mambax7 /
XoopsCore25
| Conditions | 63 |
| Paths | > 20000 |
| Total Lines | 183 |
| Code Lines | 102 |
| Lines | 27 |
| Ratio | 14.75 % |
| Changes | 0 | ||
Small methods make your code easier to understand, in particular if combined with a good name. Besides, if your method is small, finding a good name is usually much easier.
For example, if you find yourself adding comments to a method's body, this is usually a good sign to extract the commented part to a new method, and use the comment as a starting point when coming up with a good name for this new method.
Commonly applied refactorings include:
If many parameters/temporary variables are present:
| 1 | <?php |
||
| 6 | function protector_postcommon() |
||
| 7 | { |
||
| 8 | global $xoopsUser, $xoopsModule; |
||
|
|
|||
| 9 | |||
| 10 | // patch for 2.2.x from xoops.org (I know this is not so beautiful...) |
||
| 11 | if (substr(@XOOPS_VERSION, 6, 3) > 2.0 && false !== stripos(@$_SERVER['REQUEST_URI'], 'modules/system/admin.php?fct=preferences')) { |
||
| 12 | /* @var $module_handler XoopsModuleHandler */ |
||
| 13 | $module_handler = xoops_getHandler('module'); |
||
| 14 | $module = $module_handler->get((int)(@$_GET['mod'])); |
||
| 15 | if (is_object($module)) { |
||
| 16 | $module->getInfo(); |
||
| 17 | } |
||
| 18 | } |
||
| 19 | |||
| 20 | // configs writable check |
||
| 21 | if (@$_SERVER['REQUEST_URI'] === '/admin.php' && !is_writable(dirname(__DIR__) . '/configs')) { |
||
| 22 | trigger_error('You should turn the directory ' . dirname(__DIR__) . '/configs writable', E_USER_WARNING); |
||
| 23 | } |
||
| 24 | |||
| 25 | // Protector object |
||
| 26 | require_once dirname(__DIR__) . '/class/protector.php'; |
||
| 27 | $db = XoopsDatabaseFactory::getDatabaseConnection(); |
||
| 28 | $protector = Protector::getInstance(); |
||
| 29 | $protector->setConn($db->conn); |
||
| 30 | $protector->updateConfFromDb(); |
||
| 31 | $conf = $protector->getConf(); |
||
| 32 | if (empty($conf)) { |
||
| 33 | return true; |
||
| 34 | } // not installed yet |
||
| 35 | |||
| 36 | // phpmailer vulnerability |
||
| 37 | // http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/ |
||
| 38 | if (in_array(substr(XOOPS_VERSION, 0, 12), array('XOOPS 2.0.16', 'XOOPS 2.0.13', 'XOOPS 2.2.4'))) { |
||
| 39 | /* @var $config_handler XoopsConfigHandler */ |
||
| 40 | $config_handler = xoops_getHandler('config'); |
||
| 41 | $xoopsMailerConfig = $config_handler->getConfigsByCat(XOOPS_CONF_MAILER); |
||
| 42 | if ($xoopsMailerConfig['mailmethod'] === 'sendmail' && md5_file(XOOPS_ROOT_PATH . '/class/mail/phpmailer/class.phpmailer.php') === 'ee1c09a8e579631f0511972f929fe36a') { |
||
| 43 | echo '<strong>phpmailer security hole! Change the preferences of mail from "sendmail" to another, or upgrade the core right now! (message by protector)</strong>'; |
||
| 44 | } |
||
| 45 | } |
||
| 46 | |||
| 47 | // global enabled or disabled |
||
| 48 | if (!empty($conf['global_disabled'])) { |
||
| 49 | return true; |
||
| 50 | } |
||
| 51 | |||
| 52 | // group1_ips (groupid=1) |
||
| 53 | if (is_object($xoopsUser) && in_array(1, $xoopsUser->getGroups())) { |
||
| 54 | $group1_ips = $protector->get_group1_ips(true); |
||
| 55 | if (implode('', array_keys($group1_ips))) { |
||
| 56 | $group1_allow = $protector->ip_match($group1_ips); |
||
| 57 | if (empty($group1_allow)) { |
||
| 58 | die('This account is disabled for your IP by Protector.<br>Clear cookie if you want to access this site as a guest.'); |
||
| 59 | } |
||
| 60 | } |
||
| 61 | } |
||
| 62 | |||
| 63 | // reliable ips |
||
| 64 | $reliable_ips = @unserialize(@$conf['reliable_ips']); |
||
| 65 | if (is_array($reliable_ips)) { |
||
| 66 | View Code Duplication | foreach ($reliable_ips as $reliable_ip) { |
|
| 67 | if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $_SERVER['REMOTE_ADDR'])) { |
||
| 68 | return true; |
||
| 69 | } |
||
| 70 | } |
||
| 71 | } |
||
| 72 | |||
| 73 | // user information (uid and can be banned) |
||
| 74 | if (is_object(@$xoopsUser)) { |
||
| 75 | $uid = $xoopsUser->getVar('uid'); |
||
| 76 | $can_ban = count(@array_intersect($xoopsUser->getGroups(), @unserialize(@$conf['bip_except']))) ? false : true; |
||
| 77 | } else { |
||
| 78 | // login failed check |
||
| 79 | if ((!empty($_POST['uname']) && !empty($_POST['pass'])) || (!empty($_COOKIE['autologin_uname']) && !empty($_COOKIE['autologin_pass']))) { |
||
| 80 | $protector->check_brute_force(); |
||
| 81 | } |
||
| 82 | $uid = 0; |
||
| 83 | $can_ban = true; |
||
| 84 | } |
||
| 85 | // CHECK for spammers IPS/EMAILS during POST Actions |
||
| 86 | if (@$conf['stopforumspam_action'] !== 'none') { |
||
| 87 | $protector->stopforumspam($uid); |
||
| 88 | } |
||
| 89 | |||
| 90 | // If precheck has already judged that he should be banned |
||
| 91 | if ($can_ban && $protector->_should_be_banned) { |
||
| 92 | $protector->register_bad_ips(); |
||
| 93 | } elseif ($can_ban && $protector->_should_be_banned_time0) { |
||
| 94 | $protector->register_bad_ips(time() + $protector->_conf['banip_time0']); |
||
| 95 | } |
||
| 96 | |||
| 97 | // DOS/CRAWLER skipping based on 'dirname' or getcwd() |
||
| 98 | $dos_skipping = false; |
||
| 99 | $skip_dirnames = explode('|', @$conf['dos_skipmodules']); |
||
| 100 | if (!is_array($skip_dirnames)) { |
||
| 101 | $skip_dirnames = array(); |
||
| 102 | } |
||
| 103 | if (is_object(@$xoopsModule)) { |
||
| 104 | if (in_array($xoopsModule->getVar('dirname'), $skip_dirnames)) { |
||
| 105 | $dos_skipping = true; |
||
| 106 | } |
||
| 107 | } else { |
||
| 108 | foreach ($skip_dirnames as $skip_dirname) { |
||
| 109 | if ($skip_dirname && false !== strpos(getcwd(), $skip_dirname)) { |
||
| 110 | $dos_skipping = true; |
||
| 111 | break; |
||
| 112 | } |
||
| 113 | } |
||
| 114 | } |
||
| 115 | |||
| 116 | // module can controll DoS skipping |
||
| 117 | if (defined('PROTECTOR_SKIP_DOS_CHECK')) { |
||
| 118 | $dos_skipping = true; |
||
| 119 | } |
||
| 120 | |||
| 121 | // DoS Attack |
||
| 122 | if (empty($dos_skipping) && !$protector->check_dos_attack($uid, $can_ban)) { |
||
| 123 | $protector->output_log($protector->last_error_type, $uid, true, 16); |
||
| 124 | } |
||
| 125 | |||
| 126 | // check session hi-jacking |
||
| 127 | $masks = @$conf['session_fixed_topbit']; |
||
| 128 | $maskArray = explode('/', $masks); |
||
| 129 | $ipv4Mask = empty($maskArray[0]) ? 24 : $maskArray[0]; |
||
| 130 | $ipv6Mask = (!isset($maskArray[1])) ? 56 : $maskArray[1]; |
||
| 131 | $ip = \Xmf\IPAddress::fromRequest(); |
||
| 132 | $maskCheck = true; |
||
| 133 | if (isset($_SESSION['protector_last_ip'])) { |
||
| 134 | $maskCheck = $ip->sameSubnet($_SESSION['protector_last_ip'], $ipv4Mask, $ipv6Mask); |
||
| 135 | } |
||
| 136 | if (!$maskCheck) { |
||
| 137 | if (is_object($xoopsUser) && count(array_intersect($xoopsUser->getGroups(), unserialize($conf['groups_denyipmove'])))) { |
||
| 138 | $protector->purge(true); |
||
| 139 | } |
||
| 140 | } |
||
| 141 | $_SESSION['protector_last_ip'] = $ip->asReadable(); |
||
| 142 | |||
| 143 | // SQL Injection "Isolated /*" |
||
| 144 | View Code Duplication | if (!$protector->check_sql_isolatedcommentin(@$conf['isocom_action'] & 1)) { |
|
| 145 | if (($conf['isocom_action'] & 8) && $can_ban) { |
||
| 146 | $protector->register_bad_ips(); |
||
| 147 | } elseif (($conf['isocom_action'] & 4) && $can_ban) { |
||
| 148 | $protector->register_bad_ips(time() + $protector->_conf['banip_time0']); |
||
| 149 | } |
||
| 150 | $protector->output_log('ISOCOM', $uid, true, 32); |
||
| 151 | if ($conf['isocom_action'] & 2) { |
||
| 152 | $protector->purge(); |
||
| 153 | } |
||
| 154 | } |
||
| 155 | |||
| 156 | // SQL Injection "UNION" |
||
| 157 | View Code Duplication | if (!$protector->check_sql_union(@$conf['union_action'] & 1)) { |
|
| 158 | if (($conf['union_action'] & 8) && $can_ban) { |
||
| 159 | $protector->register_bad_ips(); |
||
| 160 | } elseif (($conf['union_action'] & 4) && $can_ban) { |
||
| 161 | $protector->register_bad_ips(time() + $protector->_conf['banip_time0']); |
||
| 162 | } |
||
| 163 | $protector->output_log('UNION', $uid, true, 32); |
||
| 164 | if ($conf['union_action'] & 2) { |
||
| 165 | $protector->purge(); |
||
| 166 | } |
||
| 167 | } |
||
| 168 | |||
| 169 | if (!empty($_POST)) { |
||
| 170 | // SPAM Check |
||
| 171 | if (is_object($xoopsUser)) { |
||
| 172 | if (!$xoopsUser->isAdmin() && $conf['spamcount_uri4user']) { |
||
| 173 | $protector->spam_check((int)$conf['spamcount_uri4user'], $xoopsUser->getVar('uid')); |
||
| 174 | } |
||
| 175 | } elseif ($conf['spamcount_uri4guest']) { |
||
| 176 | $protector->spam_check((int)$conf['spamcount_uri4guest'], 0); |
||
| 177 | } |
||
| 178 | |||
| 179 | // filter plugins for POST on postcommon stage |
||
| 180 | $protector->call_filter('postcommon_post'); |
||
| 181 | } |
||
| 182 | |||
| 183 | // register.php Protection - both core and profile module have a register.php |
||
| 184 | // There should be an event to trigger this check instead of filename sniffing. |
||
| 185 | if (basename($_SERVER['SCRIPT_FILENAME']) == 'register.php') { |
||
| 186 | $protector->call_filter('postcommon_register'); |
||
| 187 | } |
||
| 188 | return null; |
||
| 189 | } |
||
| 190 |
Loading history...
Instead of relying on
globalstate, we recommend one of these alternatives:1. Pass all data via parameters
2. Create a class that maintains your state