* ------------------
*/
-define('_ECRAN_SECURITE', '1.3.1'); // 2017-05-31
+define('_ECRAN_SECURITE', '1.3.8'); // 2018-10-31
/*
* Documentation : http://www.spip.net/fr_article4200.html
if (!defined('_IS_BOT')){
define('_IS_BOT',
isset($_SERVER['HTTP_USER_AGENT'])
- and preg_match(
- // mots generiques
- ',bot|slurp|crawler|spider|webvac|yandex|'
- // MSIE 6.0 est un botnet 99,9% du temps, on traite donc ce USER_AGENT comme un bot
- . 'MSIE 6\.0|'
- // UA plus cibles
- . '80legs|accoona|AltaVista|ASPSeek|Baidu|Charlotte|EC2LinkFinder|eStyle|facebookexternalhit|flipboard|hootsuite|FunWebProducts|Google|Genieo|INA dlweb|InfegyAtlas|Java VM|LiteFinder|Lycos|MegaIndex|MetaURI|Moreover|Rambler|Scrapy|Scooter|ScrubbyBloglines|Yahoo|Yeti'
- . ',i', (string)$_SERVER['HTTP_USER_AGENT'])
+ and preg_match(','
+ . implode ('|', array(
+ // mots generiques
+ 'bot',
+ 'slurp',
+ 'crawler',
+ 'spider',
+ 'webvac',
+ 'yandex',
+ 'MSIE 6\.0', // botnet 99,9% du temps
+ // UA plus cibles
+ '200please',
+ '80legs',
+ 'a6-indexer',
+ 'aboundex',
+ 'accoona',
+ 'addthis',
+ 'adressendeutschland',
+ 'alexa',
+ 'altavista',
+ 'analyticsseo',
+ 'archive',
+ 'aspseek',
+ 'baidu',
+ 'begunadvertising',
+ 'bingpreview',
+ 'bloglines',
+ 'browsershots',
+ 'bubing',
+ 'butterfly',
+ 'changedetection',
+ 'charlotte',
+ 'chilkat',
+ 'china',
+ 'coccoc',
+ 'crowsnest',
+ 'dataminr',
+ 'daumoa',
+ 'dlweb',
+ 'ec2linkfinder',
+ 'estyle',
+ 'ezooms',
+ 'facebookexternalhit',
+ 'facebookplatform',
+ 'fairshare',
+ 'feedfetcher',
+ 'feedfetcher-google',
+ 'feedly',
+ 'fetch',
+ 'flipboardproxy',
+ 'genieo',
+ 'google',
+ 'grapeshot',
+ 'hatena-useragent',
+ 'head',
+ 'hosttracker',
+ 'hubspot',
+ 'ia_archiver',
+ 'ichiro',
+ 'iltrovatore-setaccio',
+ 'immediatenet',
+ 'ina',
+ 'infegyatlas',
+ 'infohelfer',
+ 'instapaper',
+ 'jabse',
+ 'james',
+ 'kumkie',
+ 'linkdex',
+ 'linkfluence',
+ 'linkwalker',
+ 'litefinder',
+ 'loadimpactpageanalyzer',
+ 'luminate',
+ 'lycos',
+ 'lycosa',
+ 'mediapartners-google',
+ 'msai',
+ 'najdi',
+ 'netcraftsurveyagent',
+ 'netestate',
+ 'netseer',
+ 'nuhk',
+ 'owlin',
+ 'panscient',
+ 'parsijoo',
+ 'plukkie',
+ 'proximic',
+ 'qirina',
+ 'qualidator',
+ 'rambler',
+ 'readability',
+ 'sbsearch',
+ 'scooter',
+ 'scrapy',
+ 'scrubby',
+ 'scrubbybloglines',
+ 'shareaholic',
+ 'shopwiki',
+ 'sistrix',
+ 'sitechecker',
+ 'siteexplorer',
+ 'sogou',
+ 'special_archiver',
+ 'speedy',
+ 'spinn3r',
+ 'spreadtrum',
+ 'steeler',
+ 'subscriber',
+ 'suma',
+ 'superdownloads',
+ 'svenska-webbsido',
+ 'teoma',
+ 'thumbshots',
+ 'tineye',
+ 'trendiction',
+ 'tweetedtimes',
+ 'tweetmeme',
+ 'uaslinkchecker',
+ 'undrip',
+ 'unwindfetchor',
+ 'vedma',
+ 'vkshare',
+ 'vm',
+ 'wch',
+ 'webalta',
+ 'webcookies',
+ 'webthumbnail',
+ 'wesee',
+ 'wise-guys',
+ 'woko',
+ 'wotbox',
+ 'y!j-bri',
+ 'y!j-bro',
+ 'y!j-brw',
+ 'y!j-bsc',
+ 'yahoo',
+ 'yahoo!',
+ 'yahooysmcm',
+ 'yats',
+ 'yeti',
+ 'zeerch'
+ )) . ',i',
+ (string)$_SERVER['HTTP_USER_AGENT'])
);
}
if (!defined('_IS_BOT_FRIEND')){
define('_IS_BOT_FRIEND',
isset($_SERVER['HTTP_USER_AGENT'])
- and preg_match(','
- // UA plus cibles
- . 'facebookexternalhit'
- . ',i', (string)$_SERVER['HTTP_USER_AGENT'])
+ and preg_match(',' . implode ('|', array(
+ 'facebookexternalhit',
+ 'flipboardproxy'
+ )) . ',i',
+ (string)$_SERVER['HTTP_USER_AGENT'])
);
}
$url = trim($_REQUEST['var_url']);
if (strncmp($url,'/',1)==0
or (($p=strpos($url,'..'))!==false AND strpos($url,'..',$p+3)!==false)
+ or (($p=strpos($url,'..'))!==false AND strpos($url,'IMG',$p+3)!==false)
or (strpos($url,'://')!==false or strpos($url,':\\')!==false)) {
$ecran_securite_raison = 'URL interdite pour var_url';
}
if (isset($_SERVER['HTTP_REFERER']))
$_SERVER['HTTP_REFERER'] = strtr($_SERVER['HTTP_REFERER'], '<>"\'', '[]##');
+
+/*
+ * Echappement HTTP_X_FORWARDED_HOST
+ */
+if (isset($_SERVER['HTTP_X_FORWARDED_HOST']))
+ $_SERVER['HTTP_X_FORWARDED_HOST'] = strtr($_SERVER['HTTP_X_FORWARDED_HOST'], "<>?\"\{\}\$'` \r\n", '____________');
+
+
/*
* Réinjection des clés en html dans l'admin r19561
*/