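<?php
/**
 * Update script for the Upkeep AddOn (v1.4.0+).
 *
 * Delegates table and configuration maintenance to install.php, then applies
 * the data migrations install.php does not cover:
 *  - v2.2.2: replaces the over-broad default mail-security patterns
 *    (meta / link / form / data-URI) with narrower ones that only match the
 *    dangerous variants;
 *  - normalises badword rows of category "german_spam" whose severity is
 *    missing or outside the allowed set.
 *
 * Every migration step is wrapped in its own try/catch and reports failures
 * through rex_logger, so a failing data fix does not abort the addon update.
 */

// install.php creates/updates all tables and the default configuration.
require_once __DIR__ . '/install.php';

// v2.2.2: refine the mail-security default patterns.
//
// Each entry describes one over-broad pattern row to rewrite:
//  like        - SQL LIKE needle that identifies the old (broad) pattern,
//  exclude     - SQL LIKE needle present only in the already refined pattern,
//                so the step is idempotent on repeated updates,
//  pattern     - the narrower regex to store,
//  description - the new description,
//  log         - the log line written once the row has been rewritten.
$patternRefinements = [
    [
        'like' => '%<meta[^>]*>%i',
        'exclude' => '%http-equiv%',
        'pattern' => '/<meta[^>]*http-equiv\s*=\s*["\']?(refresh|set-cookie|content-security-policy)["\']?[^>]*>/i',
        'description' => 'Meta HTTP-Equiv Injection',
        'log' => 'Mail Security: Meta-Tag Pattern verfeinert (nur gefährliche http-equiv)',
    ],
    [
        'like' => '%<link[^>]*>%i',
        'exclude' => '%rel%',
        'pattern' => '/<link[^>]*rel\s*=\s*["\']?(import|preload|prefetch)["\']?[^>]*>/i',
        'description' => 'Link Import Injection',
        'log' => 'Mail Security: Link-Tag Pattern verfeinert (nur import/preload/prefetch)',
    ],
    [
        'like' => '%<form[^>]*>%i',
        'exclude' => '%action%',
        'pattern' => '/<form[^>]*action\s*=\s*["\']?https?:\/\/[^"\'>\s]+["\']?[^>]*>/i',
        'description' => 'External Form Action Injection',
        'log' => 'Mail Security: Form-Tag Pattern verfeinert (nur externe Actions)',
    ],
    [
        'like' => '%data:%[^,]*,%i',
        'exclude' => '%text/%',
        'pattern' => '/data:\s*text\/(html|javascript)/i',
        'description' => 'Data URI HTML/JS Injection',
        'log' => 'Mail Security: Data-URI Pattern verfeinert (nur HTML/JS)',
    ],
];

try {
    $sql = rex_sql::factory();
    $patternTable = rex::getTable('upkeep_mail_default_patterns');

    foreach ($patternRefinements as $refinement) {
        // The LIKE needles are bound as parameters instead of being inlined
        // as double-quoted SQL literals, so the query no longer depends on
        // the server's ANSI_QUOTES setting and needs no manual escaping.
        $sql->setQuery(
            'SELECT id FROM ' . $patternTable . ' WHERE pattern LIKE ? AND pattern NOT LIKE ?',
            [$refinement['like'], $refinement['exclude']]
        );
        if ($sql->getRows() === 0) {
            continue;
        }

        // Only the first matching row is rewritten (as in the original
        // per-pattern blocks); the seed data presumably holds a single row
        // per pattern family — verify against install.php.
        $updateSql = rex_sql::factory();
        $updateSql->setTable($patternTable);
        $updateSql->setWhere(['id' => $sql->getValue('id')]);
        $updateSql->setValue('pattern', $refinement['pattern']);
        $updateSql->setValue('description', $refinement['description']);
        $updateSql->setValue('updated_at', date('Y-m-d H:i:s'));
        $updateSql->update();

        rex_logger::factory()->log('info', $refinement['log']);
    }
} catch (Exception $e) {
    rex_logger::factory()->log('error', 'Mail Security Pattern Update Error: ' . $e->getMessage());
}

// Fix badword rows of category "german_spam" whose severity is NULL or not
// one of the allowed values; they are reset to "medium".
try {
    $sql = rex_sql::factory();
    $badwordTable = rex::getTable('upkeep_mail_badwords');
    $validSeverities = ['low', 'medium', 'high', 'critical'];

    // Shared WHERE clause for both the count and the update, built with
    // positional placeholders so the severity list and category are bound.
    $placeholders = implode(', ', array_fill(0, count($validSeverities), '?'));
    $invalidWhere = 'category = ? AND (severity IS NULL OR severity NOT IN (' . $placeholders . '))';
    $whereParams = array_merge(['german_spam'], $validSeverities);

    $sql->setQuery('SELECT COUNT(*) as count FROM ' . $badwordTable . ' WHERE ' . $invalidWhere, $whereParams);
    $count = (int) $sql->getValue('count');

    if ($count > 0) {
        // NOTE(review): updated_at is set with MySQL NOW() here, while the
        // pattern step above uses PHP date(); the two can differ when PHP and
        // the DB session use different time zones — confirm which is intended.
        $sql->setQuery(
            'UPDATE ' . $badwordTable . ' SET severity = "medium", updated_at = NOW() WHERE ' . $invalidWhere,
            $whereParams
        );

        rex_logger::factory()->log('info', 'Mail Security: ' . $count . ' Badwords mit ungültigen Severity-Werten korrigiert');
    }
} catch (Exception $e) {
    rex_logger::factory()->log('error', 'Mail Security Badwords Update Error: ' . $e->getMessage());
}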