From 1a7fa4c29f240d48338f45caa2346f59a699cb7b Mon Sep 17 00:00:00 2001 From: alopexc0de Date: Fri, 28 Sep 2012 01:36:03 -0400 Subject: [PATCH] Added PHPROXY as a service --- pox/ChangeLog.txt | 102 ++++ pox/LICENSE.txt | 340 +++++++++++++ pox/README.txt | 324 +++++++++++++ pox/TODO.txt | 17 + pox/index.inc.php | 107 ++++ pox/index.php | 1181 +++++++++++++++++++++++++++++++++++++++++++++ pox/style.css | 144 ++++++ 7 files changed, 2215 insertions(+) create mode 100644 pox/ChangeLog.txt create mode 100644 pox/LICENSE.txt create mode 100644 pox/README.txt create mode 100644 pox/TODO.txt create mode 100644 pox/index.inc.php create mode 100644 pox/index.php create mode 100644 pox/style.css diff --git a/pox/ChangeLog.txt b/pox/ChangeLog.txt new file mode 100644 index 0000000..faf55c4 --- /dev/null +++ b/pox/ChangeLog.txt @@ -0,0 +1,102 @@ +* Release 0.5b2 January 20th, 2007 +_____________________________________________________________________ + +- Moved hotlinking prevention further down in the code +- upon_hotlink option 1 behavior changed to show the URL form using show_report() instead of a buggy HTTP redirect +- Default value for upon_hotlink is now 1 (show URL form page w/ error) instead of 2 (404 Error) +- Fixed XSS vulnerbility in the address box in index.inc.php (Thanks Ryan from http://proxy.gd) +- Removed .htaccess file because of "Internal Server Error" on several Apache installations +- Fixed "prev_dir" in url_parse(). It didn't show the Website's address if there were no "previous dirs" (Thanks Rayan) + + +* Release 0.5b January 19th, 2007 +_____________________________________________________________________ + +- Reworked the script into a procedural programming code style instead of OO. Everything should be more streamlined and faster now. +- Reworked extraction and processing of HTTP response headers. Doesn't depend on regex as much as before. +- Flags are now encoded in base 16 instead of base 2. +- Merged banned_hosts, allowed_hosts into one "hosts" array with each entry being a seperate regex piece of code. +- Sped up HTML proxification decently by optimizing the regex +- Introduced new system for showing errors, reports, and forms. It doesn't depend on HTTP redirects as in 0.4 and below. +- Prevented more private networks from being allowed to be browsed through the proxy +- Dropped the dependency on JavaScript for submitting the URL form +- Entry form now uses POST instead of GET +- Added support for inline CSS proxification +- Added support for connections over SSL (requires PHP >= 4.3.0 and OpenSSL) +- Added support for compressing output using Zlib +- Added hotlinking protection, with options on what to do upon detecting hotlinking +- Added support for flag freezing (i.e. users cannot change the value of frozen flags) +- Added stripslashing for GPC for those with magic_quotes_gpc on +- Added support for P3P and various other response headers +- Fixed mini URL-form not being included on every HTML page +- Fixed issues with POST data +- Fixed the Host request header. The port is only added if necessary +- Fixed Referer request header. It should reflect the actual referer now +- Fixed max_file_size bug +- Fixed the "script_url" variable. It should reflect the port if necessary and whether it's https or not +- Improved file upload support +- Improved URL parsing. It's not perfect, but it's better than before. +- Improved Basic authentication. It also now supports multiple realms per domain and different ports on the same domain +- Improved the usability of URL forms +- Improved cookie support +- Improved URL error notifications +- Improved removal of scripts +- Improved handling of frames and iframes to not display URL forms. This is still extremely buggy however. +- Various other fixes and speed improvements + + +* Release 0.4 September 7th, 2005 +_____________________________________________________________________ + +- Support for GET forms. Things like Google work now. +- Complete overhaul of the URL modifying function. Now supports + nearly all HTML tags +- Support for CSS proxifying +- New browsing options +- New layout +- Other fixes + + +* Release 0.3 July 22nd, 2004 +_____________________________________________________________________ + +- Script can now only work for PHP 4.2.0 and newer. +- Support for HTTP file uploads. +- Support for Basic HTTP authorization. Only one relam per domain is + currently supported. +- $this->url_segments['prefix'] should be have been + $this->url_segments['base'] in the follow_location method. +- err_no and err_msg variables are now passed by value in fsockopen + like they should've been. +- mailto: links are now not proxified. +- New helper method: stripslashes() +- All files except HTML are now passed immediately to the user without + first being stored in the script. +- Fixed problem with opening files if the path contained spaces. +- Fixed cookies being passed with the response headers in addition to + the PHProxy cookies +- Fixed problem if the URL started with a question mark. +- New configurable variable: banned_hosts +- A dot at the beginning of domain names in banned_hosts and + allowed_hosts matches all subdomains. + + +* Release 0.2 June 22nd, 2004: +_____________________________________________________________________ + +- Fixed bug in set_post_body: $name should have been $parent_key +- New logic for index.php +- Updated some HTML and CSS +- Changed xml to xhtml in public method: return_response() when checking + if we should update the HTML +- Added 7 gTLDs (.aero, .biz, .coop, .info, .museum, .name, .pro) for the regexp when + validating a cookie against a domain +- Updated index.php, url_form.inc to be compatible with short_open_tag = Off +- Anchors now work +- Made the mini URL-form more user friendly + + +* Release 0.1-alpha June 16th, 2004: +_____________________________________________________________________ + +Initial release. \ No newline at end of file diff --git a/pox/LICENSE.txt b/pox/LICENSE.txt new file mode 100644 index 0000000..0138fa8 --- /dev/null +++ b/pox/LICENSE.txt @@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. \ No newline at end of file diff --git a/pox/README.txt b/pox/README.txt new file mode 100644 index 0000000..e8f2993 --- /dev/null +++ b/pox/README.txt @@ -0,0 +1,324 @@ +PHProxy Source Code README +_____________________________________________________________________ + +Source Code Version 0.5b2 - January 20th 2007 +Latest Version: http://www.sourceforge.net/projects/poxy/ + +Copyright 2002-2007 Abdullah Arif + + +Contact +_____________________________________________________________________ + +Email: phproxy.support@gmail.com +Website: http://whitefyre.com/ + + +Support and Bug Reports +_____________________________________________________________________ + +http://whitefyre.com/forums/ +phproxy.support@gmail.com + + +Table of Contents +_____________________________________________________________________ + +1. License +2. What is PHProxy? +3. How it Works +4. Requirements +5. Installation +6. Configurable Script Variables +7. Available Options +8. Disclaimer +9. Bugs and Limitations +10. ChangeLog, FAQ, TODO, LICENSE, Bugs, Limitations +11. Credits + + +1. License +_____________________________________________________________________ + +This source code is released under the GPL. +A copy of the license in provided in this package in the file + named LICENSE.txt + + +2. What is PHProxy? +_____________________________________________________________________ + + +PHProxy is a web HTTP proxy +designed to bypass proxy restrictions through +a web interface very similar to the popular CGIProxy +(http://www.jmarshall.com/tools/cgiproxy/). For example, in my +university, the IT department blocks a lot of harmless websites +simply because of their popularity. So I use this porgram to access +those websites. The only thing that PHProxy needs is a web server +with PHP installed (see Requirements below). +Be aware though, that the sever has to be able to access those +resources to deliver them to you. + + + +3. How it Works +_____________________________________________________________________ + +You simply supply a URL to the form and click Browse. The script then +accesses that URL, and if it has any HTML contents, it modifies +any URLs so that they point back to the script. Of course, there is more +to it than this, but if you would like to know more in +detail, view the source code. +Comments have yet to be added. + + +4. Requirements +_____________________________________________________________________ + +- PHP version >= 4.2.0 +- safe_mode turned off or at least having the fsockopen() function not disabled +- PHP version >= 4.3.0 and OpenSSL for support for secure connections (https) +- Zlib for output compression +- file_uploads turned On for HTTP file uploads. + + +5. Installation +_____________________________________________________________________ + +Simply upload these files to a directory of your liking (prefrebly in its own directory): + +- index.php +- index.inc.php +- style.css + +You can rename index.php without any problems, but not index.inc.php. + +A good idea is to change these PHP settings in your php.ini file +or for instance Apache's httpd.conf or per directory .htaccess files: + +- register_globals = Off (safer for your script) +- magic_quotes_gpc = Off (avoids unnecessary, slow stripslashing in the script) +- always_populate_raw_post_data = Off (no need for this extraneous data) +- zlib.output_compression = On (to enable output compression, better than doing it inside the script) + +Your script will still function normally without these settings though. + +All you need to do now is to access index.php and start browsing! + + +6. Configurable Script Variables +_____________________________________________________________________ + +These variables are available at the beginning of the index.php file: + +- $_config: +___________ + +url_var_name: name of the variable the contains the url + to be passed to the script. default: 'q' +flags_var_name: name of the variables the contains the flags + to be passed to the script. default: 'hl' +get_form_name: name of the GET forms in case they were + passed through the proxy. + default: '____pgfa' +basic_auth_var_name: name of the variable when prompted for Basic + authentication. default: '____pbavn' +max_file_size: maximum file size in BYTES that can be + downloaded through the proxy. + Use -1 for unlimited. default: -1 +allow_hotlinking: whether to allow hotlinking or not. + default is not unless in $_hotlink_domains. + default:0 +upon_hotlink: what to do if a website hotlinks through your + proxy. Possible values: + - 1: show the URL form (homepage) + - 2: issue a HTTP 404 Not Found error + - any web address which the user will be + redirected to (e.g. goatse pic) + default: 1 +compress_output: whether to use gzip compression or not. + This may or may not work depending on whether + your PHP installation has Zlib loaded, and + whether the user's browser supports gzip + content encoding. Turn this on if you're + worried about bandwidth. This might be a + bit taxing on your server if you have any kind of + substantial traffic. It is also better to enable + output compression through php.ini than here. + default: 0 + + +- $_flags: +__________ + +This array contains the default values for the browsing options which + are explained in section 7. + + +- $_frozen_flags: +_________________ + +When a flag is frozen, it is no longer shown in the URL forms, and the + user won't be able to change its value. A frozen flag will always + assume its value given in $_flags. This is useful for forcing + a specific URL encoding, or forcing the mini URL form to always be + there for instance. +0 is for not frozen. 1 is for frozen. default: all are unfrozen. + + +- $_labels: +___________ + +The labels on flags. + + +- $_hosts: +__________ + +Each entry in this array is a seperate piece of regular expression +code that is matched against the host part of the currently browsed URL. +If it evaluates to true, the user will not be allowed to access +that URL. +The first default entry contains the regular expression for private +networks which are not supposed to be shown on the Internet. + + +- $_hotlink_domains: +____________________ + +This array holds entries of domain names which are allowed to hotlink +through your proxy when allow_hotlinking is 0. + +To allow "example.com" and "example2.com" to hotlink: + +$_hotlink_domains = array('example.com', 'example2.com'); + +You don't need to include the "www" part as it is automatically +accounted for. Your website's domain name is also automatically included +in this array. + + +- $_insert: +___________ + +This does nothing yet. + + +7. Available Options +_____________________________________________________________________ + +These options are available to you through the web interface. +You can also edit the default values in the $_flags in index.php +Values can either be 1 (true) or 0 (false). + ++-------------------------------------------------------------------+ +| Option | Explanation | ++-------------------------------------------------------------------+ +| Include Form | Includes a mini URL-form on every HTML page for | +| | easier browsing. | +| Remove Scripts | Remove all sorts of client-side scripting | +| | (i.e. JavaScript). Removal is not perfect. Some | +| | scripts might slip by here and there. | +| Accept Cookies | Accept HTTP cookies | +| Show Images | Show images. You might want to turn this off if | +| | you want to save your server's bandwith. | +| Show Referer | Show referring website in HTTP headers. This | +| | will show the base URL for the website you're | +| | currently viewing. Because many website disable | +| | HotLinking, this can be quite useful. | +| Rotate13 | Use rotate13 encoding on the URL. * | +| Base64 | Use base64 encoding on the URL. * | +| Strip Meta | Strip meta HTML tags | +| Strip Title | Strip Website title | +| Session Cookies| Store cookies for this current session only | ++-------------------------------------------------------------------+ + +* only one type of encoding will be used even if both are selected + + +8. Disclaimer +_____________________________________________________________________ + +Since this script basically bypasses restrictions that were imposed +on you, using it might be illegal in your country, school, office, +or whatever. Even your host might not allow you to run it. Use it at +your own risk. I will not be responsible for any damages done or any + harm that might result from using this script. + + + +9. Bugs and Limitations +_____________________________________________________________________ + +PHP is retarded by nature, and as such, some problems arise that +would have not if this script were otherwise coded in another programming +language. The first example of this is dots in incoming variable names +from POST and GET. In a normal programming language, this wouldn't be +a problem as these variables could be accessed normally as they are +supplied, with dots included. In PHP, however, dots in GET, POST, and +COOKIE variable names are magically transformed into underscores +because of the stupid shit that is register_globals. Things like Yahoo! +Mail which has dots in variable names will not work. There's no easy way +around this, but luckily, I have provided the solutions right here: + + 1. I've already taken care of cookies by manually transforming + the underscores manually into dots when needed. + 2. For GET variables, this shouldn't be a huge problem since the URLs + are URL-encoded into the url_var_name. The only time this should be + an issue is when a GET form uses dots in input names, and this could + be recitified by using $_SERVER['QUERY_STRING'], and parsing that + variable. But this, luckily, doesn't happen too often. + 3. As for POST data, one solution is to use $HTTP_RAW_POST_DATA. But then, + this variable might not be available in certain PHP configurations, + and it would need further parsing, and it still doesn't account + for uploaded FILES. This is extremely impractical and ugly. + +The best thing you could do if you have enough control over your Web server + and can compile custom builds of PHP is to delete a single line in a PHP source +code file called "php_variables.c" located in the "main" directory. + The function in question is called "php_register_variable_ex". I've only checked + this with PHP v4.4.4 and the exact line to delete is 117th line which basically + consists of this: + + case '.': + +Now just compile and install PHP and everything should be fine. Just make +sure that you have register_globals off or something might get messed up. +I've done this on my demo install on http://grab.cc/ and it's working +flawlessly. + + +Another problem facing many Web proxies is support for JavaScript. +Currently, therse is no such thing in PHProxy 0.5 but hopefully basic +support will be introduced for version 0.6. The best thing you could do +right now is to have the JavaScript disabled on your browsing options +as most sites degrade gracefully, such as Gmail. + +A third limitation for Web proxies is content accessed from within proxied +Flash and Java applications and such. Since the proxy script doesn't have access +to the source code of these applications, the links which they may decide + to stream or access will not be proxified. There's no easy solution for this + right now. + +PHProxy also doesn't support FTP. This may or may not be introduced +in future releases, but there are no current plans for FTP support. + + +10. ChangeLog, TODO, LICENSE +_____________________________________________________________________ + +Refer to the accompanying files. + + + +11. Credits +_____________________________________________________________________ + +James Marshall (http://www.jmarshall.com/) for his excellent CGIProxy +script which was a high inspiration and guide for me. The HTML +modification section is based off his script. + +Also massive thanks to everyone who emailed me or posted on forums bugs, + suggestions, and feedback. I really appreciate it. + diff --git a/pox/TODO.txt b/pox/TODO.txt new file mode 100644 index 0000000..7b1deb7 --- /dev/null +++ b/pox/TODO.txt @@ -0,0 +1,17 @@ +- Cookie managment +- JavaScript support +- Support for external proxies +- Frames and iframes shouldn't include the URL form +- Caching options +- More URL encoding methods +- More browsing options +- Support HTTP resuming +- Support HTTP 1.1 +- Support more response headers appropriately +- Better "hosts" control +- Improve URL proxification +- Inspect gzip compression furthermore +- Look into proxification of XML files +- Support for multiple languages +- IDN support +- FTP support \ No newline at end of file diff --git a/pox/index.inc.php b/pox/index.inc.php new file mode 100644 index 0000000..b301f58 --- /dev/null +++ b/pox/index.inc.php @@ -0,0 +1,107 @@ +'; + +?> + + + + + Pox Systems + + + +
+

Pox Systems

+ + +

+ Enter your username and password for "" on +

+ + +

+

'; + + switch ($data['group']) + { + case 'url': + echo 'URL Error (' . $data['error'] . '): '; + switch ($data['type']) + { + case 'internal': + $message = 'Failed to connect to the specified host. ' + . 'Possible problems are that the server was not found, the connection timed out, or the connection refused by the host. ' + . 'Try connecting again and check if the address is correct.'; + break; + case 'external': + switch ($data['error']) + { + case 1: + $message = 'The URL you\'re attempting to access is blacklisted by this server. Please select another URL.'; + break; + case 2: + $message = 'The URL you entered is malformed. Please check whether you entered the correct URL or not.'; + break; + } + break; + } + break; + case 'resource': + echo 'Resource Error: '; + switch ($data['type']) + { + case 'file_size': + $message = 'The file your are attempting to download is too large.
' + . 'Maxiumum permissible file size is ' . number_format($GLOBALS['_config']['max_file_size']/1048576, 2) . ' MB
' + . 'Requested file size is ' . number_format($GLOBALS['_content_length']/1048576, 2) . ' MB'; + break; + case 'hotlinking': + $message = 'It appears that you are trying to access a resource through this proxy from a remote Website.
' + . 'For security reasons, please use the form below to do so.'; + break; + } + break; + } + + echo 'An error has occured while trying to browse through the proxy.
' . $message . '

'; + break; +} +?> +
+
    +
    • + $flag_value) + { + if (!$GLOBALS['_frozen_flags'][$flag_name]) + { + echo '
    • ' . "\n"; + } + } + ?> +
+
+ + + + + diff --git a/pox/index.php b/pox/index.php new file mode 100644 index 0000000..8b75d98 --- /dev/null +++ b/pox/index.php @@ -0,0 +1,1181 @@ + 'q', + 'flags_var_name' => 'hl', + 'get_form_name' => '____pgfa', + 'basic_auth_var_name' => '____pbavn', + 'max_file_size' => -1, + 'allow_hotlinking' => 1, + 'upon_hotlink' => 1, + 'compress_output' => 0 + ); +$_flags = array + ( + 'include_form' => 1, + 'remove_scripts' => 1, + 'accept_cookies' => 1, + 'show_images' => 1, + 'show_referer' => 1, + 'rotate13' => 0, + 'base64_encode' => 1, + 'strip_meta' => 1, + 'strip_title' => 0, + 'session_cookies' => 1 + ); +$_frozen_flags = array + ( + 'include_form' => 0, + 'remove_scripts' => 0, + 'accept_cookies' => 0, + 'show_images' => 0, + 'show_referer' => 0, + 'rotate13' => 0, + 'base64_encode' => 0, + 'strip_meta' => 0, + 'strip_title' => 0, + 'session_cookies' => 0 + ); +$_labels = array + ( + 'include_form' => array('Include Form', 'Include mini URL-form on every page'), + 'remove_scripts' => array('Remove Scripts', 'Remove client-side scripting (i.e JavaScript)'), + 'accept_cookies' => array('Accept Cookies', 'Allow cookies to be stored'), + 'show_images' => array('Show Images', 'Show images on browsed pages'), + 'show_referer' => array('Show Referer', 'Show actual referring Website'), + 'rotate13' => array('Rotate13', 'Use ROT13 encoding on the address'), + 'base64_encode' => array('Base64', 'Use base64 encodng on the address'), + 'strip_meta' => array('Strip Meta', 'Strip meta information tags from pages'), + 'strip_title' => array('Strip Title', 'Strip page title'), + 'session_cookies' => array('Session Cookies', 'Store cookies for this session only') + ); + +$_hosts = array + ( + '#^127\.|192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|localhost#i' + ); +$_hotlink_domains = array(); +$_insert = array(); + +// +// END CONFIGURABLE OPTIONS. The ride for you ends here. Close the file. +// + +$_iflags = ''; +$_system = array + ( + 'ssl' => extension_loaded('openssl') && version_compare(PHP_VERSION, '4.3.0', '>='), + 'uploads' => ini_get('file_uploads'), + 'gzip' => extension_loaded('zlib') && !ini_get('zlib.output_compression'), + 'stripslashes' => get_magic_quotes_gpc() + ); +$_proxify = array('text/html' => 1, 'application/xml+xhtml' => 1, 'application/xhtml+xml' => 1, 'text/css' => 1); +$_version = '0.5b2'; +$_http_host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : (isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : 'localhost'); +$_script_url = 'http' . ((isset($_ENV['HTTPS']) && $_ENV['HTTPS'] == 'on') || $_SERVER['SERVER_PORT'] == 443 ? 's' : '') . '://' . $_http_host . ($_SERVER['SERVER_PORT'] != 80 && $_SERVER['SERVER_PORT'] != 443 ? ':' . $_SERVER['SERVER_PORT'] : '') . $_SERVER['PHP_SELF']; +$_script_base = substr($_script_url, 0, strrpos($_script_url, '/')+1); +$_url = ''; +$_url_parts = array(); +$_base = array(); +$_socket = null; +$_request_method = $_SERVER['REQUEST_METHOD']; +$_request_headers = ''; +$_cookie = ''; +$_post_body = ''; +$_response_headers = array(); +$_response_keys = array(); +$_http_version = ''; +$_response_code = 0; +$_content_type = 'text/html'; +$_content_length = false; +$_content_disp = ''; +$_set_cookie = array(); +$_retry = false; +$_quit = false; +$_basic_auth_header = ''; +$_basic_auth_realm = ''; +$_auth_creds = array(); +$_response_body = ''; + +// +// FUNCTION DECLARATIONS +// + +function show_report($data) +{ + include $data['which'] . '.inc.php'; + exit(0); +} + +function add_cookie($name, $value, $expires = 0) +{ + return rawurlencode(rawurlencode($name)) . '=' . rawurlencode(rawurlencode($value)) . (empty($expires) ? '' : '; expires=' . gmdate('D, d-M-Y H:i:s \G\M\T', $expires)) . '; path=/; domain=.' . $GLOBALS['_http_host']; +} + +function set_post_vars($array, $parent_key = null) +{ + $temp = array(); + + foreach ($array as $key => $value) + { + $key = isset($parent_key) ? sprintf('%s[%s]', $parent_key, urlencode($key)) : urlencode($key); + if (is_array($value)) + { + $temp = array_merge($temp, set_post_vars($value, $key)); + } + else + { + $temp[$key] = urlencode($value); + } + } + + return $temp; +} + +function set_post_files($array, $parent_key = null) +{ + $temp = array(); + + foreach ($array as $key => $value) + { + $key = isset($parent_key) ? sprintf('%s[%s]', $parent_key, urlencode($key)) : urlencode($key); + if (is_array($value)) + { + $temp = array_merge_recursive($temp, set_post_files($value, $key)); + } + else if (preg_match('#^([^\[\]]+)\[(name|type|tmp_name)\]#', $key, $m)) + { + $temp[str_replace($m[0], $m[1], $key)][$m[2]] = $value; + } + } + + return $temp; +} + +function url_parse($url, & $container) +{ + $temp = @parse_url($url); + + if (!empty($temp)) + { + $temp['port_ext'] = ''; + $temp['base'] = $temp['scheme'] . '://' . $temp['host']; + + if (isset($temp['port'])) + { + $temp['base'] .= $temp['port_ext'] = ':' . $temp['port']; + } + else + { + $temp['port'] = $temp['scheme'] === 'https' ? 443 : 80; + } + + $temp['path'] = isset($temp['path']) ? $temp['path'] : '/'; + $path = array(); + $temp['path'] = explode('/', $temp['path']); + + foreach ($temp['path'] as $dir) + { + if ($dir === '..') + { + array_pop($path); + } + else if ($dir !== '.') + { + for ($dir = rawurldecode($dir), $new_dir = '', $i = 0, $count_i = strlen($dir); $i < $count_i; $new_dir .= strspn($dir{$i}, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$-_.+!*\'(),?:@&;=') ? $dir{$i} : rawurlencode($dir{$i}), ++$i); + $path[] = $new_dir; + } + } + + $temp['path'] = str_replace('/%7E', '/~', '/' . ltrim(implode('/', $path), '/')); + $temp['file'] = substr($temp['path'], strrpos($temp['path'], '/')+1); + $temp['dir'] = substr($temp['path'], 0, strrpos($temp['path'], '/')); + $temp['base'] .= $temp['dir']; + $temp['prev_dir'] = substr_count($temp['path'], '/') > 1 ? substr($temp['base'], 0, strrpos($temp['base'], '/')+1) : $temp['base'] . '/'; + $container = $temp; + + return true; + } + + return false; +} + +function complete_url($url, $proxify = true) +{ + $url = trim($url); + + if ($url === '') + { + return ''; + } + + $hash_pos = strrpos($url, '#'); + $fragment = $hash_pos !== false ? '#' . substr($url, $hash_pos) : ''; + $sep_pos = strpos($url, '://'); + + if ($sep_pos === false || $sep_pos > 5) + { + switch ($url{0}) + { + case '/': + $url = substr($url, 0, 2) === '//' ? $GLOBALS['_base']['scheme'] . ':' . $url : $GLOBALS['_base']['scheme'] . '://' . $GLOBALS['_base']['host'] . $GLOBALS['_base']['port_ext'] . $url; + break; + case '?': + $url = $GLOBALS['_base']['base'] . '/' . $GLOBALS['_base']['file'] . $url; + break; + case '#': + $proxify = false; + break; + case 'm': + if (substr($url, 0, 7) == 'mailto:') + { + $proxify = false; + break; + } + default: + $url = $GLOBALS['_base']['base'] . '/' . $url; + } + } + + return $proxify ? "{$GLOBALS['_script_url']}?{$GLOBALS['_config']['url_var_name']}=" . encode_url($url) . $fragment : $url; +} + +function proxify_inline_css($css) +{ + preg_match_all('#url\s*\(\s*(([^)]*(\\\))*[^)]*)(\)|$)?#i', $css, $matches, PREG_SET_ORDER); + + for ($i = 0, $count = count($matches); $i < $count; ++$i) + { + $css = str_replace($matches[$i][0], 'url(' . proxify_css_url($matches[$i][1]) . ')', $css); + } + + return $css; +} + +function proxify_css($css) +{ + $css = proxify_inline_css($css); + + preg_match_all("#@import\s*(?:\"([^\">]*)\"?|'([^'>]*)'?)([^;]*)(;|$)#i", $css, $matches, PREG_SET_ORDER); + + for ($i = 0, $count = count($matches); $i < $count; ++$i) + { + $delim = '"'; + $url = $matches[$i][2]; + + if (isset($matches[$i][3])) + { + $delim = "'"; + $url = $matches[$i][3]; + } + + $css = str_replace($matches[$i][0], '@import ' . $delim . proxify_css_url($matches[$i][1]) . $delim . (isset($matches[$i][4]) ? $matches[$i][4] : ''), $css); + } + + return $css; +} + +function proxify_css_url($url) +{ + $url = trim($url); + $delim = strpos($url, '"') === 0 ? '"' : (strpos($url, "'") === 0 ? "'" : ''); + + return $delim . preg_replace('#([\(\),\s\'"\\\])#', '\\$1', complete_url(trim(preg_replace('#\\\(.)#', '$1', trim($url, $delim))))) . $delim; +} + +// +// SET FLAGS +// + +if (isset($_POST[$_config['url_var_name']]) && !isset($_GET[$_config['url_var_name']]) && isset($_POST[$_config['flags_var_name']])) +{ + foreach ($_flags as $flag_name => $flag_value) + { + $_iflags .= isset($_POST[$_config['flags_var_name']][$flag_name]) ? (string)(int)(bool)$_POST[$_config['flags_var_name']][$flag_name] : ($_frozen_flags[$flag_name] ? $flag_value : '0'); + } + + $_iflags = base_convert(($_iflags != '' ? $_iflags : '0'), 2, 16); +} +else if (isset($_GET[$_config['flags_var_name']]) && !isset($_GET[$_config['get_form_name']]) && ctype_alnum($_GET[$_config['flags_var_name']])) +{ + $_iflags = $_GET[$_config['flags_var_name']]; +} +else if (isset($_COOKIE['flags']) && ctype_alnum($_COOKIE['flags'])) +{ + $_iflags = $_COOKIE['flags']; +} + +if ($_iflags !== '') +{ + $_set_cookie[] = add_cookie('flags', $_iflags, time()+2419200); + $_iflags = str_pad(base_convert($_iflags, 16, 2), count($_flags), '0', STR_PAD_LEFT); + $i = 0; + + foreach ($_flags as $flag_name => $flag_value) + { + $_flags[$flag_name] = $_frozen_flags[$flag_name] ? $flag_value : (int)(bool)$_iflags{$i}; + $i++; + } +} + +// +// DETERMINE URL-ENCODING BASED ON FLAGS +// + +if ($_flags['rotate13']) +{ + function encode_url($url) + { + return rawurlencode(str_rot13($url)); + } + function decode_url($url) + { + return str_replace(array('&', '&'), '&', str_rot13(rawurldecode($url))); + } +} +else if ($_flags['base64_encode']) +{ + function encode_url($url) + { + return rawurlencode(base64_encode($url)); + } + function decode_url($url) + { + return str_replace(array('&', '&'), '&', base64_decode(rawurldecode($url))); + } +} +else +{ + function encode_url($url) + { + return rawurlencode($url); + } + function decode_url($url) + { + return str_replace(array('&', '&'), '&', rawurldecode($url)); + } +} + +// +// COMPRESS OUTPUT IF INSTRUCTED +// + +if ($_config['compress_output'] && $_system['gzip']) +{ + ob_start('ob_gzhandler'); +} + +// +// STRIP SLASHES FROM GPC IF NECESSARY +// + +if ($_system['stripslashes']) +{ + function _stripslashes($value) + { + return is_array($value) ? array_map('_stripslashes', $value) : (is_string($value) ? stripslashes($value) : $value); + } + + $_GET = _stripslashes($_GET); + $_POST = _stripslashes($_POST); + $_COOKIE = _stripslashes($_COOKIE); +} + +// +// FIGURE OUT WHAT TO DO (POST URL-form submit, GET form request, regular request, basic auth, cookie manager, show URL-form) +// + +if (isset($_POST[$_config['url_var_name']]) && !isset($_GET[$_config['url_var_name']])) +{ + header('Location: ' . $_script_url . '?' . $_config['url_var_name'] . '=' . encode_url($_POST[$_config['url_var_name']]) . '&' . $_config['flags_var_name'] . '=' . base_convert($_iflags, 2, 16)); + exit(0); +} + +if (isset($_GET[$_config['get_form_name']])) +{ + $_url = decode_url($_GET[$_config['get_form_name']]); + $qstr = strpos($_url, '?') !== false ? (strpos($_url, '?') === strlen($_url)-1 ? '' : '&') : '?'; + $arr = explode('&', $_SERVER['QUERY_STRING']); + + if (preg_match('#^\Q' . $_config['get_form_name'] . '\E#', $arr[0])) + { + array_shift($arr); + } + + $_url .= $qstr . implode('&', $arr); +} +else if (isset($_GET[$_config['url_var_name']])) +{ + $_url = decode_url($_GET[$_config['url_var_name']]); +} +else if (isset($_GET['action']) && $_GET['action'] == 'cookies') +{ + show_report(array('which' => 'cookies')); +} +else +{ + show_report(array('which' => 'index', 'category' => 'entry_form')); +} + +if (isset($_GET[$_config['url_var_name']], $_POST[$_config['basic_auth_var_name']], $_POST['username'], $_POST['password'])) +{ + $_request_method = 'GET'; + $_basic_auth_realm = base64_decode($_POST[$_config['basic_auth_var_name']]); + $_basic_auth_header = base64_encode($_POST['username'] . ':' . $_POST['password']); +} + +// +// SET URL +// + +if (strpos($_url, '://') === false) +{ + $_url = 'http://' . $_url; +} + +if (url_parse($_url, $_url_parts)) +{ + $_base = $_url_parts; + + if (!empty($_hosts)) + { + foreach ($_hosts as $host) + { + if (preg_match($host, $_url_parts['host'])) + { + show_report(array('which' => 'index', 'category' => 'error', 'group' => 'url', 'type' => 'external', 'error' => 1)); + } + } + } +} +else +{ + show_report(array('which' => 'index', 'category' => 'error', 'group' => 'url', 'type' => 'external', 'error' => 2)); +} + +// +// HOTLINKING PREVENTION +// + +if (!$_config['allow_hotlinking'] && isset($_SERVER['HTTP_REFERER'])) +{ + $_hotlink_domains[] = $_http_host; + $is_hotlinking = true; + + foreach ($_hotlink_domains as $host) + { + if (preg_match('#^https?\:\/\/(www)?\Q' . $host . '\E(\/|\:|$)#i', trim($_SERVER['HTTP_REFERER']))) + { + $is_hotlinking = false; + break; + } + } + + if ($is_hotlinking) + { + switch ($_config['upon_hotlink']) + { + case 1: + show_report(array('which' => 'index', 'category' => 'error', 'group' => 'resource', 'type' => 'hotlinking')); + break; + case 2: + header('HTTP/1.0 404 Not Found'); + exit(0); + default: + header('Location: ' . $_config['upon_hotlink']); + exit(0); + } + } +} + +// +// OPEN SOCKET TO SERVER +// + +do +{ + $_retry = false; + $_socket = @fsockopen(($_url_parts['scheme'] === 'https' && $_system['ssl'] ? 'ssl://' : 'tcp://') . $_url_parts['host'], $_url_parts['port'], $err_no, $err_str, 30); + + if ($_socket === false) + { + show_report(array('which' => 'index', 'category' => 'error', 'group' => 'url', 'type' => 'internal', 'error' => $err_no)); + } + + // + // SET REQUEST HEADERS + // + + $_request_headers = $_request_method . ' ' . $_url_parts['path']; + + if (isset($_url_parts['query'])) + { + $_request_headers .= '?'; + $query = preg_split('#([&;])#', $_url_parts['query'], -1, PREG_SPLIT_DELIM_CAPTURE); + for ($i = 0, $count = count($query); $i < $count; $_request_headers .= implode('=', array_map('urlencode', array_map('urldecode', explode('=', $query[$i])))) . (isset($query[++$i]) ? $query[$i] : ''), $i++); + } + + $_request_headers .= " HTTP/1.0\r\n"; + $_request_headers .= 'Host: ' . $_url_parts['host'] . $_url_parts['port_ext'] . "\r\n"; + + if (isset($_SERVER['HTTP_USER_AGENT'])) + { + $_request_headers .= 'User-Agent: ' . $_SERVER['HTTP_USER_AGENT'] . "\r\n"; + } + if (isset($_SERVER['HTTP_ACCEPT'])) + { + $_request_headers .= 'Accept: ' . $_SERVER['HTTP_ACCEPT'] . "\r\n"; + } + else + { + $_request_headers .= "Accept: */*;q=0.1\r\n"; + } + if ($_flags['show_referer'] && isset($_SERVER['HTTP_REFERER']) && preg_match('#^\Q' . $_script_url . '?' . $_config['url_var_name'] . '=\E([^&]+)#', $_SERVER['HTTP_REFERER'], $matches)) + { + $_request_headers .= 'Referer: ' . decode_url($matches[1]) . "\r\n"; + } + if (!empty($_COOKIE)) + { + $_cookie = ''; + $_auth_creds = array(); + + foreach ($_COOKIE as $cookie_id => $cookie_content) + { + $cookie_id = explode(';', rawurldecode($cookie_id)); + $cookie_content = explode(';', rawurldecode($cookie_content)); + + if ($cookie_id[0] === 'COOKIE') + { + $cookie_id[3] = str_replace('_', '.', $cookie_id[3]); //stupid PHP can't have dots in var names + + if (count($cookie_id) < 4 || ($cookie_content[1] == 'secure' && $_url_parts['scheme'] != 'https')) + { + continue; + } + + if ((preg_match('#\Q' . $cookie_id[3] . '\E$#i', $_url_parts['host']) || strtolower($cookie_id[3]) == strtolower('.' . $_url_parts['host'])) && preg_match('#^\Q' . $cookie_id[2] . '\E#', $_url_parts['path'])) + { + $_cookie .= ($_cookie != '' ? '; ' : '') . (empty($cookie_id[1]) ? '' : $cookie_id[1] . '=') . $cookie_content[0]; + } + } + else if ($cookie_id[0] === 'AUTH' && count($cookie_id) === 3) + { + $cookie_id[2] = str_replace('_', '.', $cookie_id[2]); + + if ($_url_parts['host'] . ':' . $_url_parts['port'] === $cookie_id[2]) + { + $_auth_creds[$cookie_id[1]] = $cookie_content[0]; + } + } + } + + if ($_cookie != '') + { + $_request_headers .= "Cookie: $_cookie\r\n"; + } + } + if (isset($_url_parts['user'], $_url_parts['pass'])) + { + $_basic_auth_header = base64_encode($_url_parts['user'] . ':' . $_url_parts['pass']); + } + if (!empty($_basic_auth_header)) + { + $_set_cookie[] = add_cookie("AUTH;{$_basic_auth_realm};{$_url_parts['host']}:{$_url_parts['port']}", $_basic_auth_header); + $_request_headers .= "Authorization: Basic {$_basic_auth_header}\r\n"; + } + else if (!empty($_basic_auth_realm) && isset($_auth_creds[$_basic_auth_realm])) + { + $_request_headers .= "Authorization: Basic {$_auth_creds[$_basic_auth_realm]}\r\n"; + } + else if (list($_basic_auth_realm, $_basic_auth_header) = each($_auth_creds)) + { + $_request_headers .= "Authorization: Basic {$_basic_auth_header}\r\n"; + } + if ($_request_method == 'POST') + { + if (!empty($_FILES) && $_system['uploads']) + { + $_data_boundary = '----' . md5(uniqid(rand(), true)); + $array = set_post_vars($_POST); + + foreach ($array as $key => $value) + { + $_post_body .= "--{$_data_boundary}\r\n"; + $_post_body .= "Content-Disposition: form-data; name=\"$key\"\r\n\r\n"; + $_post_body .= urldecode($value) . "\r\n"; + } + + $array = set_post_files($_FILES); + + foreach ($array as $key => $file_info) + { + $_post_body .= "--{$_data_boundary}\r\n"; + $_post_body .= "Content-Disposition: form-data; name=\"$key\"; filename=\"{$file_info['name']}\"\r\n"; + $_post_body .= 'Content-Type: ' . (empty($file_info['type']) ? 'application/octet-stream' : $file_info['type']) . "\r\n\r\n"; + + if (is_readable($file_info['tmp_name'])) + { + $handle = fopen($file_info['tmp_name'], 'rb'); + $_post_body .= fread($handle, filesize($file_info['tmp_name'])); + fclose($handle); + } + + $_post_body .= "\r\n"; + } + + $_post_body .= "--{$_data_boundary}--\r\n"; + $_request_headers .= "Content-Type: multipart/form-data; boundary={$_data_boundary}\r\n"; + $_request_headers .= "Content-Length: " . strlen($_post_body) . "\r\n\r\n"; + $_request_headers .= $_post_body; + } + else + { + $array = set_post_vars($_POST); + + foreach ($array as $key => $value) + { + $_post_body .= !empty($_post_body) ? '&' : ''; + $_post_body .= $key . '=' . $value; + } + $_request_headers .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $_request_headers .= "Content-Length: " . strlen($_post_body) . "\r\n\r\n"; + $_request_headers .= $_post_body; + $_request_headers .= "\r\n"; + } + + $_post_body = ''; + } + else + { + $_request_headers .= "\r\n"; + } + + fwrite($_socket, $_request_headers); + + // + // PROCESS RESPONSE HEADERS + // + + $_response_headers = $_response_keys = array(); + + $line = fgets($_socket, 8192); + + while (strspn($line, "\r\n") !== strlen($line)) + { + @list($name, $value) = explode(':', $line, 2); + $name = trim($name); + $_response_headers[strtolower($name)][] = trim($value); + $_response_keys[strtolower($name)] = $name; + $line = fgets($_socket, 8192); + } + + sscanf(current($_response_keys), '%s %s', $_http_version, $_response_code); + + if (isset($_response_headers['content-type'])) + { + list($_content_type, ) = explode(';', str_replace(' ', '', strtolower($_response_headers['content-type'][0])), 2); + } + if (isset($_response_headers['content-length'])) + { + $_content_length = $_response_headers['content-length'][0]; + unset($_response_headers['content-length'], $_response_keys['content-length']); + } + if (isset($_response_headers['content-disposition'])) + { + $_content_disp = $_response_headers['content-disposition'][0]; + unset($_response_headers['content-disposition'], $_response_keys['content-disposition']); + } + if (isset($_response_headers['set-cookie']) && $_flags['accept_cookies']) + { + foreach ($_response_headers['set-cookie'] as $cookie) + { + $name = $value = $expires = $path = $domain = $secure = $expires_time = ''; + + preg_match('#^\s*([^=;,\s]*)\s*=?\s*([^;]*)#', $cookie, $match) && list(, $name, $value) = $match; + preg_match('#;\s*expires\s*=\s*([^;]*)#i', $cookie, $match) && list(, $expires) = $match; + preg_match('#;\s*path\s*=\s*([^;,\s]*)#i', $cookie, $match) && list(, $path) = $match; + preg_match('#;\s*domain\s*=\s*([^;,\s]*)#i', $cookie, $match) && list(, $domain) = $match; + preg_match('#;\s*(secure\b)#i', $cookie, $match) && list(, $secure) = $match; + + $expires_time = empty($expires) ? 0 : intval(@strtotime($expires)); + $expires = ($_flags['session_cookies'] && !empty($expires) && time()-$expires_time < 0) ? '' : $expires; + $path = empty($path) ? '/' : $path; + + if (empty($domain)) + { + $domain = $_url_parts['host']; + } + else + { + $domain = '.' . strtolower(str_replace('..', '.', trim($domain, '.'))); + + if ((!preg_match('#\Q' . $domain . '\E$#i', $_url_parts['host']) && $domain != '.' . $_url_parts['host']) || (substr_count($domain, '.') < 2 && $domain{0} == '.')) + { + continue; + } + } + if (count($_COOKIE) >= 15 && time()-$expires_time <= 0) + { + $_set_cookie[] = add_cookie(current($_COOKIE), '', 1); + } + + $_set_cookie[] = add_cookie("COOKIE;$name;$path;$domain", "$value;$secure", $expires_time); + } + } + if (isset($_response_headers['set-cookie'])) + { + unset($_response_headers['set-cookie'], $_response_keys['set-cookie']); + } + if (!empty($_set_cookie)) + { + $_response_keys['set-cookie'] = 'Set-Cookie'; + $_response_headers['set-cookie'] = $_set_cookie; + } + if (isset($_response_headers['p3p']) && preg_match('#policyref\s*=\s*[\'"]?([^\'"\s]*)[\'"]?#i', $_response_headers['p3p'][0], $matches)) + { + $_response_headers['p3p'][0] = str_replace($matches[0], 'policyref="' . complete_url($matches[1]) . '"', $_response_headers['p3p'][0]); + } + if (isset($_response_headers['refresh']) && preg_match('#([0-9\s]*;\s*URL\s*=)\s*(\S*)#i', $_response_headers['refresh'][0], $matches)) + { + $_response_headers['refresh'][0] = $matches[1] . complete_url($matches[2]); + } + if (isset($_response_headers['location'])) + { + $_response_headers['location'][0] = complete_url($_response_headers['location'][0]); + } + if (isset($_response_headers['uri'])) + { + $_response_headers['uri'][0] = complete_url($_response_headers['uri'][0]); + } + if (isset($_response_headers['content-location'])) + { + $_response_headers['content-location'][0] = complete_url($_response_headers['content-location'][0]); + } + if (isset($_response_headers['connection'])) + { + unset($_response_headers['connection'], $_response_keys['connection']); + } + if (isset($_response_headers['keep-alive'])) + { + unset($_response_headers['keep-alive'], $_response_keys['keep-alive']); + } + if ($_response_code == 401 && isset($_response_headers['www-authenticate']) && preg_match('#basic\s+(?:realm="(.*?)")?#i', $_response_headers['www-authenticate'][0], $matches)) + { + if (isset($_auth_creds[$matches[1]]) && !$_quit) + { + $_basic_auth_realm = $matches[1]; + $_basic_auth_header = ''; + $_retry = $_quit = true; + } + else + { + show_report(array('which' => 'index', 'category' => 'auth', 'realm' => $matches[1])); + } + } +} +while ($_retry); + +// +// OUTPUT RESPONSE IF NO PROXIFICATION IS NEEDED +// + +if (!isset($_proxify[$_content_type])) +{ + @set_time_limit(0); + + $_response_keys['content-disposition'] = 'Content-Disposition'; + $_response_headers['content-disposition'][0] = empty($_content_disp) ? ($_content_type == 'application/octet_stream' ? 'attachment' : 'inline') . '; filename="' . $_url_parts['file'] . '"' : $_content_disp; + + if ($_content_length !== false) + { + if ($_config['max_file_size'] != -1 && $_content_length > $_config['max_file_size']) + { + show_report(array('which' => 'index', 'category' => 'error', 'group' => 'resource', 'type' => 'file_size')); + } + + $_response_keys['content-length'] = 'Content-Length'; + $_response_headers['content-length'][0] = $_content_length; + } + + $_response_headers = array_filter($_response_headers); + $_response_keys = array_filter($_response_keys); + + header(array_shift($_response_keys)); + array_shift($_response_headers); + + foreach ($_response_headers as $name => $array) + { + foreach ($array as $value) + { + header($_response_keys[$name] . ': ' . $value, false); + } + } + + do + { + $data = fread($_socket, 8192); + echo $data; + } + while (isset($data{0})); + + fclose($_socket); + exit(0); +} + +do +{ + $data = @fread($_socket, 8192); // silenced to avoid the "normal" warning by a faulty SSL connection + $_response_body .= $data; +} +while (isset($data{0})); + +unset($data); +fclose($_socket); + +// +// MODIFY AND DUMP RESOURCE +// + +if ($_content_type == 'text/css') +{ + $_response_body = proxify_css($_response_body); +} +else +{ + if ($_flags['strip_title']) + { + $_response_body = preg_replace('#(<\s*title[^>]*>)(.*?)(<\s*/title[^>]*>)#is', '$1$3', $_response_body); + } + if ($_flags['remove_scripts']) + { + $_response_body = preg_replace('#<\s*script[^>]*?>.*?<\s*/\s*script\s*>#si', '', $_response_body); + $_response_body = preg_replace("#(\bon[a-z]+)\s*=\s*(?:\"([^\"]*)\"?|'([^']*)'?|([^'\"\s>]*))?#i", '', $_response_body); + $_response_body = preg_replace('##si', "$1", $_response_body); + } + if (!$_flags['show_images']) + { + $_response_body = preg_replace('#<(img|image)[^>]*?>#si', '', $_response_body); + } + + // + // PROXIFY HTML RESOURCE + // + + $tags = array + ( + 'a' => array('href'), + 'img' => array('src', 'longdesc'), + 'image' => array('src', 'longdesc'), + 'body' => array('background'), + 'base' => array('href'), + 'frame' => array('src', 'longdesc'), + 'iframe' => array('src', 'longdesc'), + 'head' => array('profile'), + 'layer' => array('src'), + 'input' => array('src', 'usemap'), + 'form' => array('action'), + 'area' => array('href'), + 'link' => array('href', 'src', 'urn'), + 'meta' => array('content'), + 'param' => array('value'), + 'applet' => array('codebase', 'code', 'object', 'archive'), + 'object' => array('usermap', 'codebase', 'classid', 'archive', 'data'), + 'script' => array('src'), + 'select' => array('src'), + 'hr' => array('src'), + 'table' => array('background'), + 'tr' => array('background'), + 'th' => array('background'), + 'td' => array('background'), + 'bgsound' => array('src'), + 'blockquote' => array('cite'), + 'del' => array('cite'), + 'embed' => array('src'), + 'fig' => array('src', 'imagemap'), + 'ilayer' => array('src'), + 'ins' => array('cite'), + 'note' => array('src'), + 'overlay' => array('src', 'imagemap'), + 'q' => array('cite'), + 'ul' => array('src') + ); + + preg_match_all('#(<\s*style[^>]*>)(.*?)(<\s*/\s*style[^>]*>)#is', $_response_body, $matches, PREG_SET_ORDER); + + for ($i = 0, $count_i = count($matches); $i < $count_i; ++$i) + { + $_response_body = str_replace($matches[$i][0], $matches[$i][1]. proxify_css($matches[$i][2]) .$matches[$i][3], $_response_body); + } + + preg_match_all("#<\s*([a-zA-Z\?-]+)([^>]+)>#S", $_response_body, $matches); + + for ($i = 0, $count_i = count($matches[0]); $i < $count_i; ++$i) + { + if (!preg_match_all("#([a-zA-Z\-\/]+)\s*(?:=\s*(?:\"([^\">]*)\"?|'([^'>]*)'?|([^'\"\s]*)))?#S", $matches[2][$i], $m, PREG_SET_ORDER)) + { + continue; + } + + $rebuild = false; + $extra_html = $temp = ''; + $attrs = array(); + + for ($j = 0, $count_j = count($m); $j < $count_j; $attrs[strtolower($m[$j][1])] = (isset($m[$j][4]) ? $m[$j][4] : (isset($m[$j][3]) ? $m[$j][3] : (isset($m[$j][2]) ? $m[$j][2] : false))), ++$j); + + if (isset($attrs['style'])) + { + $rebuild = true; + $attrs['style'] = proxify_inline_css($attrs['style']); + } + + $tag = strtolower($matches[1][$i]); + + if (isset($tags[$tag])) + { + switch ($tag) + { + case 'a': + if (isset($attrs['href'])) + { + $rebuild = true; + $attrs['href'] = complete_url($attrs['href']); + } + break; + case 'img': + if (isset($attrs['src'])) + { + $rebuild = true; + $attrs['src'] = complete_url($attrs['src']); + } + if (isset($attrs['longdesc'])) + { + $rebuild = true; + $attrs['longdesc'] = complete_url($attrs['longdesc']); + } + break; + case 'form': + if (isset($attrs['action'])) + { + $rebuild = true; + + if (trim($attrs['action']) === '') + { + $attrs['action'] = $_url_parts['path']; + } + if (!isset($attrs['method']) || strtolower(trim($attrs['method'])) === 'get') + { + $extra_html = ''; + $attrs['action'] = ''; + break; + } + + $attrs['action'] = complete_url($attrs['action']); + } + break; + case 'base': + if (isset($attrs['href'])) + { + $rebuild = true; + url_parse($attrs['href'], $_base); + $attrs['href'] = complete_url($attrs['href']); + } + break; + case 'meta': + if ($_flags['strip_meta'] && isset($attrs['name'])) + { + $_response_body = str_replace($matches[0][$i], '', $_response_body); + } + if (isset($attrs['http-equiv'], $attrs['content']) && preg_match('#\s*refresh\s*#i', $attrs['http-equiv'])) + { + if (preg_match('#^(\s*[0-9]*\s*;\s*url=)(.*)#i', $attrs['content'], $content)) + { + $rebuild = true; + $attrs['content'] = $content[1] . complete_url(trim($content[2], '"\'')); + } + } + break; + case 'head': + if (isset($attrs['profile'])) + { + $rebuild = true; + $attrs['profile'] = implode(' ', array_map('complete_url', explode(' ', $attrs['profile']))); + } + break; + case 'applet': + if (isset($attrs['codebase'])) + { + $rebuild = true; + $temp = $_base; + url_parse(complete_url(rtrim($attrs['codebase'], '/') . '/', false), $_base); + unset($attrs['codebase']); + } + if (isset($attrs['code']) && strpos($attrs['code'], '/') !== false) + { + $rebuild = true; + $attrs['code'] = complete_url($attrs['code']); + } + if (isset($attrs['object'])) + { + $rebuild = true; + $attrs['object'] = complete_url($attrs['object']); + } + if (isset($attrs['archive'])) + { + $rebuild = true; + $attrs['archive'] = implode(',', array_map('complete_url', preg_split('#\s*,\s*#', $attrs['archive']))); + } + if (!empty($temp)) + { + $_base = $temp; + } + break; + case 'object': + if (isset($attrs['usemap'])) + { + $rebuild = true; + $attrs['usemap'] = complete_url($attrs['usemap']); + } + if (isset($attrs['codebase'])) + { + $rebuild = true; + $temp = $_base; + url_parse(complete_url(rtrim($attrs['codebase'], '/') . '/', false), $_base); + unset($attrs['codebase']); + } + if (isset($attrs['data'])) + { + $rebuild = true; + $attrs['data'] = complete_url($attrs['data']); + } + if (isset($attrs['classid']) && !preg_match('#^clsid:#i', $attrs['classid'])) + { + $rebuild = true; + $attrs['classid'] = complete_url($attrs['classid']); + } + if (isset($attrs['archive'])) + { + $rebuild = true; + $attrs['archive'] = implode(' ', array_map('complete_url', explode(' ', $attrs['archive']))); + } + if (!empty($temp)) + { + $_base = $temp; + } + break; + case 'param': + if (isset($attrs['valuetype'], $attrs['value']) && strtolower($attrs['valuetype']) == 'ref' && preg_match('#^[\w.+-]+://#', $attrs['value'])) + { + $rebuild = true; + $attrs['value'] = complete_url($attrs['value']); + } + break; + case 'frame': + case 'iframe': + if (isset($attrs['src'])) + { + $rebuild = true; + $attrs['src'] = complete_url($attrs['src']) . '&nf=1'; + } + if (isset($attrs['longdesc'])) + { + $rebuild = true; + $attrs['longdesc'] = complete_url($attrs['longdesc']); + } + break; + default: + foreach ($tags[$tag] as $attr) + { + if (isset($attrs[$attr])) + { + $rebuild = true; + $attrs[$attr] = complete_url($attrs[$attr]); + } + } + break; + } + } + + if ($rebuild) + { + $new_tag = "<$tag"; + foreach ($attrs as $name => $value) + { + $delim = strpos($value, '"') && !strpos($value, "'") ? "'" : '"'; + $new_tag .= ' ' . $name . ($value !== false ? '=' . $delim . $value . $delim : ''); + } + + $_response_body = str_replace($matches[0][$i], $new_tag . '>' . $extra_html, $_response_body); + } + } + + if ($_flags['include_form'] && !isset($_GET['nf'])) + { + $_url_form = '
' + . '
' + . ' ' + . ' ' + . ' [go: up one dir, main page]' + . '
'; + + foreach ($_flags as $flag_name => $flag_value) + { + if (!$_frozen_flags[$flag_name]) + { + $_url_form .= ' '; + } + } + + $_url_form .= '
'; + $_response_body = preg_replace('#\<\s*body(.*?)\>#si', "$0\n$_url_form" , $_response_body, 1); + } +} + +$_response_keys['content-disposition'] = 'Content-Disposition'; +$_response_headers['content-disposition'][0] = empty($_content_disp) ? ($_content_type == 'application/octet_stream' ? 'attachment' : 'inline') . '; filename="' . $_url_parts['file'] . '"' : $_content_disp; +$_response_keys['content-length'] = 'Content-Length'; +$_response_headers['content-length'][0] = strlen($_response_body); +$_response_headers = array_filter($_response_headers); +$_response_keys = array_filter($_response_keys); + +header(array_shift($_response_keys)); +array_shift($_response_headers); + +foreach ($_response_headers as $name => $array) +{ + foreach ($array as $value) + { + header($_response_keys[$name] . ': ' . $value, false); + } +} + +echo $_response_body; +?> diff --git a/pox/style.css b/pox/style.css new file mode 100644 index 0000000..f3adc29 --- /dev/null +++ b/pox/style.css @@ -0,0 +1,144 @@ +body, input +{ + font-family: "Bitstream Vera Sans", Arial, Helvetica, sans-serif; + color: #44352C; +} + +a +{ + color: #9B9C83; + text-decoration:none; + border-bottom: 1px orange dashed; +} + +a:hover +{ + color: #0080FF; +} + +#container +{ + border: 1px #9B9C83 solid; + -moz-border-radius: 8px; + margin: auto; + padding: 5px; + width: 700px; +} + +#title +{ + color: #CC6633; + margin: 0; +} + +ul#navigation, ul#form +{ + list-style-type: none; + padding: 0; + margin: 0; +} + +ul#navigation +{ + float: right; +} + +ul#form +{ + clear: both; +} + +ul#navigation li +{ + float: left; + margin: 0; + padding: 5px 0; + border-top: 2px #BFAA9B solid; +} + +ul#navigation li a +{ + font-weight: bold; + color: #ffffff; + background-color: #AA8E79; + padding: 5px 15px; + margin-left: 1px; + text-decoration: none; + border-bottom: 0 #ffffff solid; +} + +ul#navigation li a:hover +{ + color: #44352C; +} + +ul#form li +{ + width: 700px; +} + +#footer +{ + color: #9B9C83; + font-size: small; + text-align: right; +} + +#address_bar +{ + border-top: 2px #BFAA9B solid; + border-bottom: 3px #44352C solid; + background-color: #AA8E79; + text-align: center; + padding: 5px 0; + color: #ffffff; +} + +#go +{ + background-color: #ffffff; + font-weight: bold; + color: #AA8E79; + border: 0 #ffffff solid; + padding: 2px 5px; +} + +#address_box +{ + width: 500px; +} + +.option +{ + padding: 2px 0; + background-color: #EEEBEA; +} + +.option label +{ + border-bottom: 2px #ffffff solid; +} + +form +{ + margin: 0; +} + +#error, #auth +{ + background-color: #BF6464; + border-top: 1px solid #44352C; + border-bottom: 1px solid #44352C; + width: 700px; + clear: both; +} + +#auth +{ + background-color: #94C261; +} + +#error p, #auth p, #auth form +{ + margin: 5px; +} \ No newline at end of file