Current Directory: /home/astoriaah/www/old15/plugins/system/admintools/feature
Viewing File: /home/astoriaah/www/old15/plugins/system/admintools/feature/wafblacklist.php
<?php
/**
* @package AdminTools
* @copyright Copyright (c)2010-2015 Nicholas K. Dionysopoulos
* @license GNU General Public License version 3, or later
*/
defined('_JEXEC') or die;
class AtsystemFeatureWafblacklist extends AtsystemFeatureAbstract
{
protected $loadOrder = 25;
/**
* Is this feature enabled?
*
* @return bool
*/
public function isEnabled()
{
return true;
}
/**
* Filters visitor access using WAF blacklist rules
*/
public function onAfterInitialise()
{
$db = $this->db;
$method = array($db->q(''), $db->q(strtoupper($_SERVER['REQUEST_METHOD'])));
$option = array($db->q(''));
$view = array($db->q(''));
$task = array($db->q(''));
if($this->input->getCmd('option', ''))
{
$option[] = $db->q($this->input->getCmd('option', ''));
}
if($this->input->getCmd('view', ''))
{
$view[] = $db->q($this->input->getCmd('view', ''));
}
if($this->input->getCmd('task', ''))
{
$task[] = $db->q($this->input->getCmd('task', ''));
}
// Let's get the rules for the current input values or the empty ones
$query = $db->getQuery(true)
->select('*')
->from($db->qn('#__admintools_wafblacklists'))
->where($db->qn('verb').' IN('.implode(',', $method).')')
->where($db->qn('option').' IN('.implode(',', $option).')')
->where($db->qn('view').' IN('.implode(',', $view).')')
->where($db->qn('task').' IN('.implode(',', $task).')')
->group($db->qn('query'))
->order($db->qn('query') . ' ASC');
;
try
{
$rules = $db->setQuery($query)->loadObjectList();
}
catch(Exception $e)
{
return;
}
if(!$rules)
{
return;
}
// I can't use JInput since it will fetch data from cookies, too.
$get = new F0FInput('get');
$post = new F0FInput('post');
// Ok, let's analyze all the matching rules
$block = false;
foreach($rules as $rule)
{
// Empty query => block everything for this VERB/OPTION/VIEW/TASK combination
if(!$rule->query)
{
$block = true;
break;
}
// I have to run two different loops, otherwise I could mask with a valid GET request a malicious POST one
// First of all let's check the GET request
foreach($get->getData() as $key => $value)
{
$found = false;
if($rule->query_type == 'P')
{
if(stripos($key, $rule->query) !== false)
{
$found = true;
}
}
elseif($rule->query_type == 'R')
{
if(@preg_match($rule->query, $key))
{
$found = true;
}
}
else
{
if($key == $rule->query)
{
$found = true;
}
}
// Ok, the query parameter is set, do I have any specific rule about the content?
if($found)
{
// Empty => always block, no matter what
if(!$rule->query_content)
{
$block = true;
break 2;
}
// I have to run a regex on the value
if(@preg_match($rule->query_content, $value))
{
$block = true;
break 2;
}
}
}
// Now it's time to check the POST request
foreach($post->getData() as $key => $value)
{
$found = false;
if($rule->query_type == 'P')
{
if(stripos($key, $rule->query) !== false)
{
$found = true;
}
}
elseif($rule->query_type == 'R')
{
if(@preg_match($rule->query, $key))
{
$found = true;
}
}
else
{
if($key == $rule->query)
{
$found = true;
}
}
// Ok, the query parameter is set, do I have any specific rule about the content?
if($found)
{
// Empty => always block, no matter what
if(!$rule->query_content)
{
$block = true;
break 2;
}
// I have to run a regex on the value
if(@preg_match($rule->query_content, $value))
{
$block = true;
break 2;
}
}
}
}
if($block)
{
$this->exceptionsHandler->blockRequest('wafblacklist');
}
}
}