@@ -50,11 +50,9 @@ |
||
| 50 | 50 | $port and !is_numeric($socket = $port) |
| 51 | 51 | and (!$host or $host=='localhost')) { |
| 52 | 52 | $link = @mysqli_connect($host, $login, $pass, '', null, $socket); |
| 53 | - } |
|
| 54 | - elseif ($port) { |
|
| 53 | + } elseif ($port) { |
|
| 55 | 54 | $link = @mysqli_connect($host, $login, $pass, '', $port); |
| 56 | - } |
|
| 57 | - else { |
|
| 55 | + } else { |
|
| 58 | 56 | $link = @mysqli_connect($host, $login, $pass); |
| 59 | 57 | } |
| 60 | 58 | |
@@ -1256,8 +1256,9 @@ |
||
| 1256 | 1256 | $http_noproxy = " $http_noproxy "; |
| 1257 | 1257 | $domain = $host; |
| 1258 | 1258 | // si le domaine exact www.example.org est dans les exceptions |
| 1259 | - if (strpos($http_noproxy, " $domain ") !== false) |
|
| 1260 | - return ''; |
|
| 1259 | + if (strpos($http_noproxy, " $domain ") !== false) { |
|
| 1260 | + return ''; |
|
| 1261 | + } |
|
| 1261 | 1262 | |
| 1262 | 1263 | while (strpos($domain, '.') !== false) { |
| 1263 | 1264 | $domain = explode('.', $domain); |
@@ -974,8 +974,9 @@ |
||
| 974 | 974 | static $tables = array(); |
| 975 | 975 | if (!isset($tables[$serveur])){ |
| 976 | 976 | $tables[$serveur] = array(); |
| 977 | - if (!function_exists("sql_alltable")) |
|
| 978 | - include_spip("base/abstract_sql"); |
|
| 977 | + if (!function_exists("sql_alltable")) { |
|
| 978 | + include_spip("base/abstract_sql"); |
|
| 979 | + } |
|
| 979 | 980 | $ts = sql_alltable('%',$serveur); // toutes les tables |
| 980 | 981 | foreach ($ts as $t){ |
| 981 | 982 | $tables[$serveur][$t] = $t; |
@@ -555,11 +555,9 @@ discard block |
||
| 555 | 555 | if (!isset($msg[$p])) { |
| 556 | 556 | if (isset($resume['erreur']) and $resume['erreur']) { |
| 557 | 557 | $msg[$p] = array($resume['erreur']); |
| 558 | - } |
|
| 559 | - elseif (!plugin_version_compatible($k['compatibilite'], $GLOBALS['spip_version_branche'], 'spip')) { |
|
| 558 | + } elseif (!plugin_version_compatible($k['compatibilite'], $GLOBALS['spip_version_branche'], 'spip')) { |
|
| 560 | 559 | $msg[$p] = array(plugin_message_incompatibilite($k['compatibilite'], $GLOBALS['spip_version_branche'], 'SPIP', 'necessite')); |
| 561 | - } |
|
| 562 | - elseif (!$msg[$p] = plugin_necessite($k['necessite'], $liste, 'necessite')) { |
|
| 560 | + } elseif (!$msg[$p] = plugin_necessite($k['necessite'], $liste, 'necessite')) { |
|
| 563 | 561 | $msg[$p] = plugin_necessite($k['utilise'], $liste, 'utilise'); |
| 564 | 562 | } |
| 565 | 563 | } else { |
@@ -1154,10 +1152,12 @@ discard block |
||
| 1154 | 1152 | } |
| 1155 | 1153 | $nom = $nomlower; |
| 1156 | 1154 | // une action vide est une declaration qui ne doit pas etre compilee ! |
| 1157 | - if (!isset($GLOBALS['spip_pipeline'][$nom])) // creer le pipeline eventuel |
|
| 1155 | + if (!isset($GLOBALS['spip_pipeline'][$nom])) { |
|
| 1156 | + // creer le pipeline eventuel |
|
| 1158 | 1157 | { |
| 1159 | 1158 | $GLOBALS['spip_pipeline'][$nom] = ""; |
| 1160 | 1159 | } |
| 1160 | + } |
|
| 1161 | 1161 | if ($action) { |
| 1162 | 1162 | if (strpos($GLOBALS['spip_pipeline'][$nom], "|$prefix$action") === false) { |
| 1163 | 1163 | $GLOBALS['spip_pipeline'][$nom] = preg_replace(",(\|\||$),", "|$prefix$action\\1", |
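Review bot: The braces added at new lines 1155 and 1160 now enclose the old bare block at new lines 1157–1159, so the pipeline initialisation sits inside a redundant nested `{ ... }` that the commit leaves behind. That inner block only existed because the original `if` had no braces; with the outer pair in place it should be dropped, leaving the body as just `// creer le pipeline eventuel` followed by `$GLOBALS['spip_pipeline'][$nom] = "";`. The enclosing function starts and ends outside this hunk.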
@@ -1400,8 +1400,7 @@ discard block |
||
| 1400 | 1400 | if (file_exists($nom)) { |
| 1401 | 1401 | if (substr($nom, -4) == '.php') { |
| 1402 | 1402 | $fichier_tmp = substr($nom, 0, -4) . '.tmp.php'; |
| 1403 | - } |
|
| 1404 | - else { |
|
| 1403 | + } else { |
|
| 1405 | 1404 | $fichier_tmp = $nom . '.tmp'; |
| 1406 | 1405 | } |
| 1407 | 1406 | file_put_contents($fichier_tmp, $contenu); |
@@ -351,11 +351,15 @@ discard block |
||
| 351 | 351 | $erreurs = array(); |
| 352 | 352 | $erreurs = auteur_reset_password($res['id_auteur'], $erreurs); |
| 353 | 353 | if (isset($erreurs['message_ok'])) { |
| 354 | - if (!isset($res['message_ok'])) $res['message_ok'] = ''; |
|
| 354 | + if (!isset($res['message_ok'])) { |
|
| 355 | + $res['message_ok'] = ''; |
|
| 356 | + } |
|
| 355 | 357 | $res['message_ok'] = trim($res['message_ok'] . ' ' . $erreurs['message_ok']); |
| 356 | 358 | } |
| 357 | 359 | if (isset($erreurs['message_erreur']) and $erreurs['message_erreur']) { |
| 358 | - if (!isset($res['message_erreur'])) $res['message_erreur'] = ''; |
|
| 360 | + if (!isset($res['message_erreur'])) { |
|
| 361 | + $res['message_erreur'] = ''; |
|
| 362 | + } |
|
| 359 | 363 | $res['message_erreur'] = trim($res['message_erreur'] . ' ' . $erreurs['message_erreur']); |
| 360 | 364 | } |
| 361 | 365 | } |
@@ -439,8 +443,7 @@ discard block |
||
| 439 | 443 | if (!isset($contexte['lang']) or !$contexte['lang']) { |
| 440 | 444 | if (isset($row['lang']) and $row['lang']) { |
| 441 | 445 | $contexte['lang'] = $row['lang']; |
| 442 | - } |
|
| 443 | - else { |
|
| 446 | + } else { |
|
| 444 | 447 | $contexte['lang'] = $GLOBALS['meta']['langue_site']; |
| 445 | 448 | } |
| 446 | 449 | } |
@@ -512,8 +512,7 @@ |
||
| 512 | 512 | $desc = $trouver_table($table_lien); |
| 513 | 513 | if ($desc and isset($desc['field']['rang_lien'])) { |
| 514 | 514 | $triables[$table_lien] = true; |
| 515 | - } |
|
| 516 | - else { |
|
| 515 | + } else { |
|
| 517 | 516 | $triables[$table_lien] = false; |
| 518 | 517 | } |
| 519 | 518 | } |
@@ -283,8 +283,9 @@ |
||
| 283 | 283 | if (isset($GLOBALS[$var][$code])) { |
| 284 | 284 | $desc->code = $code; |
| 285 | 285 | $desc->module = $module; |
| 286 | - if (isset($GLOBALS['lang_' . $var])) |
|
| 287 | - $desc->langue = $GLOBALS['lang_' . $var]; |
|
| 286 | + if (isset($GLOBALS['lang_' . $var])) { |
|
| 287 | + $desc->langue = $GLOBALS['lang_' . $var]; |
|
| 288 | + } |
|
| 288 | 289 | $desc->texte = $GLOBALS[$var][$code]; |
| 289 | 290 | break; |
| 290 | 291 | } |
@@ -14,8 +14,9 @@ discard block |
||
| 14 | 14 | /* |
| 15 | 15 | * Test utilisateur |
| 16 | 16 | */ |
| 17 | -if (isset($_GET['test_ecran_securite'])) |
|
| 17 | +if (isset($_GET['test_ecran_securite'])) { |
|
| 18 | 18 | $ecran_securite_raison = 'test '._ECRAN_SECURITE; |
| 19 | +} |
|
| 19 | 20 | |
| 20 | 21 | /* |
| 21 | 22 | * Monitoring |
@@ -243,18 +244,21 @@ discard block |
||
| 243 | 244 | * (id_base est une variable de la config des widgets de WordPress) |
| 244 | 245 | */ |
| 245 | 246 | $_exceptions = array('id_table','id_base','id_parent','id_article_pdf'); |
| 246 | -foreach ($_GET as $var => $val) |
|
| 247 | +foreach ($_GET as $var => $val) { |
|
| 247 | 248 | if ($_GET[$var] and strncmp($var, "id_", 3) == 0 |
| 248 | 249 | and !in_array($var, $_exceptions)) |
| 249 | 250 | $_GET[$var] = is_array($_GET[$var])?@array_map('intval', $_GET[$var]):intval($_GET[$var]); |
| 250 | -foreach ($_POST as $var => $val) |
|
| 251 | +} |
|
| 252 | +foreach ($_POST as $var => $val) { |
|
| 251 | 253 | if ($_POST[$var] and strncmp($var, "id_", 3) == 0 |
| 252 | 254 | and !in_array($var, $_exceptions)) |
| 253 | 255 | $_POST[$var] = is_array($_POST[$var])?@array_map('intval', $_POST[$var]):intval($_POST[$var]); |
| 254 | -foreach ($GLOBALS as $var => $val) |
|
| 256 | +} |
|
| 257 | +foreach ($GLOBALS as $var => $val) { |
|
| 255 | 258 | if ($GLOBALS[$var] and strncmp($var, "id_", 3) == 0 |
| 256 | 259 | and !in_array($var, $_exceptions)) |
| 257 | 260 | $GLOBALS[$var] = is_array($GLOBALS[$var])?@array_map('intval', $GLOBALS[$var]):intval($GLOBALS[$var]); |
| 261 | +} |
|
| 258 | 262 | |
| 259 | 263 | /* |
| 260 | 264 | * Interdit la variable $cjpeg_command, qui était utilisée sans |
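Review bot: The three `foreach` loops get braces at new lines 247, 252 and 257, but the `if` inside each (new lines 248–250, 253–255, 258–260) still has an unbraced multi-line body, which is exactly the pattern the rest of this commit removes; the same is left at new lines 415–416 in the `foreach (array('var_login') as $var)` hunk further down. Wrapping each inner body, e.g. `and !in_array($var, $_exceptions)) {` then the assignment then `}`, would make the file consistent with the commit's own convention. This is top-level script code, so no enclosing function is cut by the hunk.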
@@ -266,11 +270,13 @@ discard block |
||
| 266 | 270 | * Contrôle de quelques variables (XSS) |
| 267 | 271 | */ |
| 268 | 272 | foreach(array('lang', 'var_recherche', 'aide', 'var_lang_r', 'lang_r', 'var_ajax_ancre', 'nom_fichier') as $var) { |
| 269 | - if (isset($_GET[$var])) |
|
| 270 | - $_REQUEST[$var] = $GLOBALS[$var] = $_GET[$var] = preg_replace(',[^\w\,/#&;-]+,', ' ', (string)$_GET[$var]); |
|
| 271 | - if (isset($_POST[$var])) |
|
| 272 | - $_REQUEST[$var] = $GLOBALS[$var] = $_POST[$var] = preg_replace(',[^\w\,/#&;-]+,', ' ', (string)$_POST[$var]); |
|
| 273 | -} |
|
| 273 | + if (isset($_GET[$var])) { |
|
| 274 | + $_REQUEST[$var] = $GLOBALS[$var] = $_GET[$var] = preg_replace(',[^\w\,/#&;-]+,', ' ', (string)$_GET[$var]); |
|
| 275 | + } |
|
| 276 | + if (isset($_POST[$var])) { |
|
| 277 | + $_REQUEST[$var] = $GLOBALS[$var] = $_POST[$var] = preg_replace(',[^\w\,/#&;-]+,', ' ', (string)$_POST[$var]); |
|
| 278 | + } |
|
| 279 | + } |
|
| 274 | 280 | |
| 275 | 281 | /* |
| 276 | 282 | * Filtre l'accès à spip_acces_doc (injection SQL en 1.8.2x) |
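Review bot: The closing brace of this `foreach` (new line 279) appears to have gained leading indentation while its opener at line 272 stays at column 0; the removed `}` at old line 273 was unindented. The same shift seems to occur at new line 409 (closing the `if (isset($_REQUEST['page']))` block) and new line 531 (closing the `if (strpos($_SERVER['REQUEST_URI'], "ecrire/") ...)` block). If that is real rather than a rendering artefact, the three braces should go back to column 0 to match their openers.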
@@ -284,41 +290,49 @@ discard block |
||
| 284 | 290 | */ |
| 285 | 291 | if (isset($_REQUEST['mode']) and isset($_REQUEST['page']) |
| 286 | 292 | and !in_array($_REQUEST['mode'], array("6forum", "1comite")) |
| 287 | -and $_REQUEST['page'] == "identifiants") |
|
| 293 | +and $_REQUEST['page'] == "identifiants") { |
|
| 288 | 294 | $ecran_securite_raison = "identifiants"; |
| 295 | +} |
|
| 289 | 296 | |
| 290 | 297 | /* |
| 291 | 298 | * Agenda joue à l'injection php |
| 292 | 299 | */ |
| 293 | 300 | if (isset($_REQUEST['partie_cal']) |
| 294 | -and $_REQUEST['partie_cal'] !== htmlentities((string)$_REQUEST['partie_cal'])) |
|
| 301 | +and $_REQUEST['partie_cal'] !== htmlentities((string)$_REQUEST['partie_cal'])) { |
|
| 295 | 302 | $ecran_securite_raison = "partie_cal"; |
| 303 | +} |
|
| 296 | 304 | if (isset($_REQUEST['echelle']) |
| 297 | -and $_REQUEST['echelle'] !== htmlentities((string)$_REQUEST['echelle'])) |
|
| 305 | +and $_REQUEST['echelle'] !== htmlentities((string)$_REQUEST['echelle'])) { |
|
| 298 | 306 | $ecran_securite_raison = "echelle"; |
| 307 | +} |
|
| 299 | 308 | |
| 300 | 309 | /* |
| 301 | 310 | * Espace privé |
| 302 | 311 | */ |
| 303 | 312 | if (isset($_REQUEST['exec']) |
| 304 | -and !preg_match(',^[\w-]+$,', (string)$_REQUEST['exec'])) |
|
| 313 | +and !preg_match(',^[\w-]+$,', (string)$_REQUEST['exec'])) { |
|
| 305 | 314 | $ecran_securite_raison = "exec"; |
| 315 | +} |
|
| 306 | 316 | if (isset($_REQUEST['cherche_auteur']) |
| 307 | -and preg_match(',[<],', (string)$_REQUEST['cherche_auteur'])) |
|
| 317 | +and preg_match(',[<],', (string)$_REQUEST['cherche_auteur'])) { |
|
| 308 | 318 | $ecran_securite_raison = "cherche_auteur"; |
| 319 | +} |
|
| 309 | 320 | if (isset($_REQUEST['exec']) |
| 310 | 321 | and $_REQUEST['exec'] == 'auteurs' |
| 311 | -and preg_match(',[<],', (string)$_REQUEST['recherche'])) |
|
| 322 | +and preg_match(',[<],', (string)$_REQUEST['recherche'])) { |
|
| 312 | 323 | $ecran_securite_raison = "recherche"; |
| 324 | +} |
|
| 313 | 325 | if (isset($_REQUEST['exec']) |
| 314 | 326 | and $_REQUEST['exec'] == 'info_plugin' |
| 315 | -and preg_match(',[<],', (string)$_REQUEST['plugin'])) |
|
| 327 | +and preg_match(',[<],', (string)$_REQUEST['plugin'])) { |
|
| 316 | 328 | $ecran_securite_raison = "plugin"; |
| 329 | +} |
|
| 317 | 330 | if (isset($_REQUEST['exec']) |
| 318 | 331 | and $_REQUEST['exec'] == 'puce_statut' |
| 319 | 332 | and isset($_REQUEST['id']) |
| 320 | -and !intval($_REQUEST['id'])) |
|
| 333 | +and !intval($_REQUEST['id'])) { |
|
| 321 | 334 | $ecran_securite_raison = "puce_statut"; |
| 335 | +} |
|
| 322 | 336 | if (isset($_REQUEST['action']) |
| 323 | 337 | and $_REQUEST['action'] == 'configurer') { |
| 324 | 338 | if (@file_exists('inc_version.php') |
@@ -343,21 +357,24 @@ discard block |
||
| 343 | 357 | @get_magic_quotes_gpc() ? |
| 344 | 358 | stripslashes(serialize($_REQUEST)) : serialize($_REQUEST), |
| 345 | 359 | chr(0) |
| 346 | -) !== false) |
|
| 360 | +) !== false) { |
|
| 347 | 361 | $ecran_securite_raison = "%00"; |
| 362 | +} |
|
| 348 | 363 | |
| 349 | 364 | /* |
| 350 | 365 | * Bloque les requêtes fond=formulaire_ |
| 351 | 366 | */ |
| 352 | 367 | if (isset($_REQUEST['fond']) |
| 353 | -and preg_match(',^formulaire_,i', $_REQUEST['fond'])) |
|
| 368 | +and preg_match(',^formulaire_,i', $_REQUEST['fond'])) { |
|
| 354 | 369 | $ecran_securite_raison = "fond=formulaire_"; |
| 370 | +} |
|
| 355 | 371 | |
| 356 | 372 | /* |
| 357 | 373 | * Bloque les requêtes du type ?GLOBALS[type_urls]=toto (bug vieux php) |
| 358 | 374 | */ |
| 359 | -if (isset($_REQUEST['GLOBALS'])) |
|
| 375 | +if (isset($_REQUEST['GLOBALS'])) { |
|
| 360 | 376 | $ecran_securite_raison = "GLOBALS[GLOBALS]"; |
| 377 | +} |
|
| 361 | 378 | |
| 362 | 379 | /* |
| 363 | 380 | * Bloque les requêtes des bots sur: |
@@ -370,29 +387,34 @@ discard block |
||
| 370 | 387 | or (isset($_REQUEST['calendrier_annee']) and strpos((string)$_SERVER['REQUEST_URI'], 'debut_') ) |
| 371 | 388 | or (isset($_REQUEST['calendrier_annee']) and preg_match(',[?&]calendrier_annee=.*&calendrier_annee=,', (string)$_SERVER['REQUEST_URI'])) |
| 372 | 389 | ) |
| 373 | -) |
|
| 390 | +) { |
|
| 374 | 391 | $ecran_securite_raison = "robot agenda/double pagination"; |
| 392 | +} |
|
| 375 | 393 | |
| 376 | 394 | /* |
| 377 | 395 | * Bloque une vieille page de tests de CFG (<1.11) |
| 378 | 396 | * Bloque un XSS sur une page inexistante |
| 379 | 397 | */ |
| 380 | 398 | if (isset($_REQUEST['page'])) { |
| 381 | - if ($_REQUEST['page'] == 'test_cfg') |
|
| 382 | - $ecran_securite_raison = "test_cfg"; |
|
| 383 | - if ($_REQUEST['page'] !== htmlspecialchars((string)$_REQUEST['page'])) |
|
| 384 | - $ecran_securite_raison = "xsspage"; |
|
| 399 | + if ($_REQUEST['page'] == 'test_cfg') { |
|
| 400 | + $ecran_securite_raison = "test_cfg"; |
|
| 401 | + } |
|
| 402 | + if ($_REQUEST['page'] !== htmlspecialchars((string)$_REQUEST['page'])) { |
|
| 403 | + $ecran_securite_raison = "xsspage"; |
|
| 404 | + } |
|
| 385 | 405 | if ($_REQUEST['page'] == '404' |
| 386 | - and isset($_REQUEST['erreur'])) |
|
| 387 | - $ecran_securite_raison = "xss404"; |
|
| 388 | -} |
|
| 406 | + and isset($_REQUEST['erreur'])) { |
|
| 407 | + $ecran_securite_raison = "xss404"; |
|
| 408 | + } |
|
| 409 | + } |
|
| 389 | 410 | |
| 390 | 411 | /* |
| 391 | 412 | * XSS par array |
| 392 | 413 | */ |
| 393 | -foreach (array('var_login') as $var) |
|
| 394 | -if (isset($_REQUEST[$var]) and is_array($_REQUEST[$var])) |
|
| 414 | +foreach (array('var_login') as $var) { |
|
| 415 | + if (isset($_REQUEST[$var]) and is_array($_REQUEST[$var])) |
|
| 395 | 416 | $ecran_securite_raison = "xss ".$var; |
| 417 | +} |
|
| 396 | 418 | |
| 397 | 419 | /* |
| 398 | 420 | * Parade antivirale contre un cheval de troie |
@@ -402,18 +424,21 @@ discard block |
||
| 402 | 424 | function tmp_lkojfghx2($a = 0, $b = 0, $c = 0, $d = 0) { |
| 403 | 425 | // si jamais on est arrivé ici sur une erreur php |
| 404 | 426 | // et qu'un autre gestionnaire d'erreur est défini, l'appeller |
| 405 | - if ($b && $GLOBALS['tmp_xhgfjokl']) |
|
| 406 | - call_user_func($GLOBALS['tmp_xhgfjokl'], $a, $b, $c, $d); |
|
| 427 | + if ($b && $GLOBALS['tmp_xhgfjokl']) { |
|
| 428 | + call_user_func($GLOBALS['tmp_xhgfjokl'], $a, $b, $c, $d); |
|
| 429 | + } |
|
| 407 | 430 | } |
| 408 | 431 | } |
| 409 | -if (isset($_POST['tmp_lkojfghx3'])) |
|
| 432 | +if (isset($_POST['tmp_lkojfghx3'])) { |
|
| 410 | 433 | $ecran_securite_raison = "gumblar"; |
| 434 | +} |
|
| 411 | 435 | |
| 412 | 436 | /* |
| 413 | 437 | * Outils XML mal sécurisés < 2.0.9 |
| 414 | 438 | */ |
| 415 | -if (isset($_REQUEST['transformer_xml'])) |
|
| 439 | +if (isset($_REQUEST['transformer_xml'])) { |
|
| 416 | 440 | $ecran_securite_raison = "transformer_xml"; |
| 441 | +} |
|
| 417 | 442 | |
| 418 | 443 | /* |
| 419 | 444 | * Outils XML mal sécurisés again |
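Review bot: `if ($b && $GLOBALS['tmp_xhgfjokl']) {` at new line 427 reads the global without checking that it exists, so when no previous error handler was saved the handler itself would emit an undefined-key diagnostic, which is worth avoiding inside an error handler. `if ($b && !empty($GLOBALS['tmp_xhgfjokl'])) {` keeps the same truthiness test and is silent when the key is absent. The block that wraps `tmp_lkojfghx2` (closed at new line 431) starts outside this hunk.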
@@ -432,11 +457,13 @@ discard block |
||
| 432 | 457 | * Sauvegarde mal securisée < 2.0.9 |
| 433 | 458 | */ |
| 434 | 459 | if (isset($_REQUEST['nom_sauvegarde']) |
| 435 | -and strstr((string)$_REQUEST['nom_sauvegarde'], '/')) |
|
| 460 | +and strstr((string)$_REQUEST['nom_sauvegarde'], '/')) { |
|
| 436 | 461 | $ecran_securite_raison = 'nom_sauvegarde manipulee'; |
| 462 | +} |
|
| 437 | 463 | if (isset($_REQUEST['znom_sauvegarde']) |
| 438 | -and strstr((string)$_REQUEST['znom_sauvegarde'], '/')) |
|
| 464 | +and strstr((string)$_REQUEST['znom_sauvegarde'], '/')) { |
|
| 439 | 465 | $ecran_securite_raison = 'znom_sauvegarde manipulee'; |
| 466 | +} |
|
| 440 | 467 | |
| 441 | 468 | |
| 442 | 469 | /* |
@@ -444,8 +471,9 @@ discard block |
||
| 444 | 471 | * on vérifie 'page' pour ne pas bloquer ... drupal |
| 445 | 472 | */ |
| 446 | 473 | if (isset($_REQUEST['op']) and isset($_REQUEST['page']) |
| 447 | -and $_REQUEST['op'] !== preg_replace('/[^\-\w]/', '', $_REQUEST['op'])) |
|
| 474 | +and $_REQUEST['op'] !== preg_replace('/[^\-\w]/', '', $_REQUEST['op'])) { |
|
| 448 | 475 | $ecran_securite_raison = 'op'; |
| 476 | +} |
|
| 449 | 477 | |
| 450 | 478 | /* |
| 451 | 479 | * Forms & Table ne se méfiait pas assez des uploads de fichiers |
@@ -453,8 +481,9 @@ discard block |
||
| 453 | 481 | if (count($_FILES)){ |
| 454 | 482 | foreach($_FILES as $k => $v){ |
| 455 | 483 | if (preg_match(',^fichier_\d+$,', $k) |
| 456 | - and preg_match(',\.php,i', $v['name'])) |
|
| 457 | - unset($_FILES[$k]); |
|
| 484 | + and preg_match(',\.php,i', $v['name'])) { |
|
| 485 | + unset($_FILES[$k]); |
|
| 486 | + } |
|
| 458 | 487 | } |
| 459 | 488 | } |
| 460 | 489 | /* |
@@ -471,21 +500,24 @@ discard block |
||
| 471 | 500 | * reinstall=oui un peu trop permissif |
| 472 | 501 | */ |
| 473 | 502 | if (isset($_REQUEST['reinstall']) |
| 474 | -and $_REQUEST['reinstall'] == 'oui') |
|
| 503 | +and $_REQUEST['reinstall'] == 'oui') { |
|
| 475 | 504 | $ecran_securite_raison = 'reinstall=oui'; |
| 505 | +} |
|
| 476 | 506 | |
| 477 | 507 | /* |
| 478 | 508 | * Échappement xss referer |
| 479 | 509 | */ |
| 480 | -if (isset($_SERVER['HTTP_REFERER'])) |
|
| 510 | +if (isset($_SERVER['HTTP_REFERER'])) { |
|
| 481 | 511 | $_SERVER['HTTP_REFERER'] = strtr($_SERVER['HTTP_REFERER'], '<>"\'', '[]##'); |
| 512 | +} |
|
| 482 | 513 | |
| 483 | 514 | |
| 484 | 515 | /* |
| 485 | 516 | * Echappement HTTP_X_FORWARDED_HOST |
| 486 | 517 | */ |
| 487 | -if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) |
|
| 518 | +if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) { |
|
| 488 | 519 | $_SERVER['HTTP_X_FORWARDED_HOST'] = strtr($_SERVER['HTTP_X_FORWARDED_HOST'], "<>?\"\{\}\$'` \r\n", '____________'); |
| 520 | +} |
|
| 489 | 521 | |
| 490 | 522 | |
| 491 | 523 | /* |
@@ -493,9 +525,10 @@ discard block |
||
| 493 | 525 | */ |
| 494 | 526 | if (strpos($_SERVER['REQUEST_URI'], "ecrire/") !== false or isset($_REQUEST['var_memotri'])){ |
| 495 | 527 | $zzzz = implode("", array_keys($_REQUEST)); |
| 496 | - if (strlen($zzzz) != strcspn($zzzz, '<>"\'')) |
|
| 497 | - $ecran_securite_raison = 'Cle incorrecte en $_REQUEST'; |
|
| 498 | -} |
|
| 528 | + if (strlen($zzzz) != strcspn($zzzz, '<>"\'')) { |
|
| 529 | + $ecran_securite_raison = 'Cle incorrecte en $_REQUEST'; |
|
| 530 | + } |
|
| 531 | + } |
|
| 499 | 532 | |
| 500 | 533 | /* |
| 501 | 534 | * Injection par connect |
@@ -544,8 +577,9 @@ discard block |
||
| 544 | 577 | /* |
| 545 | 578 | * Bloque les bots quand le load déborde |
| 546 | 579 | */ |
| 547 | -if (!defined('_ECRAN_SECURITE_LOAD')) |
|
| 580 | +if (!defined('_ECRAN_SECURITE_LOAD')) { |
|
| 548 | 581 | define('_ECRAN_SECURITE_LOAD', 4); |
| 582 | +} |
|
| 549 | 583 | |
| 550 | 584 | if ( |
| 551 | 585 | defined('_ECRAN_SECURITE_LOAD') |
@@ -3385,8 +3385,7 @@ |
||
| 3385 | 3385 | $balise_svg = inserer_attribut($balise_svg, 'aria-labelledby', $id); |
| 3386 | 3386 | $title = "<title id=\"$id\">" . entites_html($alt)."</title>\n"; |
| 3387 | 3387 | $balise_svg .= $title; |
| 3388 | - } |
|
| 3389 | - else { |
|
| 3388 | + } else { |
|
| 3390 | 3389 | $balise_svg = inserer_attribut($balise_svg, 'aria-hidden', 'true'); |
| 3391 | 3390 | } |
| 3392 | 3391 | $svg = str_replace($balise_svg_source, $balise_svg, $svg); |