[Mapbender-commits] r10076 - trunk/mapbender/core
svn_mapbender at osgeo.org
svn_mapbender at osgeo.org
Tue Mar 19 01:17:24 PDT 2019
Author: armin11
Date: 2019-03-19 01:17:24 -0700 (Tue, 19 Mar 2019)
New Revision: 10076
Added:
trunk/mapbender/core/httpRequestSecurity.php
Log:
Simple extension to test urls of http requests
Added: trunk/mapbender/core/httpRequestSecurity.php
===================================================================
--- trunk/mapbender/core/httpRequestSecurity.php (rev 0)
+++ trunk/mapbender/core/httpRequestSecurity.php 2019-03-19 08:17:24 UTC (rev 10076)
@@ -0,0 +1,26 @@
+<?php
+//some security tests for mapbender php scripts to prevent xss attacks
+//TBD - extend them ;-)
+if (strpos($_SERVER['PHP_SELF'],'<script>') !== false ) {
+ echo "Invested a XSS attack to $phpScriptName - script stopped executing!";
+ die();
+}
+//parse url
+//get pathes and other things after script name that are not path related and kick them off!
+//echo $_SERVER['PHP_SELF']."<br>";
+//echo $_SERVER['REQUEST_URI']."<br>";
+//echo $_SERVER['SCRIPT_NAME']."<br>";
+//test ob php_self auf script_name ended!
+//get last string
+$phpScriptName = end(explode("/", $_SERVER['SCRIPT_NAME']));
+//echo $phpScriptName."<br>";
+//echo json_encode(endsWith($_SERVER['PHP_SELF'], $phpScriptName))."<br>";
+if (!endsWith($_SERVER['PHP_SELF'], $phpScriptName)) {
+ echo "Invested a XSS attack to $phpScriptName - script stopped executing!";
+ die();
+}
+#https://stackoverflow.com/questions/834303/startswith-and-endswith-functions-in-php
+function endsWith($haystack, $needle) {
+ return substr($haystack,-strlen($needle))===$needle;
+}
+?>
More information about the Mapbender_commits
mailing list