From 67b954924bc9cdd30741542f7867c80aa2b48b1e Mon Sep 17 00:00:00 2001
From: Savetheinternet
Date: Mon, 3 Oct 2011 18:38:19 +1100
Subject: [PATCH] Referer checking; more descriptive error message

---
 inc/config.php | 3 ++-
 inc/functions.php | 18 ++++++++----------
 post.php | 5 ++---
 3 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/inc/config.php b/inc/config.php
index 4c2d5812..9a5891ff 100644
--- a/inc/config.php
+++ b/inc/config.php
@@ -132,10 +132,11 @@
 // For development purposes. Turns 'display_errors' on. Not recommended for production.
 $config['verbose_errors'] = true;
-
+
 // Error messages
 $config['error']['lurk'] = 'Lurk some more before posting.';
 $config['error']['bot'] = 'You look like a bot.';
+ $config['error']['referer'] = 'Your browser sent an invalid or no HTTP referer.';
 $config['error']['toolong'] = 'The %s field was too long.';
 $config['error']['toolong_body'] = 'The body was too long.';
 $config['error']['tooshort_body'] = 'The body was too short or empty.';
diff --git a/inc/functions.php b/inc/functions.php
index 8f28d7c0..647aee1a 100644
--- a/inc/functions.php
+++ b/inc/functions.php
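Review bot: The new message `'Your browser sent an invalid or no HTTP referer.'` on the added config line reads awkwardly ("an invalid or no"); `'Your browser sent an invalid HTTP referer, or none at all.'` says the same thing more clearly. Because the Referer header is client-controlled and is stripped by some privacy settings and proxies, the people who actually see this message are mostly legitimate users rather than bots, so it is worth telling them what to change, e.g. appending `Enable the referer header for this site and try again.` — exact wording to be confirmed by the project.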
@@ -31,23 +31,21 @@
 if(!isset($config['post_url']))
 $config['post_url'] = $config['root'] . $config['file_post'];
- if(!isset($config['url_match']))
- $config['url_match'] = '/^' .
+ if(!isset($config['referer_match']))
+ $config['referer_match'] = '/^' .
 (preg_match($config['url_regex'], $config['root']) ? '' :
 (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] && $_SERVER['HTTPS'] != 'off' ? 'https' : 'http') .
 ':\/\/'.$_SERVER['HTTP_HOST']) .
 preg_quote($config['root'], '/') .
 '(' .
- str_replace('%s', '\w{1,8}', preg_quote($config['board_path'], '/')) .
+ str_replace('%s', '\w+', preg_quote($config['board_path'], '/')) .
+ '(' . preg_quote($config['file_index'], '/') . ')?' .
 '|' .
- str_replace('%s', '\w{1,8}', preg_quote($config['board_path'], '/')) .
- preg_quote($config['file_index'], '/') .
- '|' .
- str_replace('%s', '\w{1,8}', preg_quote($config['board_path'], '/')) .
+ str_replace('%s', '\w+', preg_quote($config['board_path'], '/')) .
+ preg_quote($config['dir']['res'], '/') .
 str_replace('%d', '\d+', preg_quote($config['file_page'], '/')) .
 '|' .
- preg_quote($config['file_mod'], '/') .
- '\?\/.+' .
+ preg_quote($config['file_mod'], '/') . '\?\/.+' .
 ')$/i';
 if(!isset($config['cookies']['path']))
@@ -240,7 +238,7 @@ function purge($uri) {
 global $config, $debug;
- if(preg_match($config['url_match'], $config['root'])) {
+ if(preg_match($config['referer_match'], $config['root'])) {
 $uri = (str_replace('\\', '/', dirname($_SERVER['REQUEST_URI'])) == '/' ? '/' : str_replace('\\', '/', dirname($_SERVER['REQUEST_URI'])) . '/') . $uri;
 } else {
 $uri = $config['root'] . $uri;
diff --git a/post.php b/post.php
index 57d11a0e..1b39cb3e 100644
--- a/post.php
+++ b/post.php
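Review bot: `$_SERVER['HTTP_HOST']` is spliced into the `referer_match` pattern without `preg_quote()`, on the context line `':\/\/'.$_SERVER['HTTP_HOST']) .` that the rename keeps; the Host header is client-supplied, so a value containing regex metacharacters widens what the pattern accepts, and a `/` in it collides with the pattern delimiter and makes `preg_match()` return false. Since this commit applies the pattern to every post's referer, the prefix should be kept literal: `':\/\/' . preg_quote($_SERVER['HTTP_HOST'], '/')) .`. A smaller point is that `$` under `/i` alone still matches before a trailing newline in the referer; adding the `D` modifier (`')$/iD'`) makes the end anchor strict.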
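Review bot: In `purge()` the renamed test `preg_match($config['referer_match'], $config['root'])` reads as "is root an absolute URL", but as built in the earlier hunk the pattern requires a board path, a `res` page or a `file_mod` query after the root, so it cannot match `$config['root']` on its own (unless `board_path` can match the empty string) and the first branch looks unreachable. The pattern builder itself asks that question with `preg_match($config['url_regex'], $config['root'])`; using the same expression here states the intent and no longer depends on the shape of the referer pattern. `purge()` continues outside the hunk.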
@@ -151,9 +151,8 @@
 error($config['error']['bot']);
 // Check the referrer
- if($OP) {
- if(!isset($_SERVER['HTTP_REFERER']) || !preg_match($config['url_match'], $_SERVER['HTTP_REFERER'])) error($config['error']['bot']);
- }
+ if(!isset($_SERVER['HTTP_REFERER']) || !preg_match($config['referer_match'], $_SERVER['HTTP_REFERER']))
+ error($config['error']['referer']);
 // TODO: Since we're now using static HTML files, we can't give them cookies on their first page view
 // Find another anti-spam method.
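Review bot: The check now rejects every post whose `HTTP_REFERER` is absent or does not match, not only OPs, yet the header is set by the client: it filters only naive bots, while real users behind privacy extensions, proxies or an HTTPS-to-HTTP transition send no referer and now get `$config['error']['referer']` on replies too. The `if` would be easier to operate behind a boolean config switch (name to be chosen) so an admin can disable it, and it deserves a comment stating its real role, e.g. `// Referer check: deters naive bots only; the header is client-controlled and absent for some legitimate clients`. Note that `preg_match()` returns false on a pattern error, which the `!` turns into a rejection, so a malformed `referer_match` fails closed here rather than open.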