<?php
/*
Redaxo-Addon HTTP-Header
Boot (weitere Konfigurationen)
v1.1.3
by Falko Müller @ 2021-2023
package: redaxo5
*/
// Package identifier of this addon; used to namespace its permission, its
// file path and its config below.
$mypage = $this->getProperty('package');

// Register the addon's base permission. Only meaningful in the backend with a
// logged-in user; frontend requests have no user and no permission system.
if (rex::isBackend() && is_object(rex::getUser())) {
    rex_perm::register($mypage.'[]');
}

// Admin flag for whatever consumes it later (nothing in this file reads it).
// NOTE(review): no '<package>[admin]' permission is registered in this file,
// so for non-admin users hasPerm() can only succeed if another package
// registers that string; in practice isAdmin() is what decides here.
$currentUser = rex::getUser();
$isAdmin = is_object($currentUser)
    && ($currentUser->hasPerm($mypage.'[admin]') || $currentUser->isAdmin());
// Addon settings as saved by the backend settings page. Every header below is
// driven by this array; a missing key simply means "option not enabled".
// NOTE(review): getConfig() is assumed to return an array or null - the
// lookups below tolerate both.
$config = rex_addon::get($mypage)->getConfig('config');

// Backend helper functions are only needed while a user works in the backend.
// The include path is derived from the addon's own package name, never from
// request data.
if (rex::isBackend() && rex::getUser()) {
    require_once rex_path::addon($mypage).'/functions/functions.inc.php';
}

// Request context for the header blocks below: a header is always sent for
// frontend responses and only sent for backend responses when its "_be"
// option is enabled.
$be = rex::isBackend();
$fe = rex::isFrontend();
// Connection: keep-alive
// NOTE(review): Connection is a hop-by-hop header. HTTP/2 and HTTP/3 forbid
// it, and servers/proxies commonly strip it, so this only acts as a hint for
// HTTP/1.x connections; it has no security effect.
if (($config['h_connection'] ?? null) == 'checked') {
    $sendInBackend = ($config['h_connection_be'] ?? null) == 'checked';
    if ($fe || ($be && $sendInBackend)) {
        rex_response::setHeader('Connection', 'keep-alive');
    }
}
// Vary: Accept-Encoding
// Tells caches that compressed and uncompressed variants of a URL differ.
// NOTE(review): rex_response::setHeader() appears to be keyed by header name,
// so this replaces rather than extends any Vary value queued earlier.
if (($config['h_vary'] ?? null) == 'checked') {
    $sendInBackend = ($config['h_vary_be'] ?? null) == 'checked';
    if ($fe || ($be && $sendInBackend)) {
        rex_response::setHeader('Vary', 'Accept-Encoding');
    }
}
// Remove Server
// NOTE(review): header_remove() only drops headers PHP itself added; the web
// server's own "Server" banner is attached after PHP has finished and cannot
// be removed from here. The second call queues a literal "Server: always unset"
// value (Apache's `Header always unset` directive mistaken for a value).
// Whether the server keeps a script-supplied Server value varies between
// servers, so at best the banner is obscured, not removed. Hide it in the
// server configuration instead (Apache: ServerTokens Prod, nginx:
// server_tokens off). Behaviour kept as-is so deployments do not change.
if (($config['h_server'] ?? null) == 'checked') {
    $sendInBackend = ($config['h_server_be'] ?? null) == 'checked';
    if ($fe || ($be && $sendInBackend)) {
        header_remove('Server');
        rex_response::setHeader('Server', 'always unset');
    }
}
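// Remove X-Powered-By
// PHP adds "X-Powered-By: PHP/x.y" itself when expose_php is on, and
// header_remove() drops it before the response is sent (the root fix is
// expose_php = Off in php.ini). The header is deliberately NOT queued again
// afterwards: the previous code set it to the literal value "always unset"
// (Apache's `Header always unset` directive syntax mistaken for a value),
// which presumably re-introduced the header just removed with a nonsense
// value once rex_response emitted its queued headers.
if (($config['h_poweredby'] ?? null) == 'checked') {
    $sendInBackend = ($config['h_poweredby_be'] ?? null) == 'checked';
    if ($fe || ($be && $sendInBackend)) {
        header_remove('X-Powered-By');
    }
}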
// X-Content-Type-Options: nosniff
// Stops browsers from MIME-sniffing a response away from its declared
// Content-Type, which closes a class of script/style injection via
// mistyped or user-uploaded files.
if (($config['h_contenttype'] ?? null) == 'checked') {
    $sendInBackend = ($config['h_contenttype_be'] ?? null) == 'checked';
    if ($fe || ($be && $sendInBackend)) {
        rex_response::setHeader('X-Content-Type-Options', 'nosniff');
    }
}
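// X-Frame-Options
// Value comes from the settings page (expected: DENY or SAMEORIGIN; ALLOW-FROM
// is obsolete and ignored by current browsers). The value is not validated
// here beyond being non-empty - it is admin-controlled, and PHP's header()
// rejects CR/LF on its own. CSP frame-ancestors (see the CSP block below)
// supersedes this header in browsers that support both.
if (($config['h_frame'] ?? null) == 'checked') {
    $frameOption = trim((string) ($config['h_frame_option'] ?? ''));
    if ($frameOption === '') {
        // An empty value would be an invalid header that browsers ignore, i.e.
        // no protection at all. The option being enabled expresses the intent to
        // restrict framing, so fall back to the safe, same-site-friendly default.
        $frameOption = 'SAMEORIGIN';
    }
    $sendInBackend = ($config['h_frame_be'] ?? null) == 'checked';
    if ($fe || ($be && $sendInBackend)) {
        rex_response::setHeader('X-Frame-Options', $frameOption);
    }
}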
// X-XSS-Protection
// NOTE(review): this header is deprecated. The browser XSS auditor it controls
// has been removed from Chromium, and in engines that still had it the filter
// enabled cross-site leaks; current guidance is to send "0" (or nothing) and
// rely on CSP instead. Kept as an admin-configurable legacy option.
if (($config['h_xss'] ?? null) == 'checked') {
    $mode = (($config['h_xss_block'] ?? null) == 'checked') ? '; mode=block' : '';
    $sendInBackend = ($config['h_xss_be'] ?? null) == 'checked';
    if ($fe || ($be && $sendInBackend)) {
        rex_response::setHeader('X-XSS-Protection', '1'.$mode);
    }
}
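// Referrer-Policy
// Value comes from the settings page (admin-controlled, not validated here).
if (($config['h_referer'] ?? null) == 'checked') {
    $referrerPolicy = trim((string) ($config['h_referer_option'] ?? ''));
    if ($referrerPolicy === '') {
        // An empty value is an invalid header that browsers ignore; send the
        // spec default explicitly instead so the header stays well-formed.
        $referrerPolicy = 'strict-origin-when-cross-origin';
    }
    $sendInBackend = ($config['h_referer_be'] ?? null) == 'checked';
    if ($fe || ($be && $sendInBackend)) {
        rex_response::setHeader('Referrer-Policy', $referrerPolicy);
    }
}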
// Strict-Transport-Security
// NOTE(review): browsers only honour HSTS on HTTPS responses, and once
// accepted they refuse plain HTTP for the host for max-age seconds (and for
// every subdomain when includeSubDomains is set). Enable it only after the
// whole host - and its subdomains, if selected - is served over HTTPS.
// No "preload" directive is emitted here.
if (($config['h_transport'] ?? null) == 'checked') {
    $maxAge = intval($config['h_transport_maxage'] ?? null);
    if ($maxAge <= 0) {
        $maxAge = 31536000; // one year, the usual recommended minimum
    }
    $directives = 'max-age='.$maxAge;
    if (($config['h_transport_subdomains'] ?? null) == 'checked') {
        $directives .= '; includeSubDomains';
    }
    $sendInBackend = ($config['h_transport_be'] ?? null) == 'checked';
    if ($fe || ($be && $sendInBackend)) {
        rex_response::setHeader('Strict-Transport-Security', $directives);
    }
}
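// Content-Security-Policy
// Either a free-text policy (h_csp_noeditor + h_csp_definition) or a policy
// assembled from the per-directive editor checkboxes. All three header names
// carry the same value.
if (($config['h_csp'] ?? null) == 'checked') {
    // Assembles one directive ("<name> <source> <source>...;") from the editor
    // options stored as $config['h_csp_<prefix>_<option>']. Returns '' when no
    // source is selected so the directive is left out entirely. The source
    // order matches what the editor produced before this refactoring.
    $buildCspDirective = function ($prefix, $directive, $withUnsafeKeywords) use ($config) {
        $source = function ($option, $token) use ($config, $prefix) {
            return (($config['h_csp_'.$prefix.'_'.$option] ?? null) == 'checked') ? ' '.$token : '';
        };
        // NOTE(review): "https:" and "data:" are very broad allow-lists, 'none'
        // is only valid on its own, and 'unsafe-inline'/'unsafe-eval' on
        // script-src largely void the XSS protection CSP exists for. The editor
        // does not validate such combinations; review the resulting policy with
        // a CSP evaluator.
        $sources  = $source('https', 'https:');
        $sources .= $source('data', 'data:');
        $sources .= $source('blob', 'blob:');
        $sources .= $source('self', "'self'");
        if ($withUnsafeKeywords) {
            $sources .= $source('inline', "'unsafe-inline'");
            $sources .= $source('eval', "'unsafe-eval'");
            $sources .= $source('hashes', "'unsafe-hashes'");
        }
        $sources .= $source('none', "'none'");
        $extraSources = $config['h_csp_'.$prefix.'_url'] ?? null;
        if (!empty($extraSources)) {
            $sources .= ' '.$extraSources;
        }
        return ($sources !== '') ? ' '.$directive.$sources.';' : '';
    };

    // Editor option prefix => CSP directive name.
    $cspDirectives = [
        'default'  => 'default-src',
        'img'      => 'img-src',
        'media'    => 'media-src',
        'font'     => 'font-src',
        'script'   => 'script-src',
        'style'    => 'style-src',
        'object'   => 'object-src',
        'form'     => 'form-action',
        'frame'    => 'frame-src',
        'frameanc' => 'frame-ancestors',
        'connect'  => 'connect-src',
        'manifest' => 'manifest-src',
    ];

    $customPolicy = $config['h_csp_definition'] ?? null;
    if (($config['h_csp_noeditor'] ?? null) == 'checked' && !empty($customPolicy)) {
        // Free-text policy; drop a header name that was pasted along with it.
        $policy = (string) preg_replace('/^Content-Security-Policy:/i', '', (string) $customPolicy);
    } else {
        $policy = '';
        foreach ($cspDirectives as $prefix => $directive) {
            // frame-ancestors has no inline/eval/hashes options in the editor.
            $policy .= $buildCspDirective($prefix, $directive, $prefix !== 'frameanc');
        }
    }
    // The value ends up in PHP's header(), which refuses values containing
    // CR/LF (warning, header not sent). A multi-line textarea entry would thus
    // silently disable the policy, so line breaks are folded into spaces.
    $policy = trim((string) preg_replace('/[\r\n]+/', ' ', $policy));

    $sendInBackend = ($config['h_csp_be'] ?? null) == 'checked';
    if ($fe || ($be && $sendInBackend)) {
        // An empty policy would only produce an invalid header that browsers ignore.
        if ($policy !== '') {
            // X-Content-Security-Policy / X-WebKit-CSP are the obsolete prefixed
            // names; no current browser reads them. Kept so the output does not
            // change for existing installations.
            rex_response::setHeader('X-Content-Security-Policy', $policy);
            rex_response::setHeader('X-WebKit-CSP', $policy);
            rex_response::setHeader('Content-Security-Policy', $policy);
        }
    }
}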
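// Feature-Policy / Permissions-Policy
// Feature-Policy is the deprecated predecessor of Permissions-Policy; both are
// sent so older browsers still receive a policy. Either free-text definitions
// (h_fpp_noeditor + h_fpp_definition_f/_p) or the editor checkboxes
// (h_fpp_<feature>_self / _none) are used.
if (($config['h_fpp'] ?? null) == 'checked') {
    $customFeaturePolicy = $config['h_fpp_definition_f'] ?? null;
    $customPermissionsPolicy = $config['h_fpp_definition_p'] ?? null;
    $useCustomDefinitions = ($config['h_fpp_noeditor'] ?? null) == 'checked'
        && (!empty($customFeaturePolicy) || !empty($customPermissionsPolicy));

    if ($useCustomDefinitions) {
        // Drop a header name pasted along with the value; an unset definition
        // yields '' and is skipped when sending (see below).
        $featurePolicy = (string) preg_replace('/^Feature-Policy:/i', '', (string) $customFeaturePolicy);
        $permissionsPolicy = (string) preg_replace('/^Permissions-Policy:/i', '', (string) $customPermissionsPolicy);
    } else {
        // Editor option key => feature name (same spelling in both headers).
        $features = [
            'cam'    => 'camera',
            'geo'    => 'geolocation',
            'gyro'   => 'gyroscope',
            'mag'    => 'magnetometer',
            'mic'    => 'microphone',
            'usb'    => 'usb',
            'docdom' => 'document-domain',
            'full'   => 'fullscreen',
            'pay'    => 'payment',
        ];
        $featurePolicy = '';
        $permissionEntries = [];
        foreach ($features as $key => $feature) {
            $allowSelf = ($config['h_fpp_'.$key.'_self'] ?? null) == 'checked';
            $allowNone = ($config['h_fpp_'.$key.'_none'] ?? null) == 'checked';
            if (!$allowSelf && !$allowNone) {
                continue; // feature not configured: browser default applies
            }
            // Feature-Policy syntax: "<feature> 'self' 'none';" (quoted keywords).
            // NOTE(review): 'self' together with 'none' is contradictory; the
            // editor does not prevent that combination.
            $featurePolicy .= ' '.$feature
                .($allowSelf ? " 'self'" : '')
                .($allowNone ? " 'none'" : '')
                .';';
            // Permissions-Policy syntax: "<feature>=(self)" or "<feature>=()";
            // "none" is expressed by the empty allow-list, so only self is emitted.
            $permissionEntries[] = $feature.'=('.($allowSelf ? 'self' : '').')';
        }
        $permissionsPolicy = implode(', ', $permissionEntries);
    }

    // The values end up in PHP's header(), which refuses values containing
    // CR/LF (warning, header not sent). A multi-line textarea entry would thus
    // silently disable the policy, so line breaks are folded into spaces.
    $featurePolicy = trim((string) preg_replace('/[\r\n]+/', ' ', $featurePolicy));
    $permissionsPolicy = trim((string) preg_replace('/[\r\n]+/', ' ', $permissionsPolicy));

    $sendInBackend = ($config['h_fpp_be'] ?? null) == 'checked';
    if ($fe || ($be && $sendInBackend)) {
        // Skip empty values: previously a missing definition produced a header
        // with an empty (invalid) value.
        if ($featurePolicy !== '') {
            rex_response::setHeader('Feature-Policy', $featurePolicy);
        }
        if ($permissionsPolicy !== '') {
            rex_response::setHeader('Permissions-Policy', $permissionsPolicy);
        }
    }
}
// No closing "?>" tag on purpose: any stray whitespace after it would become
// response output and break header() calls ("headers already sent") in this
// and later boot files.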