] = $regs[0];
700
            }
701
        }
702
    }
703
704
    public function bigumbrella_init()
705
    {
706
        $this->_bigumbrella_doubtfuls = array();
707
        $this->_bigumbrella_check_recursive($_GET);
708
        $this->_bigumbrella_check_recursive(isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '');
709
710
711
        if (!empty($this->_bigumbrella_doubtfuls)) {
712
            ob_start(array($this, 'bigumbrella_outputcheck'));
713
        }
714
    }
715
716
    /**
717
     * @param $s
718
     *
719
     * @return string
720
     */
721
    public function bigumbrella_outputcheck($s)
722
    {
723
        if (defined('BIGUMBRELLA_DISABLED')) {
724
            return $s;
725
        }
726
727
        if (function_exists('headers_list')) {
728
            foreach (headers_list() as $header) {
729
                if (false !== stripos($header, 'Content-Type:') && false === stripos($header, 'text/html')) {
730
                    return $s;
731
                }
732
            }
733
        }
734
735
        if (!is_array($this->_bigumbrella_doubtfuls)) {
0 ignored issues
show
introduced by
The condition is_array($this->_bigumbrella_doubtfuls) is always true.
Loading history...
736
            return 'bigumbrella injection found.';
737
        }
738
739
        foreach ($this->_bigumbrella_doubtfuls as $doubtful) {
740
            if (false !== strpos($s, $doubtful)) {
741
                return 'XSS found by Protector.';
742
            }
743
        }
744
745
        return $s;
746
    }
747
748
    /**
749
     * @return bool
750
     */
751
    public function intval_allrequestsendid()
752
    {
753
        global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;
754
755
        if ($this->_done_intval) {
756
            return true;
757
        } else {
758
            $this->_done_intval = true;
759
        }
760
761
        foreach ($_GET as $key => $val) {
762
            if (substr($key, -2) === 'id' && !is_array($_GET[$key])) {
763
                $newval     = preg_replace('/[^0-9a-zA-Z_-]/', '', $val);
764
                $_GET[$key] = $HTTP_GET_VARS[$key] = $newval;
765
                if ($_REQUEST[$key] == $_GET[$key]) {
766
                    $_REQUEST[$key] = $newval;
767
                }
768
            }
769
        }
770
        foreach ($_POST as $key => $val) {
771
            if (substr($key, -2) === 'id' && !is_array($_POST[$key])) {
772
                $newval      = preg_replace('/[^0-9a-zA-Z_-]/', '', $val);
773
                $_POST[$key] = $HTTP_POST_VARS[$key] = $newval;
774
                if ($_REQUEST[$key] == $_POST[$key]) {
775
                    $_REQUEST[$key] = $newval;
776
                }
777
            }
778
        }
779
        foreach ($_COOKIE as $key => $val) {
780
            if (substr($key, -2) === 'id' && !is_array($_COOKIE[$key])) {
781
                $newval        = preg_replace('/[^0-9a-zA-Z_-]/', '', $val);
782
                $_COOKIE[$key] = $HTTP_COOKIE_VARS[$key] = $newval;
783
                if ($_REQUEST[$key] == $_COOKIE[$key]) {
784
                    $_REQUEST[$key] = $newval;
785
                }
786
            }
787
        }
788
789
        return true;
790
    }
791
792
    /**
793
     * @return bool
794
     */
795
    public function eliminate_dotdot()
796
    {
797
        global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;
798
799
        if ($this->_done_dotdot) {
800
            return true;
801
        } else {
802
            $this->_done_dotdot = true;
803
        }
804
805
        foreach ($_GET as $key => $val) {
806
            if (is_array($_GET[$key])) {
807
                continue;
808
            }
809
            if (substr(trim($val), 0, 3) === '../' || false !== strpos($val, '/../')) {
810
                $this->last_error_type = 'DirTraversal';
811
                $this->message .= "Directory Traversal '$val' found.\n";
812
                $this->output_log($this->last_error_type, 0, false, 64);
813
                $sanitized_val = str_replace(chr(0), '', $val);
814
                if (substr($sanitized_val, -2) !== ' .') {
815
                    $sanitized_val .= ' .';
816
                }
817
                $_GET[$key] = $HTTP_GET_VARS[$key] = $sanitized_val;
818
                if ($_REQUEST[$key] == $_GET[$key]) {
819
                    $_REQUEST[$key] = $sanitized_val;
820
                }
821
            }
822
        }
823
824
        /*    foreach ($_POST as $key => $val) {
825
                if( is_array( $_POST[ $key ] ) ) continue ;
826
                if ( substr( trim( $val ) , 0 , 3 ) == '../' || false !== strpos( $val , '../../' ) ) {
827
                    $this->last_error_type = 'ParentDir' ;
828
                    $this->message .= "Doubtful file specification '$val' found.\n" ;
829
                    $this->output_log( $this->last_error_type , 0 , false , 128 ) ;
830
                    $sanitized_val = str_replace( chr(0) , '' , $val ) ;
831
                    if( substr( $sanitized_val , -2 ) != ' .' ) $sanitized_val .= ' .' ;
832
                    $_POST[ $key ] = $HTTP_POST_VARS[ $key ] = $sanitized_val ;
833
                    if ($_REQUEST[ $key ] == $_POST[ $key ]) {
834
                        $_REQUEST[ $key ] = $sanitized_val ;
835
                    }
836
                }
837
            }
838
            foreach ($_COOKIE as $key => $val) {
839
                if( is_array( $_COOKIE[ $key ] ) ) continue ;
840
                if ( substr( trim( $val ) , 0 , 3 ) == '../' || false !== strpos( $val , '../../' ) ) {
841
                    $this->last_error_type = 'ParentDir' ;
842
                    $this->message .= "Doubtful file specification '$val' found.\n" ;
843
                    $this->output_log( $this->last_error_type , 0 , false , 128 ) ;
844
                    $sanitized_val = str_replace( chr(0) , '' , $val ) ;
845
                    if( substr( $sanitized_val , -2 ) != ' .' ) $sanitized_val .= ' .' ;
846
                    $_COOKIE[ $key ] = $HTTP_COOKIE_VARS[ $key ] = $sanitized_val ;
847
                    if ($_REQUEST[ $key ] == $_COOKIE[ $key ]) {
848
                        $_REQUEST[ $key ] = $sanitized_val ;
849
                    }
850
                }
851
            }*/
852
853
        return true;
854
    }
855
856
    /**
857
     * @param $current
858
     * @param $indexes
859
     *
860
     * @return bool
861
     */
862
    public function &get_ref_from_base64index(&$current, $indexes)
863
    {
864
        foreach ($indexes as $index) {
865
            $index = base64_decode($index);
866
            if (!is_array($current)) {
867
                return false;
868
            }
869
            $current =& $current[$index];
870
        }
871
872
        return $current;
873
    }
874
875
    /**
876
     * @param $key
877
     * @param $val
878
     */
879
    public function replace_doubtful($key, $val)
880
    {
881
        global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;
882
883
        $index_expression = '';
0 ignored issues
show
Unused Code introduced by
The assignment to $index_expression is dead and can be removed.
Loading history...
884
        $indexes          = explode('_', $key);
885
        $base_array       = array_shift($indexes);
886
887
        switch ($base_array) {
888
            case 'G' :
889
                $main_ref   =& $this->get_ref_from_base64index($_GET, $indexes);
890
                $legacy_ref =& $this->get_ref_from_base64index($HTTP_GET_VARS, $indexes);
891
                break;
892
            case 'P' :
893
                $main_ref   =& $this->get_ref_from_base64index($_POST, $indexes);
894
                $legacy_ref =& $this->get_ref_from_base64index($HTTP_POST_VARS, $indexes);
895
                break;
896
            case 'C' :
897
                $main_ref   =& $this->get_ref_from_base64index($_COOKIE, $indexes);
898
                $legacy_ref =& $this->get_ref_from_base64index($HTTP_COOKIE_VARS, $indexes);
899
                break;
900
            default :
901
                exit;
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
902
        }
903
        if (!isset($main_ref)) {
904
            exit;
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
905
        }
906
        $request_ref =& $this->get_ref_from_base64index($_REQUEST, $indexes);
907
        if ($request_ref !== false && $main_ref == $request_ref) {
908
            $request_ref = $val;
909
        }
910
        $main_ref   = $val;
911
        $legacy_ref = $val;
912
    }
913
914
    /**
915
     * @return bool
916
     */
917
    public function check_uploaded_files()
918
    {
919
        if ($this->_done_badext) {
920
            return $this->_safe_badext;
921
        } else {
922
            $this->_done_badext = true;
923
        }
924
925
        // extensions never uploaded
926
        $bad_extensions = array('php', 'phtml', 'phtm', 'php3', 'php4', 'cgi', 'pl', 'asp');
927
        // extensions needed image check (anti-IE Content-Type XSS)
928
        $image_extensions = array(
929
            1  => 'gif',
930
            2  => 'jpg',
931
            3  => 'png',
932
            4  => 'swf',
933
            5  => 'psd',
934
            6  => 'bmp',
935
            7  => 'tif',
936
            8  => 'tif',
937
            9  => 'jpc',
938
            10 => 'jp2',
939
            11 => 'jpx',
940
            12 => 'jb2',
941
            13 => 'swc',
942
            14 => 'iff',
943
            15 => 'wbmp',
944
            16 => 'xbm');
945
946
        foreach ($_FILES as $_file) {
947
            if (!empty($_file['error'])) {
948
                continue;
949
            }
950
            if (!empty($_file['name']) && is_string($_file['name'])) {
951
                $ext = strtolower(substr(strrchr($_file['name'], '.'), 1));
952
                if ($ext === 'jpeg') {
953
                    $ext = 'jpg';
954
                } elseif ($ext === 'tiff') {
955
                    $ext = 'tif';
956
                }
957
958
                // anti multiple dot file (Apache mod_mime.c)
959
                if (count(explode('.', str_replace('.tar.gz', '.tgz', $_file['name']))) > 2) {
960
                    $this->message .= "Attempt to multiple dot file {$_file['name']}.\n";
961
                    $this->_safe_badext    = false;
962
                    $this->last_error_type = 'UPLOAD';
963
                }
964
965
                // anti dangerous extensions
966
                if (in_array($ext, $bad_extensions)) {
967
                    $this->message .= "Attempt to upload {$_file['name']}.\n";
968
                    $this->_safe_badext    = false;
969
                    $this->last_error_type = 'UPLOAD';
970
                }
971
972
                // anti camouflaged image file
973
                if (in_array($ext, $image_extensions)) {
974
                    $image_attributes = @getimagesize($_file['tmp_name']);
975
                    if ($image_attributes === false && is_uploaded_file($_file['tmp_name'])) {
976
                        // open_basedir restriction
977
                        $temp_file = XOOPS_ROOT_PATH . '/uploads/protector_upload_temporary' . md5(time());
978
                        move_uploaded_file($_file['tmp_name'], $temp_file);
979
                        $image_attributes = @getimagesize($temp_file);
980
                        @unlink($temp_file);
0 ignored issues
show
Security Best Practice introduced by
It seems like you do not handle an error condition for unlink(). This can introduce security issues, and is generally not recommended. ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-unhandled  annotation

980
                        /** @scrutinizer ignore-unhandled */ @unlink($temp_file);

If you suppress an error, we recommend checking for the error condition explicitly:

// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
Loading history...
981
                    }
982
983
                    if ($image_attributes === false || $image_extensions[(int)$image_attributes[2]] != $ext) {
984
                        $this->message .= "Attempt to upload camouflaged image file {$_file['name']}.\n";
985
                        $this->_safe_badext    = false;
986
                        $this->last_error_type = 'UPLOAD';
987
                    }
988
                }
989
            }
990
        }
991
992
        return $this->_safe_badext;
993
    }
994
995
    /**
996
     * @return bool
997
     */
998
    public function check_contami_systemglobals()
999
    {
1000
        /*    if( $this->_done_contami ) return $this->_safe_contami ;
1001
    else $this->_done_contami = true ; */
1002
1003
        /*    foreach ($this->_bad_globals as $bad_global) {
1004
                if ( isset( $_REQUEST[ $bad_global ] ) ) {
1005
                    $this->message .= "Attempt to inject '$bad_global' was found.\n" ;
1006
                    $this->_safe_contami = false ;
1007
                    $this->last_error_type = 'CONTAMI' ;
1008
                }
1009
            }*/
1010
1011
        return $this->_safe_contami;
1012
    }
1013
1014
    /**
1015
     * @param bool $sanitize
1016
     *
1017
     * @return bool
1018
     */
1019
    public function check_sql_isolatedcommentin($sanitize = true)
1020
    {
1021
        if ($this->_done_isocom) {
1022
            return $this->_safe_isocom;
1023
        } else {
1024
            $this->_done_isocom = true;
1025
        }
1026
1027
        foreach ($this->_doubtful_requests as $key => $val) {
1028
            $str = $val;
1029
            while ($str = strstr($str, '/*')) { /* */
1030
                $str = strstr(substr($str, 2), '*/');
1031
                if ($str === false) {
1032
                    $this->message .= "Isolated comment-in found. ($val)\n";
1033
                    if ($sanitize) {
1034
                        $this->replace_doubtful($key, $val . '*/');
1035
                    }
1036
                    $this->_safe_isocom    = false;
1037
                    $this->last_error_type = 'ISOCOM';
1038
                }
1039
            }
1040
        }
1041
1042
        return $this->_safe_isocom;
1043
    }
1044
1045
    /**
1046
     * @param bool $sanitize
1047
     *
1048
     * @return bool
1049
     */
1050
    public function check_sql_union($sanitize = true)
1051
    {
1052
        if ($this->_done_union) {
1053
            return $this->_safe_union;
1054
        } else {
1055
            $this->_done_union = true;
1056
        }
1057
1058
        foreach ($this->_doubtful_requests as $key => $val) {
1059
            $str = str_replace(array('/*', '*/'), '', preg_replace('?/\*.+\*/?sU', '', $val));
1060
            if (preg_match('/\sUNION\s+(ALL|SELECT)/i', $str)) {
1061
                $this->message .= "Pattern like SQL injection found. ($val)\n";
1062
                if ($sanitize) {
1063
                    //                    $this->replace_doubtful($key, preg_replace('/union/i', 'uni-on', $val));
1064
                    $this->replace_doubtful($key, str_ireplace('union', 'uni-on', $val));
1065
                }
1066
                $this->_safe_union     = false;
1067
                $this->last_error_type = 'UNION';
1068
            }
1069
        }
1070
1071
        return $this->_safe_union;
1072
    }
1073
1074
    /**
1075
     * @param $uid
1076
     *
1077
     * @return bool
1078
     */
1079
    public function stopforumspam($uid)
1080
    {
1081
        if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
1082
            return false;
1083
        }
1084
1085
        $result = $this->stopForumSpamLookup(
1086
            isset($_POST['email']) ? $_POST['email'] : null,
1087
            $_SERVER['REMOTE_ADDR'],
1088
            isset($_POST['uname']) ? $_POST['uname'] : null
1089
        );
1090
1091
        if (false === $result || isset($result['http_code'])) {
1092
            return false;
1093
        }
1094
1095
        $spammer = false;
1096
        if (isset($result['email']) && isset($result['email']['lastseen'])) {
1097
            $spammer = true;
1098
        }
1099
1100
        if (isset($result['ip']) && isset($result['ip']['lastseen'])) {
1101
            $last        = strtotime($result['ip']['lastseen']);
1102
            $oneMonth    = 60 * 60 * 24 * 31;
1103
            $oneMonthAgo = time() - $oneMonth;
1104
            if ($last > $oneMonthAgo) {
1105
                $spammer = true;
1106
            }
1107
        }
1108
1109
        if (!$spammer) {
1110
            return false;
1111
        }
1112
1113
        $this->last_error_type = 'SPAMMER POST';
1114
1115
        switch ($this->_conf['stopforumspam_action']) {
1116
            default :
1117
            case 'log' :
1118
                break;
1119
            case 'san' :
1120
                $_POST = array();
1121
                $this->message .= 'POST deleted for IP:' . $_SERVER['REMOTE_ADDR'];
1122
                break;
1123
            case 'biptime0' :
1124
                $_POST = array();
1125
                $this->message .= 'BAN and POST deleted for IP:' . $_SERVER['REMOTE_ADDR'];
1126
                $this->_should_be_banned_time0 = true;
1127
                break;
1128
            case 'bip' :
1129
                $_POST = array();
1130
                $this->message .= 'Ban and POST deleted for IP:' . $_SERVER['REMOTE_ADDR'];
1131
                $this->_should_be_banned = true;
1132
                break;
1133
        }
1134
1135
        $this->output_log($this->last_error_type, $uid, false, 16);
1136
1137
        return true;
1138
    }
1139
1140
    public function stopForumSpamLookup($email, $ip, $username)
1141
    {
1142
        if (!function_exists('curl_init')) {
1143
            return false;
1144
        }
1145
1146
        $query = '';
1147
        $query .= (empty($ip)) ? '' : '&ip=' . $ip;
1148
        $query .= (empty($email)) ? '' : '&email=' . $email;
1149
        $query .= (empty($username)) ? '' : '&username=' . $username;
1150
1151
        if (empty($query)) {
1152
            return false;
1153
        }
1154
1155
        $url = 'http://www.stopforumspam.com/api?f=json' . $query;
1156
        $ch  = curl_init();
1157
        curl_setopt($ch, CURLOPT_URL, $url);
1158
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
1159
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
1160
        $result = curl_exec($ch);
1161
        if (false === $result) {
1162
            $result = curl_getinfo($ch);
1163
        } else {
1164
            $result = json_decode(curl_exec($ch), true);
0 ignored issues
show
Bug introduced by
It seems like curl_exec($ch) can also be of type true; however, parameter $json of json_decode() does only seem to accept string, maybe add an additional type check? ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-type  annotation

1164
            $result = json_decode(/** @scrutinizer ignore-type */ curl_exec($ch), true);
Loading history...
1165
        }
1166
        curl_close($ch);
1167
1168
        return $result;
1169
    }
1170
1171
    /**
1172
     * @param int  $uid
1173
     * @param bool $can_ban
1174
     *
1175
     * @return bool
1176
     */
1177
    public function check_dos_attack($uid = 0, $can_ban = false)
1178
    {
1179
        global $xoopsDB;
1180
1181
        if ($this->_done_dos) {
1182
            return true;
1183
        }
1184
1185
        $ip      = \Xmf\IPAddress::fromRequest();
1186
        if (false === $ip->asReadable()) {
0 ignored issues
show
introduced by
The condition false === $ip->asReadable() is always false.
Loading history...
1187
            return true;
1188
        }
1189
        $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
1190
1191
        $ip4sql  = $xoopsDB->quote($ip->asReadable());
1192
        $uri4sql = $xoopsDB->quote($uri);
1193
1194
        // gargage collection
1195
        $result = $xoopsDB->queryF(
1196
            'DELETE FROM ' . $xoopsDB->prefix($this->mydirname . '_access')
1197
            . ' WHERE expire < UNIX_TIMESTAMP()'
1198
        );
1199
1200
        // for older versions before updating this module
1201
        if ($result === false) {
1202
            $this->_done_dos = true;
1203
1204
            return true;
1205
        }
1206
1207
        // sql for recording access log (INSERT should be placed after SELECT)
1208
        $sql4insertlog = 'INSERT INTO ' . $xoopsDB->prefix($this->mydirname . '_access')
1209
                         . " SET ip={$ip4sql}, request_uri={$uri4sql},"
1210
                         . " expire=UNIX_TIMESTAMP()+'" . (int)$this->_conf['dos_expire'] . "'";
1211
1212
        // bandwidth limitation
1213
        if (isset($this->_conf['bwlimit_count']) && $this->_conf['bwlimit_count'] >= 10) {
1214
            $sql = 'SELECT COUNT(*) FROM ' . $xoopsDB->prefix($this->mydirname . '_access');
1215
            $result = $xoopsDB->query($sql);
1216
            if ($xoopsDB->isResultSet($result)) {
1217
                list($bw_count) = $xoopsDB->fetchRow($result);
1218
                if ($bw_count > $this->_conf['bwlimit_count']) {
1219
                    $this->write_file_bwlimit(time() + $this->_conf['dos_expire']);
1220
                }
1221
            }
1222
        }
1223
1224
        // F5 attack check (High load & same URI)
1225
1226
        $sql = 'SELECT COUNT(*) FROM ' . $xoopsDB->prefix($this->mydirname . '_access') . " WHERE ip={$ip4sql} AND request_uri={$uri4sql}";
1227
        $result = $xoopsDB->query($sql);
1228
        if (!$xoopsDB->isResultSet($result)) {
1229
            throw new \RuntimeException(
1230
                \sprintf(_DB_QUERY_ERROR, $sql) . $xoopsDB->error(), E_USER_ERROR
1231
            );
1232
        }
1233
        list($f5_count) = $xoopsDB->fetchRow($result);
1234
        if ($f5_count > $this->_conf['dos_f5count']) {
1235
1236
            // delayed insert
1237
            $xoopsDB->queryF($sql4insertlog);
1238
1239
            // extends the expires of the IP with 5 minutes at least (pending)
1240
            // $result = $xoopsDB->queryF( "UPDATE ".$xoopsDB->prefix($this->mydirname.'_access')." SET expire=UNIX_TIMESTAMP()+300 WHERE ip='$ip4sql' AND expire<UNIX_TIMESTAMP()+300" ) ;
1241
1242
            // call the filter first
1243
            $ret = $this->call_filter('f5attack_overrun');
0 ignored issues
show
Unused Code introduced by
The assignment to $ret is dead and can be removed.
Loading history...
1244
1245
            // actions for F5 Attack
1246
            $this->_done_dos       = true;
1247
            $this->last_error_type = 'DoS';
1248
            switch ($this->_conf['dos_f5action']) {
1249
                default :
1250
                case 'exit' :
1251
                    $this->output_log($this->last_error_type, $uid, true, 16);
1252
                    exit;
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
1253
                case 'none' :
1254
                    $this->output_log($this->last_error_type, $uid, true, 16);
1255
1256
                    return true;
1257
                case 'biptime0' :
1258
                    if ($can_ban) {
1259
                        $this->register_bad_ips(time() + $this->_conf['banip_time0']);
1260
                    }
1261
                    break;
1262
                case 'bip' :
1263
                    if ($can_ban) {
1264
                        $this->register_bad_ips();
1265
                    }
1266
                    break;
1267
                case 'hta' :
1268
                    if ($can_ban) {
1269
                        $this->deny_by_htaccess();
1270
                    }
1271
                    break;
1272
                case 'sleep' :
1273
                    sleep(5);
1274
                    break;
1275
            }
1276
1277
            return false;
1278
        }
1279
1280
        // Check its Agent
1281
        if (trim($this->_conf['dos_crsafe']) != '' && isset($_SERVER['HTTP_USER_AGENT']) && preg_match($this->_conf['dos_crsafe'], $_SERVER['HTTP_USER_AGENT'])) {
1282
            // welcomed crawler
1283
            $this->_done_dos = true;
1284
1285
            return true;
1286
        }
1287
1288
        // Crawler check (High load & different URI)
1289
        $sql = 'SELECT COUNT(*) FROM ' . $xoopsDB->prefix($this->mydirname . '_access') . " WHERE ip={$ip4sql}";
1290
        $result = $xoopsDB->query($sql);
1291
        if (!$xoopsDB->isResultSet($result)) {
1292
            return false;
1293
        }
1294
        list($crawler_count) = $xoopsDB->fetchRow($result);
1295
1296
        // delayed insert
1297
        $xoopsDB->queryF($sql4insertlog);
1298
1299
        if ($crawler_count > $this->_conf['dos_crcount']) {
1300
1301
            // call the filter first
1302
            $ret = $this->call_filter('crawler_overrun');
1303
1304
            // actions for bad Crawler
1305
            $this->_done_dos       = true;
1306
            $this->last_error_type = 'CRAWLER';
1307
            switch ($this->_conf['dos_craction']) {
1308
                default :
1309
                case 'exit' :
1310
                    $this->output_log($this->last_error_type, $uid, true, 16);
1311
                    exit;
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
1312
                case 'none' :
1313
                    $this->output_log($this->last_error_type, $uid, true, 16);
1314
1315
                    return true;
1316
                case 'biptime0' :
1317
                    if ($can_ban) {
1318
                        $this->register_bad_ips(time() + $this->_conf['banip_time0']);
1319
                    }
1320
                    break;
1321
                case 'bip' :
1322
                    if ($can_ban) {
1323
                        $this->register_bad_ips();
1324
                    }
1325
                    break;
1326
                case 'hta' :
1327
                    if ($can_ban) {
1328
                        $this->deny_by_htaccess();
1329
                    }
1330
                    break;
1331
                case 'sleep' :
1332
                    sleep(5);
1333
                    break;
1334
            }
1335
1336
            return false;
1337
        }
1338
1339
        return true;
1340
    }
1341
1342
    //
1343
    /**
1344
     * @return bool|null
1345
     */
1346
    public function check_brute_force()
1347
    {
1348
        global $xoopsDB;
1349
1350
        $ip      = \Xmf\IPAddress::fromRequest();
1351
        if (false === $ip->asReadable()) {
0 ignored issues
show
introduced by
The condition false === $ip->asReadable() is always false.
Loading history...
1352
            return true;
1353
        }
1354
        $uri     = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
1355
        $ip4sql  = $xoopsDB->quote($ip->asReadable());
1356
        $uri4sql = $xoopsDB->quote($uri);
1357
1358
        $victim_uname = empty($_COOKIE['autologin_uname']) ? $_POST['uname'] : $_COOKIE['autologin_uname'];
1359
        // some UA send 'deleted' as a value of the deleted cookie.
1360
        if ($victim_uname === 'deleted') {
1361
            return null;
1362
        }
1363
        $mal4sql = $xoopsDB->quote("BRUTE FORCE: $victim_uname");
1364
1365
        // gargage collection
1366
        $result = $xoopsDB->queryF(
0 ignored issues
show
Unused Code introduced by
The assignment to $result is dead and can be removed.
Loading history...
1367
            'DELETE FROM ' . $xoopsDB->prefix($this->mydirname . '_access') . ' WHERE expire < UNIX_TIMESTAMP()'
1368
        );
1369
1370
        // sql for recording access log (INSERT should be placed after SELECT)
1371
        $sql4insertlog = 'INSERT INTO ' . $xoopsDB->prefix($this->mydirname . '_access')
1372
                         . " SET ip={$ip4sql}, request_uri={$uri4sql}, malicious_actions={$mal4sql}, expire=UNIX_TIMESTAMP()+600";
1373
1374
        // count check
1375
        $bf_count = 0;
0 ignored issues
show
Unused Code introduced by
The assignment to $bf_count is dead and can be removed.
Loading history...
1376
        $sql = 'SELECT COUNT(*) FROM ' . $xoopsDB->prefix($this->mydirname . '_access') . " WHERE ip={$ip4sql} AND malicious_actions like 'BRUTE FORCE:%'";
1377
        $result = $xoopsDB->query($sql);
1378
        if ($xoopsDB->isResultSet($result)) {
1379
            list($bf_count) = $xoopsDB->fetchRow($result);
1380
        } else {
1381
            throw new \RuntimeException(
1382
                \sprintf(_DB_QUERY_ERROR, $sql) . $xoopsDB->error(), E_USER_ERROR
1383
            );
1384
        }
1385
        if ($bf_count > $this->_conf['bf_count']) {
1386
            $this->register_bad_ips(time() + $this->_conf['banip_time0']);
1387
            $this->last_error_type = 'BruteForce';
1388
            $this->message .= "Trying to login as '" . addslashes($victim_uname) . "' found.\n";
1389
            $this->output_log('BRUTE FORCE', 0, true, 1);
1390
            $ret = $this->call_filter('bruteforce_overrun');
1391
            if ($ret == false) {
1392
                exit;
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
1393
            }
1394
        }
1395
        // delayed insert
1396
        $xoopsDB->queryF($sql4insertlog);
1397
        return null;
1398
    }
1399
1400
    /**
1401
     * @param $val
1402
     */
1403
    protected function _spam_check_point_recursive($val)
1404
    {
1405
        if (is_array($val)) {
1406
            foreach ($val as $subval) {
1407
                $this->_spam_check_point_recursive($subval);
1408
            }
1409
        } else {
1410
            // http_host
1411
            $path_array = parse_url(XOOPS_URL);
1412
            $http_host  = empty($path_array['host']) ? 'www.xoops.org' : $path_array['host'];
1413
1414
            // count URI up
1415
            $count = -1;
1416
            foreach (preg_split('#https?\:\/\/#i', $val) as $fragment) {
1417
                if (strncmp($fragment, $http_host, strlen($http_host)) !== 0) {
1418
                    ++$count;
1419
                }
1420
            }
1421
            if ($count > 0) {
1422
                $this->_spamcount_uri += $count;
1423
            }
1424
1425
            // count BBCode likd [url=www....] up (without [url=http://...])
1426
            $this->_spamcount_uri += count(preg_split('/\[url=(?!http|\\"http|\\\'http|' . $http_host . ')/i', $val)) - 1;
1427
        }
1428
    }
1429
1430
    /**
1431
     * @param $points4deny
1432
     * @param $uid
1433
     */
1434
    public function spam_check($points4deny, $uid)
1435
    {
1436
        $this->_spamcount_uri = 0;
1437
        $this->_spam_check_point_recursive($_POST);
1438
1439
        if ($this->_spamcount_uri >= $points4deny) {
1440
            $this->message .= (isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '') . " SPAM POINT: $this->_spamcount_uri\n";
1441
            $this->output_log('URI SPAM', $uid, false, 128);
1442
            $ret = $this->call_filter('spamcheck_overrun');
1443
            if ($ret == false) {
1444
                exit;
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
1445
            }
1446
        }
1447
    }
1448
1449
    public function disable_features()
1450
    {
1451
        global $HTTP_POST_VARS, $HTTP_GET_VARS, $HTTP_COOKIE_VARS;
1452
1453
        // disable "Notice: Undefined index: ..."
1454
        $error_reporting_level = error_reporting(0);
1455
1456
        //
1457
        // bit 1 : disable XMLRPC , criteria bug
1458
        //
1459
        if ($this->_conf['disable_features'] & 1) {
1460
1461
            // zx 2005/1/5 disable xmlrpc.php in root
1462
            if (isset($_SERVER['SCRIPT_NAME']) && substr($_SERVER['SCRIPT_NAME'], -10) === 'xmlrpc.php') {
1463
                $this->output_log('xmlrpc', 0, true, 1);
1464
                exit;
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
1465
            }
1466
1467
            // security bug of class/criteria.php 2005/6/27
1468
            if ((isset($_POST['uname']) && $_POST['uname'] === '0') || (isset($_COOKIE['autologin_pass']) && $_COOKIE['autologin_pass'] === '0')) {
1469
                $this->output_log('CRITERIA');
1470
                exit;
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
1471
            }
1472
        }
1473
1474
        //
1475
        // bit 11 : XSS+CSRFs in XOOPS < 2.0.10
1476
        //
1477
        if ($this->_conf['disable_features'] & 1024) {
1478
1479
            // root controllers
1480
            if (isset($_SERVER['SCRIPT_NAME']) && false === stripos($_SERVER['SCRIPT_NAME'], 'modules')) {
1481
                // zx 2004/12/13 misc.php debug (file check)
1482
                if (substr($_SERVER['SCRIPT_NAME'], -8) === 'misc.php' && ((isset($_GET['type']) && $_GET['type'] === 'debug') || (isset($_POST['type']) && $_POST['type'] === 'debug')) && isset($_GET['file']) && !preg_match('/^dummy_\d+\.html$/', $_GET['file'])) {
1483
                    $this->output_log('misc debug');
1484
                    exit;
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
1485
                }
1486
1487
                // zx 2004/12/13 misc.php smilies
1488
                if (substr($_SERVER['SCRIPT_NAME'], -8) === 'misc.php' && ((isset($_GET['type']) && $_GET['type'] === 'smilies') || (isset($_POST['type']) && $_POST['type'] === 'smilies')) && isset($_GET['target']) && !preg_match('/^[0-9a-z_]*$/i', $_GET['target'])) {
1489
                    $this->output_log('misc smilies');
1490
                    exit;
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
1491
                }
1492
1493
                // zx 2005/1/5 edituser.php avatarchoose
1494
                if (substr($_SERVER['SCRIPT_NAME'], -12) === 'edituser.php' && isset($_POST['op']) && $_POST['op'] === 'avatarchoose' && isset($_POST['user_avatar']) && false !== strpos($_POST['user_avatar'], '..')) {
1495
                    $this->output_log('edituser avatarchoose');
1496
                    exit;
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
1497
                }
1498
            }
1499
1500
            // zx 2005/1/4 findusers
1501
            if (isset($_SERVER['SCRIPT_NAME']) && substr($_SERVER['SCRIPT_NAME'], -24) === 'modules/system/admin.php' && ((isset($_GET['fct']) && $_GET['fct'] === 'findusers') || (isset($_POST['fct']) && $_POST['fct'] === 'findusers'))) {
1502
                foreach ($_POST as $key => $val) {
1503
                    if (false !== strpos($key, "'") || false !== strpos($val, "'")) {
1504
                        $this->output_log('findusers');
1505
                        exit;
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
1506
                    }
1507
                }
1508
            }
1509
1510
            // preview CSRF zx 2004/12/14
1511
            // news submit.php
1512
            if (isset($_SERVER['SCRIPT_NAME']) && substr($_SERVER['SCRIPT_NAME'], -23) === 'modules/news/submit.php' && isset($_POST['preview']) && isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], XOOPS_URL . '/modules/news/submit.php') !== 0) {
1513
                $HTTP_POST_VARS['nohtml'] = $_POST['nohtml'] = 1;
1514
            }
1515
            // news admin/index.php
1516
            if (isset($_SERVER['SCRIPT_NAME']) && substr($_SERVER['SCRIPT_NAME'], -28) === 'modules/news/admin/index.php' && ($_POST['op'] === 'preview' || $_GET['op'] === 'preview') && isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], XOOPS_URL . '/modules/news/admin/index.php') !== 0) {
1517
                $HTTP_POST_VARS['nohtml'] = $_POST['nohtml'] = 1;
1518
            }
1519
            // comment comment_post.php
1520
            if (isset($_POST['com_dopreview']) && isset($_SERVER['HTTP_REFERER']) && false === strpos(substr($_SERVER['HTTP_REFERER'], -16), 'comment_post.php')) {
1521
                $HTTP_POST_VARS['dohtml'] = $_POST['dohtml'] = 0;
1522
            }
1523
            // disable preview of system's blocksadmin
1524
            if (isset($_SERVER['SCRIPT_NAME']) && substr($_SERVER['SCRIPT_NAME'], -24) === 'modules/system/admin.php' && ($_GET['fct'] === 'blocksadmin' || $_POST['fct'] === 'blocksadmin') && isset($_POST['previewblock'])) {
1525
                die("Danger! don't use this preview. Use 'altsys module' instead.(by Protector)");
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
1526
            }
1527
            // tpl preview
1528
            if (isset($_SERVER['SCRIPT_NAME']) && substr($_SERVER['SCRIPT_NAME'], -24) === 'modules/system/admin.php' && ($_GET['fct'] === 'tplsets' || $_POST['fct'] === 'tplsets')) {
1529
                if ($_POST['op'] === 'previewpopup' || $_GET['op'] === 'previewpopup' || isset($_POST['previewtpl'])) {
1530
                    die("Danger! don't use this preview.(by Protector)");
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
1531
                }
1532
            }
1533
        }
1534
1535
        // restore reporting level
1536
        error_reporting($error_reporting_level);
1537
    }
1538
1539
    /**
1540
     * @param string $type
1541
     * @param string $dying_message
1542
     *
1543
     * @return int|mixed
1544
     */
1545
    public function call_filter($type, $dying_message = '')
1546
    {
1547
        require_once __DIR__ . '/ProtectorFilter.php';
1548
        $filter_handler = ProtectorFilterHandler::getInstance();
1549
        $ret            = $filter_handler->execute($type);
1550
        if ($ret == false && $dying_message) {
0 ignored issues
show
Bug Best Practice introduced by
It seems like you are loosely comparing $ret of type integer to the boolean false. If you are specifically checking for 0, consider using something more explicit like === 0 instead.
Loading history...
1551
            die($dying_message);
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
1552
        }
1553
1554
        return $ret;
1555
    }
1556
}
1557