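<%
'=======================================================================================================================
' Controller Registry
' Provides a whitelist of valid controllers to prevent code injection attacks.
'
' Two independent checks are exposed; anything taken from the request should pass BOTH before it is used to pick code:
'   1. IsValidControllerFormat / IsValidActionFormat  - cheap syntactic gate: ASCII letters, digits and "_" only.
'   2. IsValidController                              - the actual authorisation decision: the name must have been
'                                                      registered explicitly. Passing the format check alone never
'                                                      grants access; an unregistered but well-formed name is rejected.
' Names are trimmed and lower-cased before lookup, and the dictionary itself is case-insensitive (CompareMode = 1).
' Null, Empty and array inputs are treated as "not valid" instead of raising a runtime error into the page.
'=======================================================================================================================
Class ControllerRegistry_Class
    Private m_controllers

    Private Sub Class_Initialize()
        Set m_controllers = Server.CreateObject("Scripting.Dictionary")
        m_controllers.CompareMode = 1 ' vbTextCompare: case-insensitive keys

        ' Register all valid controllers here.
        ' Format: RegisterController "controllername"
        RegisterController "homecontroller"
        RegisterController "errorcontroller"
    End Sub

    Private Sub Class_Terminate()
        Set m_controllers = Nothing
    End Sub

    '---------------------------------------------------------------------------------------------------------------------
    ' Coerce an arbitrary Variant (string, Empty, Null, array, or an object with a default property such as a Request
    ' item) to the trimmed, lower-cased key used for registry lookups. Null, Empty and arrays become "" so that every
    ' public entry point degrades to "not registered" on junk input rather than propagating Null or throwing.
    '---------------------------------------------------------------------------------------------------------------------
    Private Function NormalizeKey(value)
        Dim text
        If IsNull(value) Or IsEmpty(value) Or IsArray(value) Then
            text = ""
        Else
            text = CStr(value)
        End If
        NormalizeKey = LCase(Trim(text))
    End Function

    '---------------------------------------------------------------------------------------------------------------------
    ' Shared implementation of the format checks: True only when value is a non-empty string made solely of
    ' a-z, A-Z, 0-9 and "_". Every other character (whitespace, path separators, dots, non-ASCII letters, ...) fails.
    ' The test is done on UTF-16 code points rather than by string comparison so the accepted alphabet is explicit;
    ' AscW returns negative values for code units above &H7FFF, which are correctly rejected as well.
    ' Deliberately kept as an explicit loop instead of a RegExp so the allow-list is visible and engine-independent.
    '---------------------------------------------------------------------------------------------------------------------
    Private Function IsSafeIdentifier(value)
        Dim text, i, code
        IsSafeIdentifier = False
        If IsNull(value) Or IsEmpty(value) Or IsArray(value) Then Exit Function
        text = CStr(value)
        If Len(text) = 0 Then Exit Function
        For i = 1 To Len(text)
            code = AscW(Mid(text, i, 1))
            If Not ((code >= 97 And code <= 122) Or _
                    (code >= 65 And code <= 90) Or _
                    (code >= 48 And code <= 57) Or _
                    code = 95) Then
                Exit Function
            End If
        Next
        IsSafeIdentifier = True
    End Function

    '---------------------------------------------------------------------------------------------------------------------
    ' Register a controller as valid. Registration is idempotent and case-insensitive.
    ' An empty name (after trimming) is ignored: registering "" would otherwise make IsValidController("") succeed.
    ' Note that no format check is applied here; the registry trusts the developer-supplied list, so keep the
    ' entries in Class_Initialize to plain identifiers.
    '---------------------------------------------------------------------------------------------------------------------
    Public Sub RegisterController(controllerName)
        Dim key : key = NormalizeKey(controllerName)
        If Len(key) = 0 Then Exit Sub
        If Not m_controllers.Exists(key) Then
            m_controllers.Add key, True
        End If
    End Sub

    '---------------------------------------------------------------------------------------------------------------------
    ' Check if a controller is registered (valid). Returns False for Null/Empty/blank input.
    '---------------------------------------------------------------------------------------------------------------------
    Public Function IsValidController(controllerName)
        Dim key : key = NormalizeKey(controllerName)
        If Len(key) = 0 Then
            IsValidController = False
        Else
            IsValidController = m_controllers.Exists(key)
        End If
    End Function

    '---------------------------------------------------------------------------------------------------------------------
    ' Get list of all registered controllers (a Variant array of lower-cased keys; empty array if none).
    '---------------------------------------------------------------------------------------------------------------------
    Public Function GetRegisteredControllers()
        GetRegisteredControllers = m_controllers.Keys()
    End Function

    '---------------------------------------------------------------------------------------------------------------------
    ' Validate controller name format (alphanumeric and underscore only). Format only - does NOT imply registration.
    '---------------------------------------------------------------------------------------------------------------------
    Public Function IsValidControllerFormat(controllerName)
        IsValidControllerFormat = IsSafeIdentifier(controllerName)
    End Function

    '---------------------------------------------------------------------------------------------------------------------
    ' Validate action name format (alphanumeric and underscore only). Same alphabet as controller names.
    '---------------------------------------------------------------------------------------------------------------------
    Public Function IsValidActionFormat(actionName)
        IsValidActionFormat = IsSafeIdentifier(actionName)
    End Function
End Class

'-------------------------------------------------------------------------------------------------------------------------
' Singleton accessor. The instance is held in a page-scope variable; in classic ASP such variables live for a single
' request, so this is a per-request singleton rather than an application-wide cache, and the registry is rebuilt from
' Class_Initialize on every request.
'-------------------------------------------------------------------------------------------------------------------------
Dim ControllerRegistry_Class__Singleton
Function ControllerRegistry()
    If IsEmpty(ControllerRegistry_Class__Singleton) Then
        Set ControllerRegistry_Class__Singleton = New ControllerRegistry_Class
    End If
    Set ControllerRegistry = ControllerRegistry_Class__Singleton
End Function
%>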