vulnerability fixed and cleanup and refactor
+89
-14
@@ -5,22 +5,97 @@
|
||||
## Filename Protection.php ##
|
||||
## Developed by: SlimShady ##
|
||||
## Edited by: Dzoki & Dixie ##
|
||||
## Enterprise hardening by Shadow ##
|
||||
## License: TravianZ Project ##
|
||||
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
//heef npc uitzondering omdat die met speciaal $_post werken
|
||||
if(isset($_POST)){
|
||||
if(!isset($_POST['ft'])){
|
||||
//$_POST = @array_map('mysqli_real_escape_string', $_POST);
|
||||
$_POST = array_map('htmlspecialchars', $_POST);
|
||||
}
|
||||
/*
|
||||
|--------------------------------------------------------------------------
|
||||
| Enterprise Superglobal Sanitizer
|
||||
|--------------------------------------------------------------------------
|
||||
| - Does NOT corrupt numeric values
|
||||
| - Recursive array support
|
||||
| - Keeps rsargs intact
|
||||
| - Does not break AJAX
|
||||
| - Does not break NPC
|
||||
| - Prevents XSS vectors
|
||||
|--------------------------------------------------------------------------
|
||||
*/
|
||||
|
||||
if(!function_exists('secure_input_recursive')) {
|
||||
|
||||
function secure_input_recursive($data) {
|
||||
|
||||
if(is_array($data)) {
|
||||
|
||||
$clean = array();
|
||||
|
||||
foreach($data as $key => $value) {
|
||||
$clean[$key] = secure_input_recursive($value);
|
||||
}
|
||||
|
||||
return $clean;
|
||||
}
|
||||
|
||||
if(is_numeric($data)) {
|
||||
return $data;
|
||||
}
|
||||
|
||||
if(is_string($data)) {
|
||||
|
||||
// remove null bytes
|
||||
$data = str_replace("\0", '', $data);
|
||||
|
||||
// trim whitespace
|
||||
$data = trim($data);
|
||||
|
||||
// basic XSS protection
|
||||
$data = htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
|
||||
|
||||
return $data;
|
||||
}
|
||||
|
||||
return $data;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
|--------------------------------------------------------------------------
|
||||
| Preserve rsargs (used by SAJAX)
|
||||
|--------------------------------------------------------------------------
|
||||
*/
|
||||
|
||||
$rsargs_backup = null;
|
||||
|
||||
if(isset($_GET['rsargs'])) {
|
||||
$rsargs_backup = $_GET['rsargs'];
|
||||
}
|
||||
|
||||
/*
|
||||
|--------------------------------------------------------------------------
|
||||
| Sanitize superglobals safely
|
||||
|--------------------------------------------------------------------------
|
||||
*/
|
||||
|
||||
if(!empty($_POST)) {
|
||||
$_POST = secure_input_recursive($_POST);
|
||||
}
|
||||
|
||||
if(!empty($_GET)) {
|
||||
$_GET = secure_input_recursive($_GET);
|
||||
}
|
||||
|
||||
if(!empty($_COOKIE)) {
|
||||
$_COOKIE = secure_input_recursive($_COOKIE);
|
||||
}
|
||||
|
||||
/*
|
||||
|--------------------------------------------------------------------------
|
||||
| Restore rsargs if needed
|
||||
|--------------------------------------------------------------------------
|
||||
*/
|
||||
|
||||
if($rsargs_backup !== null) {
|
||||
$_GET['rsargs'] = $rsargs_backup;
|
||||
}
|
||||
$rsargs=$_GET['rsargs'];
|
||||
//$_GET = array_map('mysqli_real_escape_string', $_GET);
|
||||
$_GET = array_map('htmlspecialchars', $_GET);
|
||||
$_GET['rsargs']=$rsargs;
|
||||
//$_COOKIE = array_map('mysqli_real_escape_string', $_COOKIE);
|
||||
$_COOKIE = array_map('htmlspecialchars', $_COOKIE);
|
||||
?>
|
||||
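Review bot: The old flat sanitizers — `$_POST = array_map('htmlspecialchars', $_POST);` near the top of the hunk and the `$_GET`/`$_COOKIE` `array_map('htmlspecialchars', …)` calls at its end — appear in the rendered file alongside the new `secure_input_recursive()` pass; if they really survive on the new side (the page has lost the +/- markers, so this is inferred), every value is encoded twice (`&` becomes `&amp;amp;`) and any nested array reaches `htmlspecialchars` as an array, which is a TypeError on PHP 8. Those three lines should be dropped so the recursive sanitizer is the single pass over the superglobals. The `rsargs` backup/restore deliberately hands the raw query value back to SAJAX, so I would state that at the restore site: `// rsargs is intentionally left unsanitized; the SAJAX dispatcher must validate the function name and arguments itself`. HTML-encoding at input time is output encoding, not SQL protection — the commented-out `mysqli_real_escape_string` lines show that was the original concern, and it is only addressed by parameterized queries at the query sites. As rendered, the `if(isset($_POST)){` opened near the top has no visible matching brace within the hunk, which is probably the same lost-marker artefact rather than a real syntax error.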