IEUrlExtension.php

Go to the documentation of this file.

<?php
class IEUrlExtension {
    public static function areServerVarsBad( $vars, $extWhitelist = array() ) {
        // Check QUERY_STRING or REQUEST_URI
        if ( isset( $vars['SERVER_SOFTWARE'] )
            && isset( $vars['REQUEST_URI'] )
            && self::haveUndecodedRequestUri( $vars['SERVER_SOFTWARE'] ) )
        {
            $urlPart = $vars['REQUEST_URI'];
        } elseif ( isset( $vars['QUERY_STRING'] ) ) {
            $urlPart = $vars['QUERY_STRING'];
        } else {
            $urlPart = '';
        }

        if ( self::isUrlExtensionBad( $urlPart, $extWhitelist ) ) {
            return true;
        }

        // Some servers have PATH_INFO but not REQUEST_URI, so we check both
        // to be on the safe side.
        if ( isset( $vars['PATH_INFO'] )
            && self::isUrlExtensionBad( $vars['PATH_INFO'], $extWhitelist ) )
        {
            return true;
        }

        // All checks passed
        return false;
    }

    public static function isUrlExtensionBad( $urlPart, $extWhitelist = array() ) {
        if ( strval( $urlPart ) === '' ) {
            return false;
        }

        $extension = self::findIE6Extension( $urlPart );
        if ( strval( $extension ) === '' ) {
            // No extension or empty extension
            return false;
        }

        if ( in_array( $extension, array( 'php', 'php5' ) ) ) {
            // Script extension, OK
            return false;
        }
        if ( in_array( $extension, $extWhitelist ) ) {
            // Whitelisted extension
            return false;
        }

        if ( !preg_match( '/^[a-zA-Z0-9_-]+$/', $extension ) ) {
            // Non-alphanumeric extension, unlikely to be registered.
            //
            // The regex above is known to match all registered file extensions
            // in a default Windows XP installation. It's important to allow
            // extensions with ampersands and percent signs, since that reduces
            // the number of false positives substantially.
            return false;
        }

        // Possibly bad extension
        return true;
    }

    public static function fixUrlForIE6( $url, $extWhitelist = array() ) {
        $questionPos = strpos( $url, '?' );
        if ( $questionPos === false ) {
            $beforeQuery = $url . '?';
            $query = '';
        } elseif ( $questionPos === strlen( $url ) - 1 ) {
            $beforeQuery = $url;
            $query = '';
        } else {
            $beforeQuery = substr( $url, 0, $questionPos + 1 );
            $query = substr( $url, $questionPos + 1 );
        }

        // Multiple question marks cause problems. Encode the second and
        // subsequent question mark.
        $query = str_replace( '?', '%3E', $query );
        // Append an invalid path character so that IE6 won't see the end of the
        // query string as an extension
        $query .= '&*';
        // Put the URL back together
        $url = $beforeQuery . $query;
        if ( self::isUrlExtensionBad( $url, $extWhitelist ) ) {
            // Avoid a redirect loop
            return false;
        }
        return $url;
    }

    public static function findIE6Extension( $url ) {
        $pos = 0;
        $hashPos = strpos( $url, '#' );
        if ( $hashPos !== false ) {
            $urlLength = $hashPos;
        } else {
            $urlLength = strlen( $url );
        }
        $remainingLength = $urlLength;
        while ( $remainingLength > 0 ) {
            // Skip ahead to the next dot
            $pos += strcspn( $url, '.', $pos, $remainingLength );
            if ( $pos >= $urlLength ) {
                // End of string, we're done
                return false;
            }

            // We found a dot. Skip past it
            $pos++;
            $remainingLength = $urlLength - $pos;

            // Check for illegal characters in our prospective extension,
            // or for another dot
            $nextPos = $pos + strcspn( $url, "<>\\\"/:|?*.", $pos, $remainingLength );
            if ( $nextPos >= $urlLength ) {
                // No illegal character or next dot
                // We have our extension
                return substr( $url, $pos, $urlLength - $pos );
            }
            if ( $url[$nextPos] === '?' ) {
                // We've found a legal extension followed by a question mark
                // If the extension is NOT exe, dll or cgi, return it
                $extension = substr( $url, $pos, $nextPos - $pos );
                if ( strcasecmp( $extension, 'exe' ) && strcasecmp( $extension, 'dll' ) &&
                    strcasecmp( $extension, 'cgi' ) )
                {
                    return $extension;
                }
                // Else continue looking
            }
            // We found an illegal character or another dot
            // Skip to that character and continue the loop
            $pos = $nextPos;
            $remainingLength = $urlLength - $pos;
        }
        return false;
    }

    public static function haveUndecodedRequestUri( $serverSoftware ) {
        static $whitelist = array(
            'Apache',
            'Zeus',
            'LiteSpeed' );
        if ( preg_match( '/^(.*?)($|\/| )/', $serverSoftware, $m ) ) {
            return in_array( $m[1], $whitelist );
        } else {
            return false;
        }
    }

}