From 8ef28ea951c3005ecf6545f527920830dd99fc3d Mon Sep 17 00:00:00 2001 From: oes Date: Sat, 15 Mar 2003 14:06:58 +0000 Subject: [PATCH] - Assorted refinements, optimizations and fixes in the js-annoyances, img-reorder, banners-by-size, banners-by-link, webbugs, refresh-tags, html-annoyances, content-cookies and fun filters - Replaced filter "popups" by choice between two modes: - "unsolicited-popups" tries to catch only the unsolicited ones - "all-popups" tries to kill them all (as before) - New filter "tiny-textforms" Help those tiny or hard-wrap textareas. - New filter "jumping-windows" that prevents windows from resizing and moving themselves - Replaced "nimda" with more general "ie-exploits" filter in which all filters for exploits shall be collected --- default.filter | 265 +++++++++++++++++++++++++++++-------------------- 1 file changed, 156 insertions(+), 109 deletions(-) diff --git a/default.filter b/default.filter index 619a7273..5780c972 100644 --- a/default.filter +++ b/default.filter @@ -2,7 +2,7 @@ # # File : $Source: /cvsroot/ijbswa/current/default.filter,v $ # -# $Id: default.filter,v 1.11.2.10 2002/11/11 13:39:47 oes Exp $ +# $Id: default.filter,v 1.11.2.11 2002/11/12 16:14:43 oes Exp $ # # Purpose : Rules to process the content of web pages # @@ -78,17 +78,16 @@ FILTER: js-annoyances Get rid of particularly annoying JavaScript abuse # Get rid of Javascript referrer tracking. # Test page: http://www.javascript-page.com/referrer.html # -s|document\.referrer|"Not Your Business!"|gisU +s|(?:\w+\.)+referrer|"Not Your Business!"|gisU # The status bar is for displaying link targets, not pointless blahblah -# -#s/([\n =;{}]|window\.)(default)?status\s*=/$1dUmMy=/ig -s/(([\n =;{}]|window\.)(default)?status)\s*=\s*((['"]).*?\5)/if(typeof(this.href) != 'undefined') $1 = $4 + ' URL: ' + this.href;else return false/ig +# +s/(\W\s*)((this|window)\.(default)?status)\s*=\s*((['"]).*?\6)/$1if(typeof(this.href) != 'undefined') $2 = $5 + ' URL: ' + this.href;else return false/ig # Kill OnUnload popups. Yummy. # Test: http://www.zdnet.com/zdsubs/yahoo/tree/yfs.html # -s/(]*)onunload(.*>)/$1never$2/siU +s/(]*)onunload/$1never/siU s|()|$1never|sigU # If we allow window.open, we want normal window features: @@ -103,9 +102,22 @@ s/(open\s*\([^\)]+toolbar=)(["']?)(?:no|0)\2/$1$2yes$2/sigU s/(open\s*\([^\)]+directories=)(["']?)(?:no|0)\2/$1$2yes$2/sigU s/(open\s*\([^\)]+fullscreen=)(["']?)(?:yes|1)\2/$1$2no$2/sigU s/(open\s*\([^\)]+always(?:raised|lowered)=)(["']?)(?:yes|1)\2/$1$2no$2/sigU -s/(open\s*\([^\)]+zlock=)(["']?)(?:yes|1)\2/$1$2no$2/sigU +s/(open\s*\([^\)]+z-?lock=)(["']?)(?:yes|1)\2/$1$2no$2/sigU s/(open\s*\([^\)]+hotkeys=)(["']?)(?:yes|1)\2/$1$2no$2/sigU -s/(open\s*\([^\)]+titlebar=)(["']?)(?:yes|1)\2/$1$2yes$2/sigU +s/(open\s*\([^\)]+titlebar=)(["']?)(?:no|0)\2/$1$2yes$2/sigU +s/(open\s*\([^\)]+always(?:raised|lowered)=)(["']?)(?:yes|1)\2/$1$2no$2/sigU + + +################################################################################# +# +# js-events: Kill all JS event bindings (Radically destructive! Only for extra nasty sites) +# +################################################################################# +FILTER: js-events Kill all JS event bindings (Radically destructive! Only for extra nasty sites) + +s/(on|event\.)((mouse(over|out|down|up|move))|(un)?load|contextmenu|selectstart)/never/ig +# Not events, but abused on the same type of sites: +s/(alert|confirm)\s*\(/concat(/ig ################################################################################# @@ -124,9 +136,9 @@ s/(]+status=)(['"]?)(?:no|0)\2/$1$2yes1$2/igU s/(]+scrolling=)(['"]?)(?:no|0)\2/$1$2auto$2/igU s/(]+menubar=)(['"]?)(?:no|0)\2/$1$2yes$2/igU -# The tag was a crime! +# The and tags were crimes! # -s*|**ig +s***ig ################################################################################# @@ -136,9 +148,9 @@ s*|**ig ################################################################################# FILTER: content-cookies Kill cookies that come in the HTML or JS content -# JS cookies, like found on privacy.net: +# JS cookies, except those used by antiadbuster.com to detect us: # -s|document\.cookie(?=[ \t\r\n]*=)|ZappedCookie|ig +s|(\w+\.)+cookie(?=[ \t\r\n]*=)(?!='aab)|ZappedCookie|ig # HTML cookies: # @@ -147,54 +159,41 @@ s|||igU ################################################################################# # -# webbugs: Squish WebBugs (1x1 invisible GIFs used for user tracking) +# refresh-tags: Kill automatic refresh tags (for dial-on-demand setups) # ################################################################################# -FILTER: webbugs Squish WebBugs (1x1 invisible GIFs used for user tracking) - -s/]*(?:width|height)\s*=\s*['"]?1(?=\D)[^>]*(?:width|height)\s*=\s*['"]?1(?=\D)[^>]*?>//siUg - +FILTER: refresh-tags Kill automatic refresh tags (for dial-on-demand setups) -################################################################################## -# -# popups: Kill all popups in JS and HTML +# Note: Only deactivates refreshes with more than 9 seconds delay to +# preserve monster-stupid but common redirections via meta tags. # -################################################################################# -FILTER: popups Kill all popups in JS and HTML - -s/([\n =;{}]|window\.)open\s*\\?\(/$1concat(/ig # JavaScript -s/ target\s*=\s*(['"]?)(_blank|_new)\1?/ notarget/ig # HTML +s/\2]*))?\2/]*)framespacing=(['"]?)(no|0)\2/$1/igU -s/(]*)frameborder=(['"]?)(no|0)\2/$1/igU -s/(]*)border=(['"]?)(no|0)\2/$1/igU -s/(]*)noresize/$1/igU -s/(]*)frameborder=(['"]?)(no|0)\2/$1/igU -s/(]*)scrolling=(['"]?)(no|0)\2/$1/igU +s++$0+isU +s+([^\w\s.]\s*)((window|this|parent)\.)?open\s*\(+$1PrivoxyWindowOpen(+ig +s++$0+iU -################################################################################# +################################################################################## # -# refresh-tags: Kill automatic refresh tags (for dial-on-demand setups) +# all-popups: Kill all popups in JavaScript and HTML # ################################################################################# -FILTER: refresh-tags Kill automatic refresh tags (for dial-on-demand setups) +FILTER: all-popups Kill all popups in JavaScript and HTML -# Note: Only deactivates refreshes with more than 9 seconds delay to -# preserve monster-stupid but common redirections via meta tags. -# -s/\2]*))?\2/ tags to make the banners-by-* filters more effective # @@ -204,7 +203,7 @@ FILTER: img-reorder Reorder attributes in tags to make the banners-by-* fi # In the first step src is moved to the start, then width is moved to the second # place to guarantee an order of src, width, height. # This makes banners-by-size more effective and allows both banners-by-size -# and banners-by-link to preserve the original image URL in the alt attribute. +# and banners-by-link to preserve the original image URL in the title attribute. s|]*) src\s*=\s*(['"])([^>\\\2]+)\2|]*) src\s*=\s*([^'">\\\s]+)|\\\\2]+\2\|[^'">\\\s]+?))([^>]*)width\s*=\s*(["']?)(\d+? FILTER: banners-by-size Kill banners by size # 88*31 -s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)88\4)[^>]*?(height=(['"]?)31\6)[^>]*>@$1Killed-$2-by-size$1@sig +s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)88\4)[^>]*?(height=(['"]?)31\6)[^>]*>@@sig # 120*60, 120*90, 120*240, 120*600 -s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)120\4)[^>]*?(height=(['"]?)(?:600?|90|240)\6)[^>]*>@$1Killed-$2-by-size$1@sig +s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)120\4)[^>]*?(height=(['"]?)(?:600?|90|240)\6)[^>]*>@@sig # 125*125 -s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)125\4)[^>]*?(height=(['"]?)125\6)[^>]*>@$1Killed-$2-by-size$1@sig +s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)125\4)[^>]*?(height=(['"]?)125\6)[^>]*>@@sig # 160*600 -s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)160\4)[^>]*?(height=(['"]?)600\6)[^>]*>@$1Killed-$2-by-size$1@sig +s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)160\4)[^>]*?(height=(['"]?)600\6)[^>]*>@@sig # 180*150 -s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)180\4)[^>]*?(height=(['"]?)150\6)[^>]*>@$1Killed-$2-by-size$1@sig +s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)180\4)[^>]*?(height=(['"]?)150\6)[^>]*>@@sig # 234*60, 468*60 (Most Banners!) -s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)(?:234|468)\4)[^>]*?(height=(['"]?)60\6)[^>]*>@$1Killed-$2-by-size$1@sig +s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)(?:234|468)\4)[^>]*?(height=(['"]?)60\6)[^>]*>@@sig # 240*400 -s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)240\4)[^>]*?(height=(['"]?)400\6)[^>]*>@$1Killed-$2-by-size$1@sig +s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)240\4)[^>]*?(height=(['"]?)400\6)[^>]*>@@sig # 250*250, 300*250 -s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)(?:250|300)\4)[^>]*?(height=(['"]?)250\6)[^>]*>@$1Killed-$2-by-size$1@sig +s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)(?:250|300)\4)[^>]*?(height=(['"]?)250\6)[^>]*>@@sig # 336*280 -s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)336\4)[^>]*?(height=(['"]?)280\6)[^>]*>@$1Killed-$2-by-size$1@sig +s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)336\4)[^>]*?(height=(['"]?)280\6)[^>]*>@@sig # Note: 200*50 was also proposed, but it probably causes too much collateral damage: # -#s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)200\4)[^>]*?(height=(['"]?)50\6)[^>]*>@$1Killed-$2-by-size$1@sig +#s@\\\1\s]+)\1)?[^>]*?(width=(['"]?)200\4)[^>]*?(height=(['"]?)50\6)[^>]*>@@sig ################################################################################# # -# banners-by-link: Kill banners by their links to known clicktrackers +# banners-by-link: Kill banners by their links to known clicktrackers (Experimental) # ################################################################################# FILTER: banners-by-link Kill banners by their links to known clicktrackers @@ -269,92 +268,58 @@ s@\1\s]*?(?:\ | tracker | counter # common \ | adlog\.pl # see sf.net \ )[^>\1\s]*)\1[^>]*>\s*\\\3\s]+)\3)?[^>]*((?:width|height)\s*=\s*(['"]?)\d+?\6)[^>]*((?:width|height)\s*=\s*(['"]?)\d+?\8)[^>]*>\ -@$1Killed@sigx +@@sigx # Rare case w/o explicit dimensions: # -s@\1\s]*?(?:adclick|atwola\.com/(?:link|redir)|doubleclick\.net/jump/|tracker|counter|adlog\.pl)[^>\1\s]*)\1[^>]*>\s*\\\3\s]+)\3)?[^>]*>@$1Killed@sig - -################################################################################# -# -# fun: Text replacements for subversive browsing fun! -# -################################################################################# -FILTER: fun Text replacements for subversive browsing fun! - -s/microsoft(?!.com)/MicroSuck/ig - -# Buzzword Bingo (example for extended regex syntax) -# -s* industry[ -]leading \ -| cutting[ -]edge \ -| customer[ -]focused \ -| market[ -]driven \ -| award[ -]winning # Comments are OK, too! \ -| high[ -]performance \ -| solutions[ -]based \ -| unmatched \ -| unparalleled \ -| unrivalled \ -*BINGO! \ -*igx - - -################################################################################# -# -# nimda: Remove Nimda (virus) code -# -################################################################################# -FILTER: nimda Remove Nimda (virus) code +s@\1\s]*?(?:adclick|atwola\.com/(?:link|redir)|doubleclick\.net/jump/|tracker|counter|adlog\.pl)[^>\1\s]*)\1[^>]*>\s*\\\3\s]+)\3)?[^>]*>@@sig -s%%
WARNING: This Server is infected with Nimda!%g - -################################################################################# +################################################################################ # -# shockwave-flash: Kill embedded Shockwave Flash objects +# webbugs: Squish WebBugs (1x1 invisible GIFs used for user tracking) # ################################################################################# -FILTER: shockwave-flash Kill embedded Shockwave Flash objects +FILTER: webbugs Squish WebBugs (1x1 invisible GIFs used for user tracking) -s|]*application/x-shockwave-flash.*||sigU +s/]*(?:width|height)\s*=\s*['"]?[01](?=\D)[^>]*(?:width|height)\s*=\s*['"]?[01](?=\D)[^>]*?>//siUg ################################################################################# # -# quicktime-kioskmode: Make Quicktime movies saveable +# tiny-textforms: Extend those tiny textareas up to 40x80 and kill the hard wrap # ################################################################################# -FILTER: quicktime-kioskmode Make Quicktime movies saveable +FILTER: tiny-textforms Extend those tiny textareas up to 40x80 and kill the hard wrap -s/(]*)kioskmode\s*=\s*(["']?)true\2/$1/ig +s/(]*?)(?:\s*(?:rows|cols)=(['"]?)\d+\2)+/$1 rows=$2\40$2 cols=$2\80$2/ig +s/(]*?)wrap=(['"]?)hard\2/$1/ig ################################################################################# # -# js-events: Kill all JS event bindings (Radically destructive! Only for extra nasty sites) +# jumping-windows: Prevent windows from resizing and moving themselves # ################################################################################# -FILTER: js-events Kill all JS event bindings (Radically destructive! Only for extra nasty sites) +FILTER: jumping-windows Prevent windows from resizing and moving themselves -s/(on|event\.)((mouse(over|out|down|up|move))|(un)?load|contextmenu|selectstart)/never/ig -# Not events, but abused on the same type of sites: -s/(alert|confirm)\s*\(/concat(/ig +s/(?:window|this|self)\.(?:move|resize)(?:to|by)\(/concat(/ig ################################################################################# # -# crude-parental: Crude parental filtering? (Use along with a suitable blocklist). -# Shows how to deny access to whole page based on a keyword. +# frameset-borders: Give frames a border, make them resizable and scrollable # ################################################################################# -FILTER: crude-parental Crude parental filtering (demo only) +FILTER: frameset-borders Give frames a border and make them resizable -# (Note: Middlesex, Sussex and Essex are counties in the UK, not rude words) -# (Note #2: Is 'sex' a rude word?!) +s/(]*)framespacing=(['"]?)(no|0)\2/$1/igU +s/(]*)frameborder=(['"]?)(no|0)\2/$1/igU +s/(]*)border=(['"]?)(no|0)\2/$1/igU +s/(]*)noresize/$1/igU +s/(]*)frameborder=(['"]?)(no|0)\2/$1/igU +s/(]*)scrolling=(['"]?)(no|0)\2/$1/igU -s%^.*(?Blocked

Blocked due to possible adult content. Please see this site.

%is -s+^.*warez.*$+No Warez

You're not searching for illegal stuff, are you?

+is ################################################################################# @@ -367,7 +332,7 @@ s+^.*warez.*$+No Warez

You're not sea # John Walker -- January 1998, http://www.fourmilab.ch/webtools/demoroniser # ################################################################################# -FILTER: demoronizer fixing MS's non-standard use of std charsets. +FILTER: demoronizer Fix MS's non-standard use of standard charsets s/(&\#[0-2]\d\d)\s/$1; /g # per Robert Lynch: http://slate.msn.com//?id=2067547, just a guess. @@ -394,10 +359,92 @@ s/\x97/--/g s/\x9B/>/g # 155 +################################################################################# +# +# shockwave-flash: Kill embedded Shockwave Flash objects +# +################################################################################# +FILTER: shockwave-flash Kill embedded Shockwave Flash objects + +s|]*application/x-shockwave-flash.*||sigU + + +################################################################################# +# +# quicktime-kioskmode: Make Quicktime movies saveable +# +################################################################################# +FILTER: quicktime-kioskmode Make Quicktime movies saveable + +s/(]*)kioskmode\s*=\s*(["']?)true\2/$1/ig + + +################################################################################# +# +# fun: Text replacements for subversive browsing fun! +# +################################################################################# +FILTER: fun Text replacements for subversive browsing fun! + +s/microsoft(?!.com)/MicroSuck/ig + +# Buzzword Bingo (example for extended regex syntax) +# +s* (?:industry|world)[ -]leading \ +| cutting[ -]edge \ +| customer[ -]focused \ +| market[ -]driven \ +| award[ -]winning # Comments are OK, too! \ +| high[ -]performance \ +| solutions[ -]based \ +| unmatched \ +| unparalleled \ +| unrivalled \ +*$0Bingo! \ +*igx + + +################################################################################# +# +# crude-parental: Crude parental filtering? (Use along with a suitable blocklist). +# Shows how to deny access to whole page based on a keyword. +# +################################################################################# +FILTER: crude-parental Crude parental filtering (demo only) + +# (Note: Middlesex, Sussex and Essex are counties in the UK, not rude words) +# (Note #2: Is 'sex' a rude word?!) + +s%^.*(?Blocked

Blocked due to possible adult content. Please see this site.

%is +s+^.*warez.*$+No Warez

You're not searching for illegal stuff, are you?

+is + + +################################################################################# +# +# IE-Exploits: Disable some known Internet Explorer bug exploits +# +################################################################################# +FILTER: ie-exploits Disable some known Internet Explorer bug exploits + +# Note: This is basically a demo and waits for someone more interested in IE +# security (sic!) to take over. + +# Cross-site-scripting: +# +s%f\("javascript:location.replace\('mk:@MSITStore:C:'\)"\);%alert\("This page looks like it tries to use a vulnerability described here:\n http://online.securityfocus.com/archive/1/298748/2002-11-02/2002-11-08/2"\);%siU + +# Nimda: +# +s%%
WARNING: This Server is infected with Nimda!%g + + ############################################################################## # # Revisions : # $Log: default.filter,v $ +# Revision 1.11.2.11 2002/11/12 16:14:43 oes +# Exchanged js-annoyance filter against status bar rewrites with improved version by Don Libes +# # Revision 1.11.2.10 2002/11/11 13:39:47 oes # Make refresh-tags filter work even on incorrect refresh tags like found on usatoday.com # -- 2.49.0