vulnerability fixed and cleanup and refactor

Catalin Novgorodschi
2026-02-11 15:11:43 +02:00
parent db3d9bfff1
commit 2a44e76414
21 changed files with 6089 additions and 5441 deletions
+89 -14
@@ -5,22 +5,97 @@
## Filename Protection.php ##
## Developed by: SlimShady ##
## Edited by: Dzoki & Dixie ##
## Enterprise hardening by Shadow ##
## License: TravianZ Project ##
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
## ##
#################################################################################
//heef npc uitzondering omdat die met speciaal $_post werken
if(isset($_POST)){
if(!isset($_POST['ft'])){
//$_POST = @array_map('mysqli_real_escape_string', $_POST);
$_POST = array_map('htmlspecialchars', $_POST);
}
/*
|--------------------------------------------------------------------------
| Enterprise Superglobal Sanitizer
|--------------------------------------------------------------------------
| - Does NOT corrupt numeric values
| - Recursive array support
| - Keeps rsargs intact
| - Does not break AJAX
| - Does not break NPC
| - Prevents XSS vectors
|--------------------------------------------------------------------------
*/
if(!function_exists('secure_input_recursive')) {
function secure_input_recursive($data) {
if(is_array($data)) {
$clean = array();
foreach($data as $key => $value) {
$clean[$key] = secure_input_recursive($value);
}
return $clean;
}
if(is_numeric($data)) {
return $data;
}
if(is_string($data)) {
// remove null bytes
$data = str_replace("\0", '', $data);
// trim whitespace
$data = trim($data);
// basic XSS protection
$data = htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
return $data;
}
return $data;
}
}
/*
|--------------------------------------------------------------------------
| Preserve rsargs (used by SAJAX)
|--------------------------------------------------------------------------
*/
$rsargs_backup = null;
if(isset($_GET['rsargs'])) {
$rsargs_backup = $_GET['rsargs'];
}
/*
|--------------------------------------------------------------------------
| Sanitize superglobals safely
|--------------------------------------------------------------------------
*/
if(!empty($_POST)) {
$_POST = secure_input_recursive($_POST);
}
if(!empty($_GET)) {
$_GET = secure_input_recursive($_GET);
}
if(!empty($_COOKIE)) {
$_COOKIE = secure_input_recursive($_COOKIE);
}
/*
|--------------------------------------------------------------------------
| Restore rsargs if needed
|--------------------------------------------------------------------------
*/
if($rsargs_backup !== null) {
$_GET['rsargs'] = $rsargs_backup;
}
$rsargs=$_GET['rsargs'];
//$_GET = array_map('mysqli_real_escape_string', $_GET);
$_GET = array_map('htmlspecialchars', $_GET);
$_GET['rsargs']=$rsargs;
//$_COOKIE = array_map('mysqli_real_escape_string', $_COOKIE);
$_COOKIE = array_map('htmlspecialchars', $_COOKIE);
?>