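/**
 * Run the sh404SEF request-level security checks for the current request.
 *
 * Order of checks: IP white/black list, user-agent white/black list,
 * anti-flood (full check, clients white-listed by neither list), then the
 * query string — url-decoded one level per pass and scanned after every
 * pass until it stops changing (more than 10 passes is itself reported) —
 * and, on a full check only, the POST data and the Project Honey Pot lookup.
 * Every positive finding is handed to shDoRestrictedAccess() as
 * "<finding> in URL" / "<finding> in POST"; nothing here depends on
 * whether that call returns.
 *
 * @param string $query     Query string to inspect; when empty, $_SERVER['QUERY_STRING'] is used.
 * @param bool   $fullCheck false on a second pass: skips anti-flood, POST and Honey Pot checks.
 *
 * @return string|null '' when security is disabled, null otherwise; callers should not rely on it.
 */
function shDoSecurityChecks($query = '', $fullCheck = true)
{
    $sefConfig = Sh404sefFactory::getConfig();
    if (!$sefConfig->shSecEnableSecurity) {
        return '';
    }

    if (!empty($query)) {
        $shQuery = $query;
    } else {
        $shQuery = empty($_SERVER['QUERY_STRING']) ? '' : $_SERVER['QUERY_STRING'];
    }

    // Client identity used by the list, flood and honey pot checks.
    $ip = empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR'];
    $uAgent = empty($_SERVER['HTTP_USER_AGENT']) ? '' : $_SERVER['HTTP_USER_AGENT'];

    // Reports a finding as "<finding> in <where>"; a falsy finding means "clean".
    $deny = static function ($finding, $where) {
        if ($finding) {
            shDoRestrictedAccess($finding . ' in ' . $where);
        }
    };

    // ip White/Black listing: the white list takes precedence over the black list.
    $shWhiteListedIp = shCheckIPList($ip, $sefConfig->ipWhiteList);
    if (!$shWhiteListedIp && shCheckIPList($ip, $sefConfig->ipBlackList)) {
        shDoRestrictedAccess('Blacklisted IP');
    }

    // UserAgent White/Black listing, same precedence.
    $whiteListedUAgent = shCheckUAgentList($uAgent, $sefConfig->uAgentWhiteList);
    if (!$whiteListedUAgent && shCheckUAgentList($uAgent, $sefConfig->uAgentBlackList)) {
        shDoRestrictedAccess('BlackListed user agent');
    }

    // Anti-flood only applies to clients white-listed by neither IP nor user agent.
    if (!$shWhiteListedIp && !$whiteListedUAgent && $fullCheck) {
        shDoAntiFloodCheck($ip);
    }

    // url content checks: decode one level per pass and scan the result, so that
    // content hidden behind several layers of percent-encoding is still inspected.
    $halt = 0;
    while (true) {
        $last = $shQuery;
        $shQuery = urldecode($shQuery);
        // NOTE(review): as written this replacement is a no-op ('&' -> '&'). It reads like
        // an '&amp;' -> '&' normalisation whose entity was lost in transit — confirm upstream.
        $shQuery = str_replace('&', '&', $shQuery);

        $deny(shCheckConfigVars($shQuery), 'URL');
        $deny(shCheckBase64($shQuery), 'URL');
        $deny(shCheckScripts($shQuery), 'URL');
        $deny(shCheckStandardVars($_GET), 'URL');
        $deny(shCheckImgTxtCmd($shQuery), 'URL');

        // Stable: one more decode changed nothing, so every layer has been scanned.
        // Strict comparison: '==' compares numeric-looking strings numerically.
        if ($shQuery === $last) {
            break;
        }
        if (++$halt > 10) {
            // Runaway check. URI has been seriously compromised.
            shDoRestrictedAccess('Multiple level of url encode');
        }
    }

    if (!$fullCheck) {
        return; // don't check POST and/or Honey pot if second check
    }

    // check POST variables
    if ($sefConfig->shSecCheckPOSTData) {
        $deny(shCheckStandardVars($_POST), 'POST');

        // Scan every scalar leaf of $_POST as "name=value". Nested arrays (name[sub]=...)
        // are walked as well: concatenating an array value only yields the literal
        // string "Array" and would leave its contents unscanned.
        $pending = [];
        foreach ($_POST as $key => $value) {
            $pending[] = [$key, $value];
        }
        for ($i = 0; $i < count($pending); $i++) {
            $name = $pending[$i][0];
            $value = $pending[$i][1];
            if (is_array($value)) {
                foreach ($value as $subKey => $subValue) {
                    $pending[] = [$name . '[' . $subKey . ']', $subValue];
                }
                continue;
            }
            $pair = $name . '=' . $value;
            $deny(shCheckConfigVars($pair), 'POST');
            $deny(shCheckBase64($pair), 'POST');
            $deny(shCheckScripts($pair), 'POST');
            $deny(shCheckImgTxtCmd($pair), 'POST');
        }
    }

    // do Project Honey Pot check
    if (!$shWhiteListedIp && $sefConfig->shSecCheckHoneyPot) {
        shDoHoneyPotCheck($ip);
    }
}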
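/**
 * Run the sh404SEF request-level security checks for the current request
 * (variant reading its configuration through shRouter::shGetConfig()).
 *
 * Order of checks: IP white/black list, anti-flood (full check, non
 * white-listed IPs only), the query string — url-decoded one level per
 * pass and scanned after every pass until it stops changing (more than 10
 * passes is itself reported) — user-agent white/black list and, on a full
 * check only, the POST data and the Project Honey Pot lookup.
 * Every positive finding is handed to shDoRestrictedAccess() as
 * "<finding> in URL" / "<finding> in POST"; nothing here depends on
 * whether that call returns.
 *
 * @param string $query     Query string to inspect; when empty, $_SERVER['QUERY_STRING'] is used.
 * @param bool   $fullCheck false on a second pass: skips anti-flood, POST and Honey Pot checks.
 *
 * @return string|null '' when security is disabled, null otherwise; callers should not rely on it.
 */
function shDoSecurityChecks($query = '', $fullCheck = true)
{
    $sefConfig = shRouter::shGetConfig();
    if (!$sefConfig->shSecEnableSecurity) {
        return '';
    }

    if (!empty($query)) {
        $shQuery = $query;
    } else {
        $shQuery = empty($_SERVER['QUERY_STRING']) ? '' : $_SERVER['QUERY_STRING'];
    }

    // Client identity used by the list, flood and honey pot checks.
    $ip = empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR'];
    $uAgent = empty($_SERVER['HTTP_USER_AGENT']) ? '' : $_SERVER['HTTP_USER_AGENT'];

    // Reports a finding as "<finding> in <where>"; a falsy finding means "clean".
    $deny = static function ($finding, $where) {
        if ($finding) {
            shDoRestrictedAccess($finding . ' in ' . $where);
        }
    };

    // ip White/Black listing: the white list takes precedence over the black list.
    $shWhiteListedIp = shCheckIPList($ip, $sefConfig->ipWhiteList);
    if (!$shWhiteListedIp && shCheckIPList($ip, $sefConfig->ipBlackList)) {
        shDoRestrictedAccess('Blacklisted IP');
    }

    if (!$shWhiteListedIp && $fullCheck) {
        shDoAntiFloodCheck($ip);
    }

    // bad content in query string: a single urldecode() only strips one layer of
    // percent-encoding, so decode and scan repeatedly until the string is stable.
    $halt = 0;
    while (true) {
        $last = $shQuery;
        $shQuery = urldecode($shQuery);
        // NOTE(review): as written this replacement is a no-op ('&' -> '&'). It reads like
        // an '&amp;' -> '&' normalisation whose entity was lost in transit — confirm upstream.
        $shQuery = str_replace('&', '&', $shQuery);

        $deny(shCheckConfigVars($shQuery), 'URL');
        $deny(shCheckBase64($shQuery), 'URL');
        $deny(shCheckScripts($shQuery), 'URL');
        $deny(shCheckStandardVars($_GET), 'URL');
        $deny(shCheckImgTxtCmd($shQuery), 'URL');

        // Stable: one more decode changed nothing, so every layer has been scanned.
        // Strict comparison: '==' compares numeric-looking strings numerically.
        if ($shQuery === $last) {
            break;
        }
        if (++$halt > 10) {
            // Runaway check: this many encoding layers is treated as an attack.
            shDoRestrictedAccess('Multiple level of url encode');
        }
    }

    // UserAgent White/Black listing, same precedence as the IP lists.
    if (!shCheckUAgentList($uAgent, $sefConfig->uAgentWhiteList)
        && shCheckUAgentList($uAgent, $sefConfig->uAgentBlackList)) {
        shDoRestrictedAccess('BlackListed user agent');
    }

    if (!$fullCheck) {
        return; // don't check POST and/or Honey pot if second check
    }

    // check POST variables
    if ($sefConfig->shSecCheckPOSTData) {
        // Whole-array check is independent of the key being visited: run it once, not per key.
        $deny(shCheckStandardVars($_POST), 'POST');

        // Scan every scalar leaf of $_POST as "name=value". Nested arrays (name[sub]=...)
        // are walked as well: concatenating an array value only yields the literal
        // string "Array" and would leave its contents unscanned.
        $pending = [];
        foreach ($_POST as $key => $value) {
            $pending[] = [$key, $value];
        }
        for ($i = 0; $i < count($pending); $i++) {
            $name = $pending[$i][0];
            $value = $pending[$i][1];
            if (is_array($value)) {
                foreach ($value as $subKey => $subValue) {
                    $pending[] = [$name . '[' . $subKey . ']', $subValue];
                }
                continue;
            }
            $pair = $name . '=' . $value;
            $deny(shCheckConfigVars($pair), 'POST');
            $deny(shCheckBase64($pair), 'POST');
            $deny(shCheckScripts($pair), 'POST');
            $deny(shCheckImgTxtCmd($pair), 'POST');
        }
    }

    // do Project Honey Pot check
    if (!$shWhiteListedIp && $sefConfig->shSecCheckHoneyPot) {
        shDoHoneyPotCheck($ip);
    }
}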