File Manager

Current Directory: /home/astoriaah/www/old15/plugins/system/admintools/feature
Viewing File: /home/astoriaah/www/old15/plugins/system/admintools/feature/wafblacklist.php
<?php /** * @package AdminTools * @copyright Copyright (c)2010-2015 Nicholas K. Dionysopoulos * @license GNU General Public License version 3, or later */ defined('_JEXEC') or die; class AtsystemFeatureWafblacklist extends AtsystemFeatureAbstract { protected $loadOrder = 25; /** * Is this feature enabled? * * @return bool */ public function isEnabled() { return true; } /** * Filters visitor access using WAF blacklist rules */ public function onAfterInitialise() { $db = $this->db; $method = array($db->q(''), $db->q(strtoupper($_SERVER['REQUEST_METHOD']))); $option = array($db->q('')); $view = array($db->q('')); $task = array($db->q('')); if($this->input->getCmd('option', '')) { $option[] = $db->q($this->input->getCmd('option', '')); } if($this->input->getCmd('view', '')) { $view[] = $db->q($this->input->getCmd('view', '')); } if($this->input->getCmd('task', '')) { $task[] = $db->q($this->input->getCmd('task', '')); } // Let's get the rules for the current input values or the empty ones $query = $db->getQuery(true) ->select('*') ->from($db->qn('#__admintools_wafblacklists')) ->where($db->qn('verb').' IN('.implode(',', $method).')') ->where($db->qn('option').' IN('.implode(',', $option).')') ->where($db->qn('view').' IN('.implode(',', $view).')') ->where($db->qn('task').' IN('.implode(',', $task).')') ->group($db->qn('query')) ->order($db->qn('query') . ' ASC'); ; try { $rules = $db->setQuery($query)->loadObjectList(); } catch(Exception $e) { return; } if(!$rules) { return; } // I can't use JInput since it will fetch data from cookies, too. $get = new F0FInput('get'); $post = new F0FInput('post'); // Ok, let's analyze all the matching rules $block = false; foreach($rules as $rule) { // Empty query => block everything for this VERB/OPTION/VIEW/TASK combination if(!$rule->query) { $block = true; break; } // I have to run two different loops, otherwise I could mask with a valid GET request a malicious POST one // First of all let's check the GET request foreach($get->getData() as $key => $value) { $found = false; if($rule->query_type == 'P') { if(stripos($key, $rule->query) !== false) { $found = true; } } elseif($rule->query_type == 'R') { if(@preg_match($rule->query, $key)) { $found = true; } } else { if($key == $rule->query) { $found = true; } } // Ok, the query parameter is set, do I have any specific rule about the content? if($found) { // Empty => always block, no matter what if(!$rule->query_content) { $block = true; break 2; } // I have to run a regex on the value if(@preg_match($rule->query_content, $value)) { $block = true; break 2; } } } // Now it's time to check the POST request foreach($post->getData() as $key => $value) { $found = false; if($rule->query_type == 'P') { if(stripos($key, $rule->query) !== false) { $found = true; } } elseif($rule->query_type == 'R') { if(@preg_match($rule->query, $key)) { $found = true; } } else { if($key == $rule->query) { $found = true; } } // Ok, the query parameter is set, do I have any specific rule about the content? if($found) { // Empty => always block, no matter what if(!$rule->query_content) { $block = true; break 2; } // I have to run a regex on the value if(@preg_match($rule->query_content, $value)) { $block = true; break 2; } } } } if($block) { $this->exceptionsHandler->blockRequest('wafblacklist'); } } }