[Mapbender-commits] r10077 - in trunk/mapbender: core http/php
svn_mapbender at osgeo.org
svn_mapbender at osgeo.org
Tue Mar 19 01:19:53 PDT 2019
Author: armin11
Date: 2019-03-19 01:19:53 -0700 (Tue, 19 Mar 2019)
New Revision: 10077
Modified:
trunk/mapbender/core/httpRequestSecurity.php
trunk/mapbender/core/system.php
trunk/mapbender/http/php/mod_showMetadata.php
Log:
Simple extension to test the URLs of HTTP requests and make them robust against XSS attacks
Modified: trunk/mapbender/core/httpRequestSecurity.php
===================================================================
--- trunk/mapbender/core/httpRequestSecurity.php 2019-03-19 08:17:24 UTC (rev 10076)
+++ trunk/mapbender/core/httpRequestSecurity.php 2019-03-19 08:19:53 UTC (rev 10077)
@@ -2,7 +2,7 @@
//some security tests for mapbender php scripts to prevent xss attacks
//TBD - extend them ;-)
if (strpos($_SERVER['PHP_SELF'],'<script>') !== false ) {
- echo "Invested a XSS attack to $phpScriptName - script stopped executing!";
+ echo "Mapbender invested a XSS attack to $phpScriptName - script stopped executing!";
die();
}
//parse url
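Review bot: The guard on the first context line of this hunk rejects only the exact lowercase literal `<script>` inside `$_SERVER['PHP_SELF']`, so it is a narrow denylist rather than a fix for reflected PHP_SELF output; the robust mitigation is to never echo `$_SERVER['PHP_SELF']` unescaped, i.e. use `htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8')` (or `$_SERVER['SCRIPT_NAME']`) at the output sites and keep this check as defence in depth. The reworded message still says "invested", which presumably means "detected"; the same wording is repeated in the second hunk of this file. Proposed text: `echo "Mapbender detected a possible XSS attempt on $phpScriptName - script stopped executing!";`. `$phpScriptName` is interpolated into the response here, which is safe only if it is derived server-side (from `__FILE__` or similar); this hunk does not show where it comes from, so that is worth confirming.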
@@ -16,7 +16,7 @@
//echo $phpScriptName."<br>";
//echo json_encode(endsWith($_SERVER['PHP_SELF'], $phpScriptName))."<br>";
if (!endsWith($_SERVER['PHP_SELF'], $phpScriptName)) {
- echo "Invested a XSS attack to $phpScriptName - script stopped executing!";
+ echo "Mapbender invested a XSS attack to $phpScriptName - script stopped executing!";
die();
}
#https://stackoverflow.com/questions/834303/startswith-and-endswith-functions-in-php
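Review bot: Both rejection branches in this file end with `die()` after a plain `echo`, so a blocked request is answered with HTTP 200 and leaves no server-side trace, which makes the check invisible to monitoring and incident response. Suggested lines before `die();` here and in the first hunk: `http_response_code(400);` and `error_log('httpRequestSecurity: rejected PHP_SELF ' . $_SERVER['PHP_SELF']);`. The `endsWith` comparison is the effective check of this file, since it rejects any PHP_SELF that does not terminate in the expected script name whatever was appended; the helper itself and the derivation of `$phpScriptName` lie outside this hunk.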
Modified: trunk/mapbender/core/system.php
===================================================================
--- trunk/mapbender/core/system.php 2019-03-19 08:17:24 UTC (rev 10076)
+++ trunk/mapbender/core/system.php 2019-03-19 08:19:53 UTC (rev 10077)
@@ -27,7 +27,7 @@
#
define("MB_VERSION_NUMBER", "2.8trunk");
define("MB_VERSION_APPENDIX", "");
-define("MB_RELEASE_DATE", mktime(0,0,0,8,15,2018));//h, min,sec,month,day,year
+define("MB_RELEASE_DATE", mktime(0,0,0,3,19,2019));//h, min,sec,month,day,year
#
# constants from map.js
@@ -107,6 +107,10 @@
throw new Exception("This path is not allowed! '$path'");
}
}
+/*
+ * @security_patch XSS
+ */
+include_once dirname(__FILE__) . "/httpRequestSecurity.php";
/*
* @security_patch Helper
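Review bot: The new include on the last added line uses `include_once`, which on a missing or unreadable `httpRequestSecurity.php` only emits a warning and lets the request continue without the check; a security gate should be `require_once dirname(__FILE__) . "/httpRequestSecurity.php";` so that failure is fatal rather than silent. The `@security_patch XSS` comment would be more useful if it said what the include does, e.g. `* Aborts the request when PHP_SELF does not end with the executing script name (see httpRequestSecurity.php).` The function closed just above the insertion and the Helper block below both continue outside the hunk.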
Modified: trunk/mapbender/http/php/mod_showMetadata.php
===================================================================
--- trunk/mapbender/http/php/mod_showMetadata.php 2019-03-19 08:17:24 UTC (rev 10076)
+++ trunk/mapbender/http/php/mod_showMetadata.php 2019-03-19 08:19:53 UTC (rev 10077)
@@ -26,12 +26,6 @@
require_once(dirname(__FILE__)."/../classes/class_owsConstraints.php");
require_once dirname(__FILE__) . "/../../tools/wms_extent/extent_service.conf";
require_once dirname(__FILE__) . "/../extensions/phpqrcode/phpqrcode.php";
-
-if (strpos($_SERVER['PHP_SELF'],'<script>') !== false ) {
- echo "Invested a XSS attack - script stopped executing!";
- die();
-}
-
//GET:
//resource: wms, layer, wfs, featuretype, wfs-conf, wmc
//id: integer