Система безопасности и фильтровки данных

/*задаём основные настройки и стерлизацию*/
 
$usehtaccessbans = 1;# 1 = изменить .htaccess запретить IP-адреса, 0 = не запрещать IP-адреса.
$filterGETvars = 1;# 1 = стерилизовать HTML-теги в GET переменных, 0 = нет
$filterCOOKIEvars = 1; # 1 = стерилизовать HTML-теги в Cookie переменных, 0 = не
$filterPOSTvars = 0; # 1 = стерилизовать HTML-теги в POST переменных, 0 = не
$extraPOSTprotection = 1; # 1 = использовать дополнительную защиту POST, 0 = не
$extraGETprotection = 0; # 1 = использовать дополнительную защиту GET, 0 = не (не рекомендуется!)
$checkmultiPOST = 1; # 1 = разрешить только maxmultiPOST число последовательных сообщений, 0 = не волнует,
$maxmultiPOST = 4; # Максимальное количество операций POST подряд, если checkmultipost включен.
$zipcompress = 0; # 1 = Сжимать-страниц с использованием библиотеки GZIP (меньшую пропускную способность, что выше, CPU), 0 = нет
$compresslevel = 9; # Уровень сжатия для zipcompressing от 1 (низкая) до 9 (максимум)
$cpuloadmonitor = 0; # 1 = блокировать доступ, если в течение определенного загрузки системы, 0 = нет
$cpumaxload = 10,0; # Максимальная 5 минут средняя загрузка системы перед блокированием доступа
$ccisessionpath = ""; # Если не пустой, задает путь к каталогу для хранения файлов сессий.
 
/* шифрования и кодирование переменных*/
$javababble = 0; # 1 = использовать кодировку / Шифрование (должен быть включен любой), 0 = нет
$javaencrypt = 0; # У фактического Шифрование HTML, а не только избежать (предупреждение: может замедлить дисплей)
$preservehead = 0; # 1 = Только кодирования / шифрования между телом теги, 0 = кодирование / шифрование весь документ
/*Проверить в-Script переопределения*/
 
if (isset($zipoverride)) {
  if (!isset($_REQUEST["zipoverride"])) {
    $zipcompress = $zipoverride;
    unset($zipoverride);
  }
}
 
if (isset($babbleoverride)) {
  if (!isset($_REQUEST["babbleoverride"])) {
    $javababble = $babbleoverride;
    unset($babbleoverride);
  }
}
 
##################
#
# Function: CCIJavaBabble
#
# Usage: Takes some HTML, url-encodes it (jumbles it) then returns the javascript needed to display it properly.
#
##################
 
function CCIJavaBabble($myoutput) {
  global $mycrypto, $myalpha2, $javaencrypt, $preservehead;
  $s = $myoutput;
  $s = ereg_replace("\n","",$s);
 
  if ($preservehead) {  
    eregi("(^.+<body[^>]*>)",$s,$chunks);
    $outputstring = $chunks[1];
    eregi_replace($headpart,"",$s);
 
    eregi("(</body[^>]*>.*)",$s,$chunks);
    $outputend = $chunks[1];
    eregi_replace($footpart,"",$s);
  } else {
    $outputstring = "";
    $outputend = "";
  }
 
  if ($javaencrypt) {
    $s = strtr($s,$myalpha2,$mycrypto);
    $s = rawurlencode($s);
    $outputstring .= "<script>var cc=unescape('$s'); ";
    $outputstring .= "var index = document.cookie.indexOf('" . md5($_SERVER["REMOTE_ADDR"] . $_SERVER["SERVER_ADDR"]) . "='); " .
      "var aa = '$myalpha2'; " .
      "if (index > -1) { " .
      "  index = document.cookie.indexOf('=', index) + 1; " .
      "  var endstr = document.cookie.indexOf(';', index); " .
      "  if (endstr == -1) endstr = document.cookie.length; " .
      "  var bb = unescape(document.cookie.substring(index, endstr)); " .
      "} " .
      "cc = cc.replace(/[$myalpha2]/g,function(str) { return aa.substr(bb.indexOf(str),1) }); document.write(cc);";
  } else {
    $outputstring .= "<script>document.write(unescape('" . rawurlencode($s) . "'));";
  }
  $outputstring .= "</script><noscript>You must enable Javascript in order to view this webpage.</noscript>" . $outputend;
 
  return $outputstring;
}
 
##################
#
# Function: CCIClearSession
#
# Format: CCIClearSession()
# Returns: Nothing
#
# Usage: Clears all the data out of the session record other than data used for this script
#
##################
 
function CCIClearSession() {
  $getvariables = array_keys($_SESSION);
  $count = 0;
  while($count < count($getvariables)) {
    if (substr($getvariables[$count],0,7) != "ccisec-") {
      session_unregister($getvariables[$count]); 
      if (ini_get('register_globals')) unset($$getvariables[$count]);
    }
    $count++;
  }
}
 
##################
#
# Function: CCIBanIP
#
# Format: CCIBanIP(IPAddress)
# Returns: Nothing
#
# Usage: Will open and add a deny line to the .htaccess file in the same directory to deny all
#        accessing by a given IP address.
#
##################
 
function CCIBanIP($banip) {
  $filelocation = ".htaccess";
  $limitend = "# End of CCI Security Section\n";
  $newline = "deny from $banip\n";
  if (file_exists($filelocation)) {
    $mybans = file($filelocation);
    $lastline = "";
    if (in_array($newline,$mybans)) exit();
    if (in_array($limitend,$mybans)) {      
      $i = count($mybans)-1;
      while ($mybans[$i] != $limitend) {
        $lastline = array_pop($mybans) . $lastline;
        $i--;
      }
      $lastline = array_pop($mybans) . $lastline;
      $lastline = array_pop($mybans) . $lastline;
      $lastline = array_pop($mybans) . $lastline;
      array_push($mybans,$newline,$lastline);
    } else {
      array_push($mybans,"\n\n# CCI Security Script\n","<Limit GET POST>\n","order allow,deny\n",$newline,"allow from all\n","</Limit>\n",$limitend);
    }
  } else {
    $mybans = array("# CCI Security Script\n","<Limit GET POST>\n","order allow,deny\n",$newline,"allow from all\n","</Limit>\n",$limitend);
  }  
  $myfile = fopen($filelocation,"w");
  fwrite($myfile,implode($mybans,""));
  fclose($myfile);
 
}
 
##################
#
# Function: CCIFloodCheck
#
# Format: CCIFloodCheck("identifier",interval,threshold)
# Returns: 1 if requested without minimum interval, a threshold number of times.  0 if not.
#
# Usage: For functions that require flood control pass a unique identifier, the minimum number of
#        seconds that should be waited between repeats of the function, and a number of times that
#        function can be called too quickly before it sets off the flood trapping.
#
##################
 
function CCIFloodCheck($identifier,$interval,$threshold=1) {
  $myresult = 0;
  if (isset($_SESSION["ccisec-" . $identifier])) {
    if ($_SESSION["ccisec-" . $identifier] > (time()-$interval)) {
      if ($threshold<2) {
        $myresult = 1;
      } else {
        if (!isset($_SESSION["ccisec-" . $identifier . "-counter"])) {
          $_SESSION["ccisec-" . $identifier . "-counter"] = 1;
        } else {
          $_SESSION["ccisec-" . $identifier . "-counter"]++;
          if ($_SESSION["ccisec-" . $identifier . "-counter"] >= $threshold) {
            $myresult = 1;
          }
        }
      }
    }
    $_SESSION["ccisec-" . $identifier] = time();
  }
  return $myresult; 
}
 
################################################################################
 
srand(time());
if (eregi("ccisecurity\.php",$_SERVER["SCRIPT_NAME"])) exit();
 
if ($ccisessionpath != "") session_save_path($ccisessionpath);
session_name(md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"] . "CCI"));
 
ini_set("session.use_only_cookies","1");
ini_set("session.use_trans_sid","0");
 
if (($zipcompress) && (eregi("gzip",$_SERVER["HTTP_ACCEPT_ENCODING"]))) {
  ini_set("zlib.output_compression","On");
  ini_set("zlib.output_compression_level",$compresslevel);
  ob_start("ob_gzhandler"); 
}
if ($javababble) {
  if ($javaencrypt) {
    $myalpha = array_merge(range("a","z"),range("A","Z"),range("0","9"));
    $myalpha2 = implode("",$myalpha);
    shuffle($myalpha);
    $mycrypto = implode("",$myalpha);
    setcookie(md5($_SERVER["REMOTE_ADDR"] . $_SERVER["SERVER_ADDR"]),$mycrypto);
    unset($myalpha);
  }
  ob_start("cciJavaBabble");
}
 
if (substr_count($_SERVER["SERVER_NAME"],".")>1) {
  $cookiedomain = eregi_replace("^[^\.]+\.",".",$_SERVER["SERVER_NAME"]);
} else $cookiedomain = "." . $_SERVER["SERVER_NAME"];
 
$ip = $_SERVER["REMOTE_ADDR"];
$mykeyname = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] . "CCI");
$myposthashname = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"] . $_SERVER["PATH"] . "CCI");
 
$myhash = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] . 
$_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] . 
$_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] . "X");
 
$mysession = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"]);
session_id($mysession);
session_start();
 
if (!isset($_SESSION["ccisec-errors"])) $_SESSION["ccisec-errors"] = 0;
if ($_SESSION["ccisec-errors"]>=10) {
  CCIBanIP($ip);
  exit();
}
 
if ($_SESSION["ccisec-myhash"] != $myhash) {
  $_SESSION["ccisec-myhash"] = $myhash;
  $_SESSION["ccisec-errors"]++;
  session_write_close();
  Header("Location: http:// . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
  exit();
}
 
if ((!isset($_COOKIE[$mykeyname])) || ($_COOKIE[$mykeyname] != $myhash)) {
 
  if (!isset($_SESSION["ccisec-nocookie"])) {
    $_SESSION["ccisec-nocookie"] = 1;
  } else {
    $_SESSION["ccisec-nocookie"]++;
  }
 
  if (($usehtaccessbans) && ($_SESSION["ccisec-nocookie"]>10)) CCIBanIP($ip);
 
  setcookie($mykeyname,$myhash,0,"/",$cookiedomain);
 
  if ($_SESSION["ccisec-nocookie"]>2) {
    echo "<b><h1>Access Denied</h1><br><br>You must enable cookies in order to access this website.  Please do so before returning, as continued attempts to access without cookies may result in a banning of this ip ($ip).</b>";
    session_write_close();
exit();
  } 
  if ($extraGETprotection) {
    $_SESSION["ccisec-hash"] = md5(uniqid(time()));
    setcookie($myposthashname,$_SESSION["ccisec-hash"],0,"/",$cookiedomain);  
  } 
  CCIClearSession();  
  session_write_close();
  Header("Location: http:// . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
  exit();
} else $_SESSION["ccisec-nocookie"] = 0;
 
if (($usehtaccessbans) && ($_SESSION["ccisec-fastaccesses"]>40)) CCIBanIP($ip);
 
if ($_SESSION["ccisec-fastaccesses"]>10) {
  if ((time()-60) < $_SESSION["ccisec-lastaccess"]) {
    echo "<b><h1>Access Denied</h1><br><br>There have been too many rapid requests from this IP address ($ip).  You must now wait a full 60 seconds before accessing this site again.</b>";
    $_SESSION["ccisec-fastaccesses"]++;
    $_SESSION["ccisec-lastaccess"]=time();
    exit();
  }
}
 
if (!isset($_SESSION["ccisec-lastaccess"])) {
  $_SESSION["ccisec-lastaccess"]=time();
} else {
  if ((time()-2) < $_SESSION["ccisec-lastaccess"]) {
    if (!isset($_SESSION["ccisec-fastaccesses"])) $_SESSION["ccisec-fastaccesses"] = 0;
    $_SESSION["ccisec-fastaccesses"]++;
  } else {
    $_SESSION["ccisec-fastaccesses"] = 0;
  }
  $_SESSION["ccisec-lastaccess"]=time();
}
 
if ($_SERVER["REQUEST_METHOD"] == "POST") {
 
  if ($checkmultiPOST) {
    if (($_SESSION["ccisec-lastoperation"] == "POST") && ($_SESSION["ccisec-opcount"] >= $maxmultiPOST)) {
      echo "<b><h1>Access Denied</h1><br><br>You may not make multiple POST operations in sequence - please return to the website and try again.</b>";
      $_SESSION["ccisec-errors"]++;
      exit(); 
    }
  }     
 
  if ($extraPOSTprotection) {
    if ((!isset($_COOKIE[$myposthashname])) || ($_COOKIE[$myposthashname] != $_SESSION["ccisec-hash"])) {
      echo "<b><h1>Access Denied</h1><br><br>Your browser did not send the correct security data needed to complete a POST operation.  Make sure that you have cookies enabled and then try again, or contact the administration if you feel you are receiving this message in error.</b>";
      $_SESSION["ccisec-errors"]++;
      exit();
    }
  }
} else if (($extraGETprotection) && ($_SERVER["REQUEST_METHOD"] == "GET")) {
  if ((!isset($_COOKIE[$myposthashname])) || ($_COOKIE[$myposthashname] != $_SESSION["ccisec-hash"])) {
    echo "<b><h1>Access Denied</h1><br><br>Your browser did not send the correct security data needed to complete a GET operation.  Make sure that you have cookies enabled and then try again, or contact the administration if you feel you are receiving this message in error.</b>";
    $_SESSION["ccisec-errors"]++;
    exit();
  }
} else if ($_SERVER["REQUEST_METHOD"] != "GET") {
  exit();
}
 
if (($extraPOSTprotection) || ($extraGETprotection)) {
  srand(time());
  $_SESSION["ccisec-hash"] = md5(uniqid(time()));
  setcookie($myposthashname,$_SESSION["ccisec-hash"],0,"/",$cookiedomain);
}
 
if ($_SESSION["ccisec-lastoperation"] == $_SERVER["REQUEST_METHOD"]) {
  if (!isset($_SESSION["ccisec-opcount"])) {
    $_SESSION["ccisec-opcount"] = 1;
  } else {
    $_SESSION["ccisec-opcount"]++;
  }
} else $_SESSION["ccisec-lastoperation"] = $_SERVER["REQUEST_METHOD"];
 
# Make special characters safe in any GET based cgi variables.
 
if ($filterGETvars) {
  $getvariables = array_keys($_GET);
  $count = 0;
  while($count < count($getvariables)) {
    $_GET[$getvariables[$count]] = htmlspecialchars($_GET[$getvariables[$count]]);
    if (ini_get('register_globals')) $$getvariables[$count] = $_GET[$getvariables[$count]];
    $count++;
  }
}
 
if ($filterPOSTvars) {
  $getvariables = array_keys($_POST);
  $count = 0;
  while($count < count($getvariables)) {
    $_POST[$getvariables[$count]] = htmlspecialchars($_POST[$getvariables[$count]]);
    if (ini_get('register_globals')) $$getvariables[$count] = $_POST[$getvariables[$count]];
    $count++;
  }
}
 
if ($filterCOOKIEvars) {
  $getvariables = array_keys($_COOKIE);
  $count = 0;
  while($count < count($getvariables)) {
    $_COOKIE[$getvariables[$count]] = htmlspecialchars($_COOKIE[$getvariables[$count]]);
    if (ini_get('register_globals')) $$getvariables[$count] = $_COOKIE[$getvariables[$count]];
    $count++;
  }
}
 
if ($cpuloadmonitor) {
  $myshelldata = shell_exec("uptime");
  $myshelldata = eregi_replace(".*average.*: ","",$myshelldata);
  $myshelldata = eregi_replace(", .*","",$myshelldata);
  if ($myshelldata >= $cpumaxload) {
    echo "<b><h1>Access Denied</h1><br><br>The server is currently too busy to serve your request.  We apologize for the inconvenience.</b>";  
    exit();
  }
  unset($myshelldata);
}
 
unset($count);
unset($getvariables);
unset($ip);
unset($cookiedomain);
unset($mykeyname);
unset($myposthashname);
unset($myhash);
unset($mysession);
 
$_SESSION["ccisec-errors"] = 0;
if (connection_aborted()) exit();