source: admin/csp_report.php @ 3482:19587901f38a

Visit:

Revision 3482:19587901f38a, 3.4 KB checked in by franck <carnet.franck.paul@…>, 9 years ago (diff)
Avoid some PHP notices

Line
1	<?php
2	// From: https://github.com/nico3333fr/CSP-useful
3	//
4	// Note: this script requires PHP ≥ 5.4.
5	// Inspired from https://mathiasbynens.be/notes/csp-reports
6
7	// Dareboost wants it? Not a problem.
8	header('X-Content-Type-Options: "nosniff"');
9
10	require dirname(__FILE__).'/../inc/admin/prepend.php';
11
12	// Specify admin CSP log file if necessary
13	if (!defined('LOGFILE')) {
14	define('LOGFILE',path::real(DC_VAR).'/csp/csp_report.json');
15	}
16
17	// Get the raw POST data
18	$data = file_get_contents('php://input');
19
20	// Only continue if it’s valid JSON that is not just `null`, `0`, `false` or an
21	// empty string, i.e. if it could be a CSP violation report.
22	if ($data = json_decode($data,true)) {
23
24	// get source-file and blocked-URI to perform some tests
25	$source_file = isset($data['csp-report']['source-file']) ? $data['csp-report']['source-file'] : '';
26	$line_number = isset($data['csp-report']['line-number']) ? $data['csp-report']['line-number'] : '';
27	$blocked_uri = isset($data['csp-report']['blocked-uri']) ? $data['csp-report']['blocked-uri'] : '';
28	$document_uri = isset($data['csp-report']['document-uri']) ? $data['csp-report']['document-uri'] : '';
29	$violated_directive = isset($data['csp-report']['violated-directive']) ? $data['csp-report']['violated-directive'] : '';
30
31	if (
32	// avoid false positives notifications coming from Chrome extensions (Wappalyzer, MuteTab, etc.)
33	// bug here https://code.google.com/p/chromium/issues/detail?id=524356
34	strpos($source_file, 'chrome-extension://') === false
35
36	// avoid false positives notifications coming from Safari extensions (diigo, evernote, etc.)
37	&& strpos($source_file, 'safari-extension://') === false
38	&& strpos($blocked_uri, 'safari-extension://') === false
39
40	// search engine extensions ?
41	&& strpos($source_file, 'se-extension://') === false
42
43	// added by browsers in webviews
44	&& strpos($blocked_uri, 'webviewprogressproxy://') === false
45
46	// Google Search App see for details https://github.com/nico3333fr/CSP-useful/commit/ecc8f9b0b379ae643bc754d2db33c8b47e185fd1
47	&& strpos($blocked_uri, 'gsa://onpageload') === false
48
49	) {
50	// Prepare report data (hash => info)
51	$hash = hash('md5',$blocked_uri.$document_uri.$source_file.$line_number.$violated_directive);
52
53	try {
54	// Check report dir (create it if necessary)
55	files::makeDir(dirname(LOGFILE),true);
56
57	// Check if report is not already stored in log file
58	$contents = '';
59	if (file_exists(LOGFILE)) {
60	$contents = file_get_contents(LOGFILE);
61	if ($contents && $contents != '') {
62	if (substr($contents,-1) == ',') {
63	// Remove final comma if present
64	$contents = substr($contents,0,-1);
65	}
66	if ($contents != '') {
67	$list = json_decode('['.$contents.']',true);
68	if (is_array($list)) {
69	foreach ($list as $idx => $value) {
70	if (isset($value['hash']) && $value['hash'] == $hash) {
71	// Already stored, ignore
72	return;
73	}
74	}
75	}
76	}
77	}
78	}
79
80	// Add report to the file
81	if (!($fp = @fopen(LOGFILE,'a'))) {
82	// Unable to open file, ignore
83	return;
84	}
85
86	// Prettify the JSON-formatted data
87	$violation = array_merge(array('hash' => $hash),$data['csp-report']);
88	$output = json_encode($violation,JSON_PRETTY_PRINT \| JSON_UNESCAPED_SLASHES);
89
90	// The file content will have to be enclosed in brackets [] before
91	// beeing decoded with json_decoded(<content>,true);
92	fprintf($fp,($contents != '' ? ',' : '').'%s',$output);
93
94	} catch (Exception $e) {
95	return;
96	}
97	}
98	}

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: admin/csp_report.php @ 3482:19587901f38a

Download in other formats:

Sites map