Browse Source

Merge branch 'master' of https://github.com/savetheinternet/Tinyboard into vichan-devel-4.5

Conflicts:
	inc/config.php
	inc/display.php
	inc/mod/pages.php
	install.php
	js/quick-reply.js
	post.php
	templates/index.html
pull/40/head
czaks 9 years ago
parent
commit
6cb7eb939e
  1. 2
      README.md
  2. 47
      inc/anti-bot.php
  3. 1
      inc/api.php
  4. 258
      inc/bans.php
  5. 7
      inc/cache.php
  6. 252
      inc/config.php
  7. 22
      inc/database.php
  8. 10
      inc/display.php
  9. 5
      inc/events.php
  10. 176
      inc/filters.php
  11. 181
      inc/functions.php
  12. 5
      inc/image.php
  13. 20
      inc/lib/IP/LICENSE
  14. 293
      inc/lib/IP/Lifo/IP/BC.php
  15. 706
      inc/lib/IP/Lifo/IP/CIDR.php
  16. 207
      inc/lib/IP/Lifo/IP/IP.php
  17. 15
      inc/mod.php
  18. 5
      inc/mod/auth.php
  19. 99
      inc/mod/ban.php
  20. 17
      inc/mod/config-editor.php
  21. 138
      inc/mod/pages.php
  22. 5
      inc/remote.php
  23. 5
      inc/template.php
  24. 89
      install.php
  25. 48
      install.sql
  26. 77
      js/ajax-post-controls.js
  27. 128
      js/ajax.js
  28. 6
      js/jquery-ui.custom.min.js
  29. 2
      js/quick-post-controls.js
  30. 46
      js/quick-reply-old.js
  31. 47
      js/quick-reply-vd-old.js
  32. 374
      js/quick-reply.js
  33. 57
      post.php
  34. 14
      stylesheets/style.css
  35. 2
      templates/banned.html
  36. 22
      templates/index.html
  37. 29
      templates/main.js
  38. 14
      templates/mod/ban_list.html
  39. 9
      templates/mod/config-editor.html
  40. 26
      templates/mod/debug/antispam.html
  41. 43
      templates/mod/debug/recent_posts.html
  42. 8
      templates/mod/debug/sql.html
  43. 14
      templates/mod/search_results.html
  44. 20
      templates/mod/user.html
  45. 13
      templates/mod/users.html
  46. 4
      templates/mod/view_ip.html

2
README.md

@ -30,7 +30,7 @@ it need one.
### Recommended
1. PHP >= 5.3
2. MySQL server >= 5.5.3
3. ImageMagick or command-line version (```convert``` and ```identify```)
3. ImageMagick (command-line ImageMagick or GraphicsMagick preferred).
4. [APC (Alternative PHP Cache)](http://php.net/manual/en/book.apc.php), [XCache](http://xcache.lighttpd.net/) or [Memcached](http://www.php.net/manual/en/intro.memcached.php)
Contributing

47
inc/anti-bot.php

@ -4,24 +4,26 @@
* Copyright (c) 2010-2013 Tinyboard Development Group
*/
if (realpath($_SERVER['SCRIPT_FILENAME']) == str_replace('\\', '/', __FILE__)) {
// You cannot request this file directly.
exit;
}
defined('TINYBOARD') or exit;
$hidden_inputs_twig = array();
class AntiBot {
public $salt, $inputs = array(), $index = 0;
public static function randomString($length, $uppercase = false, $special_chars = false) {
public static function randomString($length, $uppercase = false, $special_chars = false, $unicode_chars = false) {
$chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
if ($uppercase)
$chars .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
if ($special_chars)
$chars .= ' [email protected]#$%^&*()_+,./;\'[]\\{}|:<>?=-` ';
if ($unicode_chars) {
$len = strlen($chars) / 10;
for ($n = 0; $n < $len; $n++)
$chars .= mb_convert_encoding('&#' . mt_rand(0x2600, 0x26FF) . ';', 'UTF-8', 'HTML-ENTITIES');
}
$chars = str_split($chars);
$chars = preg_split('//u', $chars, -1, PREG_SPLIT_NO_EMPTY);
$ch = array();
@ -44,10 +46,10 @@ class AntiBot {
}
public static function make_confusing($string) {
$chars = str_split($string);
$chars = preg_split('//u', $string, -1, PREG_SPLIT_NO_EMPTY);
foreach ($chars as &$c) {
if (rand(0, 2) != 0)
if (mt_rand(0, 3) != 0)
$c = utf8tohtml($c);
else
$c = mb_encode_numericentity($c, array(0, 0xffff, 0, 0xffff), 'UTF-8');
@ -68,13 +70,13 @@ class AntiBot {
shuffle($config['spam']['hidden_input_names']);
$input_count = rand($config['spam']['hidden_inputs_min'], $config['spam']['hidden_inputs_max']);
$input_count = mt_rand($config['spam']['hidden_inputs_min'], $config['spam']['hidden_inputs_max']);
$hidden_input_names_x = 0;
for ($x = 0; $x < $input_count ; $x++) {
if ($hidden_input_names_x === false || rand(0, 2) == 0) {
if ($hidden_input_names_x === false || mt_rand(0, 2) == 0) {
// Use an obscure name
$name = $this->randomString(rand(10, 40));
$name = $this->randomString(mt_rand(10, 40), false, false, $config['spam']['unicode']);
} else {
// Use a pre-defined confusing name
$name = $config['spam']['hidden_input_names'][$hidden_input_names_x++];
@ -82,25 +84,33 @@ class AntiBot {
$hidden_input_names_x = false;
}
if (rand(0, 2) == 0) {
if (mt_rand(0, 2) == 0) {
// Value must be null
$this->inputs[$name] = '';
} elseif (rand(0, 4) == 0) {
} elseif (mt_rand(0, 4) == 0) {
// Numeric value
$this->inputs[$name] = (string)rand(0, 100);
$this->inputs[$name] = (string)mt_rand(0, 100000);
} else {
// Obscure value
$this->inputs[$name] = $this->randomString(rand(5, 100), true, true);
$this->inputs[$name] = $this->randomString(mt_rand(5, 100), true, true, $config['spam']['unicode']);
}
}
}
public static function space() {
if (mt_rand(0, 3) != 0)
return ' ';
return str_repeat(' ', mt_rand(1, 3));
}
public function html($count = false) {
global $config;
$elements = array(
'<input type="hidden" name="%name%" value="%value%">',
'<input type="hidden" value="%value%" name="%name%">',
'<input name="%name%" value="%value%" type="hidden">',
'<input value="%value%" name="%name%" type="hidden">',
'<input style="display:none" type="text" name="%name%" value="%value%">',
'<input style="display:none" type="text" value="%value%" name="%name%">',
'<span style="display:none"><input type="text" name="%name%" value="%value%"></span>',
@ -113,7 +123,7 @@ class AntiBot {
$html = '';
if ($count === false) {
$count = rand(1, count($this->inputs) / 15);
$count = mt_rand(1, abs(count($this->inputs) / 15) + 1);
}
if ($count === true) {
@ -128,6 +138,9 @@ class AntiBot {
$element = false;
while (!$element) {
$element = $elements[array_rand($elements)];
$element = str_replace(' ', self::space(), $element);
if (mt_rand(0, 5) == 0)
$element = str_replace('>', self::space() . '>', $element);
if (strpos($element, 'textarea') !== false && $value == '') {
// There have been some issues with mobile web browsers and empty <textarea>'s.
$element = false;
@ -136,7 +149,7 @@ class AntiBot {
$element = str_replace('%name%', utf8tohtml($name), $element);
if (rand(0, 2) == 0)
if (mt_rand(0, 2) == 0)
$value = $this->make_confusing($value);
else
$value = utf8tohtml($value);

1
inc/api.php

@ -3,6 +3,7 @@
* Copyright (c) 2010-2013 Tinyboard Development Group
*/
defined('TINYBOARD') or exit;
/**
* Class for generating json API compatible with 4chan API

258
inc/bans.php

@ -0,0 +1,258 @@
<?php
require 'inc/lib/IP/Lifo/IP/IP.php';
require 'inc/lib/IP/Lifo/IP/BC.php';
require 'inc/lib/IP/Lifo/IP/CIDR.php';
use Lifo\IP\CIDR;
class Bans {
static public function range_to_string($mask) {
list($ipstart, $ipend) = $mask;
if (!isset($ipend) || $ipend === false) {
// Not a range. Single IP address.
$ipstr = inet_ntop($ipstart);
return $ipstr;
}
if (strlen($ipstart) != strlen($ipend))
return '???'; // What the fuck are you doing, son?
$range = CIDR::range_to_cidr(inet_ntop($ipstart), inet_ntop($ipend));
if ($range !== false)
return $range;
return '???';
}
private static function calc_cidr($mask) {
$cidr = new CIDR($mask);
$range = $cidr->getRange();
return array(inet_pton($range[0]), inet_pton($range[1]));
}
private static function parse_time($str) {
if (empty($str))
return false;
if (($time = @strtotime($str)) !== false)
return $time;
if (!preg_match('/^((\d+)\s?ye?a?r?s?)?\s?+((\d+)\s?mon?t?h?s?)?\s?+((\d+)\s?we?e?k?s?)?\s?+((\d+)\s?da?y?s?)?((\d+)\s?ho?u?r?s?)?\s?+((\d+)\s?mi?n?u?t?e?s?)?\s?+((\d+)\s?se?c?o?n?d?s?)?$/', $str, $matches))
return false;
$expire = 0;
if (isset($matches[2])) {
// Years
$expire += $matches[2]*60*60*24*365;
}
if (isset($matches[4])) {
// Months
$expire += $matches[4]*60*60*24*30;
}
if (isset($matches[6])) {
// Weeks
$expire += $matches[6]*60*60*24*7;
}
if (isset($matches[8])) {
// Days
$expire += $matches[8]*60*60*24;
}
if (isset($matches[10])) {
// Hours
$expire += $matches[10]*60*60;
}
if (isset($matches[12])) {
// Minutes
$expire += $matches[12]*60;
}
if (isset($matches[14])) {
// Seconds
$expire += $matches[14];
}
return time() + $expire;
}
static public function parse_range($mask) {
$ipstart = false;
$ipend = false;
if (preg_match('@^(\d{1,3}\.){1,3}([\d*]{1,3})[email protected]', $mask) && substr_count($mask, '*') == 1) {
// IPv4 wildcard mask
$parts = explode('.', $mask);
$ipv4 = '';
foreach ($parts as $part) {
if ($part == '*') {
$ipstart = inet_pton($ipv4 . '0' . str_repeat('.0', 3 - substr_count($ipv4, '.')));
$ipend = inet_pton($ipv4 . '255' . str_repeat('.255', 3 - substr_count($ipv4, '.')));
break;
} elseif(($wc = strpos($part, '*')) !== false) {
$ipstart = inet_pton($ipv4 . substr($part, 0, $wc) . '0' . str_repeat('.0', 3 - substr_count($ipv4, '.')));
$ipend = inet_pton($ipv4 . substr($part, 0, $wc) . '9' . str_repeat('.255', 3 - substr_count($ipv4, '.')));
break;
}
$ipv4 .= "$part.";
}
} elseif (preg_match('@^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/\[email protected]', $mask)) {
list($ipv4, $bits) = explode('/', $mask);
if ($bits > 32)
return false;
list($ipstart, $ipend) = self::calc_cidr($mask);
} elseif (preg_match('@^[:a-z\d]+/\[email protected]', $mask)) {
list($ipv6, $bits) = explode('/', $mask);
if ($bits > 128)
return false;
list($ipstart, $ipend) = self::calc_cidr($mask);
} else {
if (($ipstart = @inet_pton($mask)) === false)
return false;
}
return array($ipstart, $ipend);
}
static public function find($ip, $board = false, $get_mod_info = false) {
global $config;
$query = prepare('SELECT ``bans``.*' . ($get_mod_info ? ', `username`' : '') . ' FROM ``bans``
' . ($get_mod_info ? 'LEFT JOIN ``mods`` ON ``mods``.`id` = `creator`' : '') . '
WHERE
(' . ($board ? '(`board` IS NULL OR `board` = :board) AND' : '') . '
(`ipstart` = :ip OR (:ip >= `ipstart` AND :ip <= `ipend`)))
ORDER BY `expires` IS NULL, `expires` DESC');
if ($board)
$query->bindValue(':board', $board);
$query->bindValue(':ip', inet_pton($ip));
$query->execute() or error(db_error($query));
$ban_list = array();
while ($ban = $query->fetch(PDO::FETCH_ASSOC)) {
if ($ban['expires'] && ($ban['seen'] || !$config['require_ban_view']) && $ban['expires'] < time()) {
$query = prepare("DELETE FROM ``bans`` WHERE `id` = :id");
$query->bindValue(':id', $ban['id'], PDO::PARAM_INT);
$query->execute() or error(db_error($query));
} else {
$ban['mask'] = self::range_to_string(array($ban['ipstart'], $ban['ipend']));
$ban_list[] = $ban;
}
}
return $ban_list;
}
static public function list_all($offset = 0, $limit = 9001) {
$offset = (int)$offset;
$limit = (int)$limit;
$query = query("SELECT ``bans``.*, `username` FROM ``bans``
LEFT JOIN ``mods`` ON ``mods``.`id` = `creator`
ORDER BY `created` DESC LIMIT $offset, $limit") or error(db_error());
$bans = $query->fetchAll(PDO::FETCH_ASSOC);
foreach ($bans as &$ban) {
$ban['mask'] = self::range_to_string(array($ban['ipstart'], $ban['ipend']));
}
return $bans;
}
static public function count() {
$query = query("SELECT COUNT(*) FROM ``bans``") or error(db_error());
return (int)$query->fetchColumn();
}
static public function seen($ban_id) {
$query = query("UPDATE ``bans`` SET `seen` = 1 WHERE `id` = " . (int)$ban_id) or error(db_error());
}
static public function purge() {
$query = query("DELETE FROM ``bans`` WHERE `expires` IS NOT NULL AND `expires` < " . time() . " AND `seen` = 1") or error(db_error());
}
static public function delete($ban_id, $modlog = false) {
if ($modlog) {
$query = query("SELECT `ipstart`, `ipend` FROM ``bans`` WHERE `id` = " . (int)$ban_id) or error(db_error());
if (!$ban = $query->fetch(PDO::FETCH_ASSOC)) {
// Ban doesn't exist
return false;
}
$mask = self::range_to_string(array($ban['ipstart'], $ban['ipend']));
modLog("Removed ban #{$ban_id} for " .
(filter_var($mask, FILTER_VALIDATE_IP) !== false ? "<a href=\"?/IP/$mask\">$mask</a>" : $mask));
}
query("DELETE FROM ``bans`` WHERE `id` = " . (int)$ban_id) or error(db_error());
return true;
}
static public function new_ban($mask, $reason, $length = false, $board = false, $mod_id = false) {
global $mod, $pdo;
if ($mod_id === false) {
$mod_id = isset($mod['id']) ? $mod['id'] : -1;
}
$range = self::parse_range($mask);
$mask = self::range_to_string($range);
$query = prepare("INSERT INTO ``bans`` VALUES (NULL, :ipstart, :ipend, :time, :expires, :board, :mod, :reason, 0, NULL)");
$query->bindValue(':ipstart', $range[0]);
if ($range[1] !== false && $range[1] != $range[0])
$query->bindValue(':ipend', $range[1]);
else
$query->bindValue(':ipend', null, PDO::PARAM_NULL);
$query->bindValue(':mod', $mod_id);
$query->bindValue(':time', time());
if ($reason !== '') {
$reason = escape_markup_modifiers($reason);
markup($reason);
$query->bindValue(':reason', $reason);
} else
$query->bindValue(':reason', null, PDO::PARAM_NULL);
if ($length) {
if (is_int($length) || ctype_digit($length)) {
$length = time() + $length;
} else {
$length = self::parse_time($length);
}
$query->bindValue(':expires', $length);
} else {
$query->bindValue(':expires', null, PDO::PARAM_NULL);
}
if ($board)
$query->bindValue(':board', $board);
else
$query->bindValue(':board', null, PDO::PARAM_NULL);
$query->execute() or error(db_error($query));
if (isset($mod['id']) && $mod['id'] == $mod_id) {
modLog('Created a new ' .
($length > 0 ? preg_replace('/^(\d+) (\w+?)s?$/', '$1-$2', until($length)) : 'permanent') .
' ban on ' .
($board ? '/' . $board . '/' : 'all boards') .
' for ' .
(filter_var($mask, FILTER_VALIDATE_IP) !== false ? "<a href=\"?/IP/$mask\">$mask</a>" : $mask) .
' (<small>#' . $pdo->lastInsertId() . '</small>)' .
' with ' . ($reason ? 'reason: ' . utf8tohtml($reason) . '' : 'no reason'));
}
return $pdo->lastInsertId();
}
}

7
inc/cache.php

@ -4,10 +4,7 @@
* Copyright (c) 2010-2013 Tinyboard Development Group
*/
if (realpath($_SERVER['SCRIPT_FILENAME']) == str_replace('\\', '/', __FILE__)) {
// You cannot request this file directly.
exit;
}
defined('TINYBOARD') or exit;
class Cache {
private static $cache;
@ -135,7 +132,7 @@ class Cache {
case 'apc':
return apc_clear_cache('user');
case 'php':
self::$cache[$key] = array();
self::$cache = array();
break;
case 'redis':
if (!self::$cache)

252
inc/config.php

@ -44,6 +44,8 @@
$config['debug'] = false;
// For development purposes. Displays (and "dies" on) all errors and warnings. Turn on with the above.
$config['verbose_errors'] = true;
// EXPLAIN all SQL queries (when in debug mode).
$config['debug_explain'] = false;
// Directory where temporary files will be created.
$config['tmp'] = sys_get_temp_dir();
@ -168,13 +170,6 @@
* ====================
*/
// Minimum time between between each post by the same IP address.
$config['flood_time'] = 10;
// Minimum time between between each post with the exact same content AND same IP address.
$config['flood_time_ip'] = 120;
// Same as above but by a different IP address. (Same content, not necessarily same IP address.)
$config['flood_time_same'] = 30;
/*
* To further prevent spam and abuse, you can use DNS blacklists (DNSBL). A DNSBL is a list of IP
* addresses published through the Internet Domain Name Service (DNS) either as a zone file that can be
@ -237,6 +232,9 @@
// How soon after regeneration do hashes expire (in seconds)?
$config['spam']['hidden_inputs_expire'] = 60 * 60 * 3; // three hours
// Whether to use Unicode characters in hidden input names and values.
$config['spam']['unicode'] = true;
// These are fields used to confuse the bots. Make sure they aren't actually used by Tinyboard, or it won't work.
$config['spam']['hidden_input_names'] = array(
@ -274,6 +272,7 @@
'quick-reply',
'page',
'file_url',
'json_response',
);
// Enable reCaptcha to make spam even harder. Rarely necessary.
@ -283,6 +282,132 @@
$config['recaptcha_public'] = '6LcXTcUSAAAAAKBxyFWIt2SO8jwx4W7wcSMRoN3f';
$config['recaptcha_private'] = '6LcXTcUSAAAAAOGVbVdhmEM1_SyRF4xTKe8jbzf_';
/*
* Custom filters detect certain posts and reject/ban accordingly. They are made up of a condition and an
* action (for when ALL conditions are met). As every single post has to be put through each filter,
* having hundreds probably isn't ideal as it could slow things down.
*
* By default, the custom filters array is populated with basic flood prevention conditions. This
* includes forcing users to wait at least 5 seconds between posts. To disable (or amend) these flood
* prevention settings, you will need to empty the $config['filters'] array first. You can do so by
* adding "$config['filters'] = array();" to inc/instance-config.php. Basic flood prevention used to be
* controlled solely by config variables such as $config['flood_time'] and $config['flood_time_ip'], and
* it still is, as long as you leave the relevant $config['filters'] intact. These old config variables
* still exist for backwards-compatability and general convenience.
*
* Read more: http://tinyboard.org/docs/index.php?p=Config/Filters
*/
// Minimum time between between each post by the same IP address.
$config['flood_time'] = 10;
// Minimum time between between each post with the exact same content AND same IP address.
$config['flood_time_ip'] = 120;
// Same as above but by a different IP address. (Same content, not necessarily same IP address.)
$config['flood_time_same'] = 30;
// Minimum time between posts by the same IP address (all boards).
$config['filters'][] = array(
'condition' => array(
'flood-match' => array('ip'), // Only match IP address
'flood-time' => &$config['flood_time']
),
'action' => 'reject',
'message' => &$config['error']['flood']
);
// Minimum time between posts by the same IP address with the same text.
$config['filters'][] = array(
'condition' => array(
'flood-match' => array('ip', 'body'), // Match IP address and post body
'flood-time' => &$config['flood_time_ip'],
'!body' => '/^$/', // Post body is NOT empty
),
'action' => 'reject',
'message' => &$config['error']['flood']
);
// Minimum time between posts with the same text. (Same content, but not always the same IP address.)
$config['filters'][] = array(
'condition' => array(
'flood-match' => array('body'), // Match only post body
'flood-time' => &$config['flood_time_same']
),
'action' => 'reject',
'message' => &$config['error']['flood']
);
// Example: Minimum time between posts with the same file hash.
// $config['filters'][] = array(
// 'condition' => array(
// 'flood-match' => array('file'), // Match file hash
// 'flood-time' => 60 * 2 // 2 minutes minimum
// ),
// 'action' => 'reject',
// 'message' => &$config['error']['flood']
// );
// Example: Use the "flood-count" condition to only match if the user has made at least two posts with
// the same content and IP address in the past 2 minutes.
// $config['filters'][] = array(
// 'condition' => array(
// 'flood-match' => array('ip', 'body'), // Match IP address and post body
// 'flood-time' => 60 * 2, // 2 minutes
// 'flood-count' => 2 // At least two recent posts
// ),
// '!body' => '/^$/',
// 'action' => 'reject',
// 'message' => &$config['error']['flood']
// );
// Example: Blocking an imaginary known spammer, who keeps posting a reply with the name "surgeon",
// ending his posts with "regards, the surgeon" or similar.
// $config['filters'][] = array(
// 'condition' => array(
// 'name' => '/^surgeon$/',
// 'body' => '/regards,\s+(the )?surgeon$/i',
// 'OP' => false
// ),
// 'action' => 'reject',
// 'message' => 'Go away, spammer.'
// );
// Example: Same as above, but issuing a 3-hour ban instead of just reject the post.
// $config['filters'][] = array(
// 'condition' => array(
// 'name' => '/^surgeon$/',
// 'body' => '/regards,\s+(the )?surgeon$/i',
// 'OP' => false
// ),
// 'action' => 'ban',
// 'expires' => 60 * 60 * 3, // 3 hours
// 'reason' => 'Go away, spammer.'
// );
// Example: PHP 5.3+ (anonymous functions)
// There is also a "custom" condition, making the possibilities of this feature pretty much endless.
// This is a bad example, because there is already a "name" condition built-in.
// $config['filters'][] = array(
// 'condition' => array(
// 'body' => '/h$/i',
// 'OP' => false,
// 'custom' => function($post) {
// if($post['name'] == 'Anonymous')
// return true;
// else
// return false;
// }
// ),
// 'action' => 'reject'
// );
// Filter flood prevention conditions ("flood-match") depend on a table which contains a cache of recent
// posts across all boards. This table is automatically purged of older posts, determining the maximum
// "age" by looking at each filter. However, when determining the maximum age, Tinyboard does not look
// outside the current board. This means that if you have a special flood condition for a specific board
// (contained in a board configuration file) which has a flood-time greater than any of those in the
// global configuration, you need to set the following variable to the maximum flood-time condition value.
// $config['flood_cache'] = 60 * 60 * 24; // 24 hours
/*
* ====================
* Post settings
@ -406,57 +531,6 @@
// Require users to see the ban page at least once for a ban even if it has since expired.
$config['require_ban_view'] = true;
/*
* Custom filters detect certain posts and reject/ban accordingly. They are made up of a
* condition and an action (for when ALL conditions are met). As every single post has to
* be put through each filter, having hundreds probably isn’t ideal as it could slow things down.
*
* Read more: http://tinyboard.org/docs/index.php?p=Config/Filters
*
* This used to be named $config['flood_filters'] (still exists as an alias).
*/
// An example of blocking an imaginary known spammer, who keeps posting a reply with the name "surgeon",
// ending his posts with "regards, the surgeon" or similar.
// $config['filters'][] = array(
// 'condition' => array(
// 'name' => '/^surgeon$/',
// 'body' => '/regards,\s+(the )?surgeon$/i',
// 'OP' => false
// ),
// 'action' => 'reject',
// 'message' => 'Go away, spammer.'
// );
// Same as above, but issuing a 3-hour ban instead of just reject the post.
// $config['filters'][] = array(
// 'condition' => array(
// 'name' => '/^surgeon$/',
// 'body' => '/regards,\s+(the )?surgeon$/i',
// 'OP' => false
// ),
// 'action' => 'ban',
// 'expires' => 60 * 60 * 3, // 3 hours
// 'reason' => 'Go away, spammer.'
// );
// PHP 5.3+ (anonymous functions)
// There is also a "custom" condition, making the possibilities of this feature pretty much endless.
// This is a bad example, because there is already a "name" condition built-in.
// $config['filters'][] = array(
// 'condition' => array(
// 'body' => '/h$/i',
// 'OP' => false,
// 'custom' => function($post) {
// if($post['name'] == 'Anonymous')
// return true;
// else
// return false;
// }
// ),
// 'action' => 'reject'
// );
/*
* ====================
* Markup settings
@ -598,10 +672,6 @@
// that as a thumbnail instead of resizing/redrawing.
$config['minimum_copy_resize'] = false;
// Image hashing function. There's really no reason to change this.
// sha1_file, md5_file, etc. You can also define your own similar function.
$config['file_hash'] = 'sha1_file';
// Maximum image upload size in bytes.
$config['max_filesize'] = 10 * 1024 * 1024; // 10MB
// Maximum image dimensions.
@ -752,6 +822,12 @@
// Whether or not to put brackets around the whole board list
$config['boardlist_wrap_bracket'] = false;
// Show page navigation links at the top as well.
$config['page_nav_top'] = false;
// Show "Catalog" link in page navigation. Use with the Catalog theme.
// $config['catalog_link'] = 'catalog.html';
// Board categories. Only used in the "Categories" theme.
// $config['categories'] = array(
// 'Group Name' => array('a', 'b', 'c'),
@ -1010,8 +1086,8 @@
* ====================
*/
// Limit how many bans can be removed via the ban list. Set to -1 for no limit.
$config['mod']['unban_limit'] = -1;
// Limit how many bans can be removed via the ban list. Set to false (or zero) for no limit.
$config['mod']['unban_limit'] = false;
// Whether or not to lock moderator sessions to IP addresses. This makes cookie theft ineffective.
$config['mod']['lock_ip'] = true;
@ -1056,14 +1132,6 @@
// 'color:red;font-weight:bold' // Change tripcode style; optional
//);
// Enable IP range bans (eg. "127.*.0.1", "127.0.0.*", and "12*.0.0.1" all match "127.0.0.1"). Puts a
// little more load on the database
$config['ban_range'] = true;
// Enable CDIR netmask bans (eg. "10.0.0.0/8" for 10.0.0.0.0 - 10.255.255.255). Useful for stopping
// persistent spammers and ban evaders. Again, a little more database load.
$config['ban_cidr'] = true;
// Enable the moving of single replies
$config['move_replies'] = false;
@ -1130,18 +1198,28 @@
* ====================
*/
// Probably best not to change these:
if (!defined('JANITOR')) {
define('JANITOR', 0, true);
define('MOD', 1, true);
define('ADMIN', 2, true);
define('DISABLED', 3, true);
}
// Probably best not to change this unless you are smart enough to figure out what you're doing. If you
// decide to change it, remember that it is impossible to redefinite/overwrite groups; you may only add
// new ones.
$config['mod']['groups'] = array(
10 => 'Janitor',
20 => 'Mod',
30 => 'Admin',
// 98 => 'God',
99 => 'Disabled'
);
// If you add stuff to the above, you'll need to call this function immediately after.
define_groups();
// Example: Adding a new permissions group.
// $config['mod']['groups'][0] = 'NearlyPowerless';
// define_groups();
// Capcode permissions.
$config['mod']['capcode'] = array(
// JANITOR => array('Janitor'),
MOD => array('Mod'),
MOD => array('Mod'),
ADMIN => true
);
@ -1193,7 +1271,8 @@
// Post bypass unoriginal content check on robot-enabled boards
$config['mod']['postunoriginal'] = ADMIN;
// Bypass flood check
$config['mod']['flood'] = ADMIN;
$config['mod']['bypass_filters'] = ADMIN;
$config['mod']['flood'] = &$config['mod']['bypass_filters'];
// Raw HTML posting
$config['mod']['rawhtml'] = ADMIN;
@ -1279,18 +1358,14 @@
$config['mod']['edit_config'] = ADMIN;
// Config editor permissions
$config['mod']['config'] = array(
JANITOR => false,
MOD => false,
ADMIN => false,
DISABLED => false,
);
$config['mod']['config'] = array();
// Disable the following configuration variables from being changed via ?/config. The following default
// banned variables are considered somewhat dangerous.
$config['mod']['config'][DISABLED] = array(
'mod>config',
'mod>config_editor_php',
'mod>groups',
'convert_args',
'db>password',
);
@ -1421,6 +1496,3 @@
// is the absolute maximum, because MySQL cannot handle table names greater than 64 characters.
$config['board_regex'] = '[0-9a-zA-Z$_\x{0080}-\x{FFFF}]{1,58}';
// Regex for URLs.
$config['url_regex'] = '@^(?i)\b((?:[a-z][\w-]+:(?:/{1,3}|[a-z0-9%])|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:\'".,<>?«»“”‘’]))[email protected]';

22
inc/database.php

@ -4,27 +4,32 @@
* Copyright (c) 2010-2013 Tinyboard Development Group
*/
if (realpath($_SERVER['SCRIPT_FILENAME']) == str_replace('\\', '/', __FILE__)) {
// You cannot request this file directly.
exit;
}
defined('TINYBOARD') or exit;
class PreparedQueryDebug {
protected $query;
protected $query, $explain_query = false;
public function __construct($query) {
global $pdo;
global $pdo, $config;
$query = preg_replace("/[\n\t]+/", ' ', $query);
$this->query = $pdo->prepare($query);
if ($config['debug'] && $config['debug_explain'] && preg_match('/^(SELECT|INSERT|UPDATE|DELETE) /i', $query))
$this->explain_query = $pdo->prepare("EXPLAIN $query");
}
public function __call($function, $args) {
global $config, $debug;
if ($config['debug'] && $function == 'execute') {
if ($this->explain_query) {
$this->explain_query->execute() or error(db_error($this->explain_query));
}
$start = microtime(true);
}
if ($this->explain_query && $function == 'bindValue')
call_user_func_array(array($this->explain_query, $function), $args);
$return = call_user_func_array(array($this->query, $function), $args);
if ($config['debug'] && $function == 'execute') {
@ -32,6 +37,7 @@ class PreparedQueryDebug {
$debug['sql'][] = array(
'query' => $this->query->queryString,
'rows' => $this->query->rowCount(),
'explain' => $this->explain_query ? $this->explain_query->fetchAll(PDO::FETCH_ASSOC) : null,
'time' => '~' . round($time * 1000, 2) . 'ms'
);
$debug['time']['db_queries'] += $time;
@ -121,6 +127,9 @@ function query($query) {
sql_open();
if ($config['debug']) {
if ($config['debug_explain'] && preg_match('/^(SELECT|INSERT|UPDATE|DELETE) /i', $query)) {
$explain = $pdo->query("EXPLAIN $query") or error(db_error());
}
$start = microtime(true);
$query = $pdo->query($query);
if (!$query)
@ -129,6 +138,7 @@ function query($query) {
$debug['sql'][] = array(
'query' => $query->queryString,
'rows' => $query->rowCount(),
'explain' => isset($explain) ? $explain->fetchAll(PDO::FETCH_ASSOC) : null,
'time' => '~' . round($time * 1000, 2) . 'ms'
);
$debug['time']['db_queries'] += $time;

10
inc/display.php

@ -88,6 +88,14 @@ function error($message, $priority = true, $debug_stuff = false) {
// Return the bad request header, necessary for AJAX posts
header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
// Is there a reason to disable this?
if (isset($_POST['json_response'])) {
header('Content-Type: text/json; charset=utf-8');
die(json_encode(array(
'error' => $message
)));
}
die(Element('page.html', array(
'config' => $config,
'title' => _('Error'),
@ -536,6 +544,8 @@ class Thread {
$hasnoko50 = $this->postCount() >= $config['noko50_min'];
event('show-thread', $this);
$built = Element('post_thread.html', array('config' => $config, 'board' => $board, 'post' => &$this, 'index' => $index, 'hasnoko50' => $hasnoko50, 'isnoko50' => $isnoko50));
return $built;

5
inc/events.php

@ -4,10 +4,7 @@
* Copyright (c) 2010-2013 Tinyboard Development Group
*/
if (realpath($_SERVER['SCRIPT_FILENAME']) == str_replace('\\', '/', __FILE__)) {
// You cannot request this file directly.
exit;
}
defined('TINYBOARD') or exit;
function event() {
global $events;

176
inc/filters.php

@ -4,12 +4,10 @@
* Copyright (c) 2010-2013 Tinyboard Development Group
*/
if (realpath($_SERVER['SCRIPT_FILENAME']) == str_replace('\\', '/', __FILE__)) {
// You cannot request this file directly.
exit;
}
defined('TINYBOARD') or exit;
class Filter {
public $flood_check;
private $condition;
public function __construct(array $arr) {
@ -25,6 +23,64 @@ class Filter {
if (!is_callable($match))
error('Custom condition for filter is not callable!');
return $match($post);
case 'flood-match':
if (!is_array($match))
error('Filter condition "flood-match" must be an array.');
// Filter out "flood" table entries which do not match this filter.
$flood_check_matched = array();
foreach ($this->flood_check as $flood_post) {
foreach ($match as $flood_match_arg) {
switch ($flood_match_arg) {
case 'ip':
if ($flood_post['ip'] != $_SERVER['REMOTE_ADDR'])
continue 3;
break;
case 'body':
if ($flood_post['posthash'] != make_comment_hex($post['body_nomarkup']))
continue 3;
break;
case 'file':
if (!isset($post['filehash']))
return false;
if ($flood_post['filehash'] != $post['filehash'])
continue 3;
break;
case 'board':
if ($flood_post['board'] != $post['board'])
continue 3;
break;
case 'isreply':
if ($flood_post['isreply'] == $post['op'])
continue 3;
break;
default:
error('Invalid filter flood condition: ' . $flood_match_arg);
}
}
$flood_check_matched[] = $flood_post;
}
$this->flood_check = $flood_check_matched;
return !empty($this->flood_check);
case 'flood-time':
foreach ($this->flood_check as $flood_post) {
if (time() - $flood_post['time'] <= $match) {
return true;
}
}
return false;
case 'flood-count':
$count = 0;
foreach ($this->flood_check as $flood_post) {
if (time() - $flood_post['time'] <= $this->condition['flood-time']) {
++$count;
}
}
return $count >= $match;
case 'name':
return preg_match($match, $post['name']);
case 'trip':
@ -34,7 +90,7 @@ class Filter {
case 'subject':
return preg_match($match, $post['subject']);
case 'body':
return preg_match($match, $post['body']);
return preg_match($match, $post['body_nomarkup']);
case 'filename':
if (!$post['has_file'])
return false;
@ -59,52 +115,18 @@ class Filter {
switch($this->action) {
case 'reject':
error(isset($this->message) ? $this->message : 'Posting throttled by flood filter.');
error(isset($this->message) ? $this->message : 'Posting throttled by filter.');
case 'ban':
if (!isset($this->reason))
error('The ban action requires a reason.');
$reason = $this->reason;
if (isset($this->expires))
$expires = time() + $this->expires;
else
$expires = 0; // Ban indefinitely
if (isset($this->reject))
$reject = $this->reject;
else
$reject = true;
if (isset($this->all_boards))
$all_boards = $this->all_boards;
else
$all_boards = false;
$query = prepare("INSERT INTO ``bans`` VALUES (NULL, :ip, :mod, :set, :expires, :reason, :board, 0)");
$query->bindValue(':ip', $_SERVER['REMOTE_ADDR']);
$query->bindValue(':mod', -1);
$query->bindValue(':set', time());
if ($expires)
$query->bindValue(':expires', $expires);
else
$query->bindValue(':expires', null, PDO::PARAM_NULL);
if ($reason)
$query->bindValue(':reason', $reason);
else
$query->bindValue(':reason', null, PDO::PARAM_NULL);
if ($all_boards)
$query->bindValue(':board', null, PDO::PARAM_NULL);
else
$query->bindValue(':board', $board['uri']);
$this->expires = isset($this->expires) ? $this->expires : false;
$this->reject = isset($this->reject) ? $this->reject : true;
$this->all_boards = isset($this->all_boards) ? $this->all_boards : false;
$query->execute() or error(db_error($query));
Bans::new_ban($_SERVER['REMOTE_ADDR'], $this->reason, $this->expires, $this->all_boards ? false : $board['uri'], -1);
if ($reject) {
if ($this->reject) {
if (isset($this->message))
error($message);
@ -120,25 +142,77 @@ class Filter {
public function check(array $post) {
foreach ($this->condition as $condition => $value) {
if (!$this->match($post, $condition, $value))
if ($condition[0] == '!') {
$NOT = true;
$condition = substr($condition, 1);
} else $NOT = false;
if ($this->match($post, $condition, $value) == $NOT)
return false;
}
/* match */
return true;
}
}
function purge_flood_table() {
global $config;
// Determine how long we need to keep a cache of posts for flood prevention. Unfortunately, it is not
// aware of flood filters in other board configurations. You can solve this problem by settings the
// config variable $config['flood_cache'] (seconds).
if (isset($config['flood_cache'])) {
$max_time = &$config['flood_cache'];
} else {
$max_time = 0;
foreach ($config['filters'] as $filter) {
if (isset($filter['condition']['flood-time']))
$max_time = max($max_time, $filter['condition']['flood-time']);
}
}
$time = time() - $max_time;
query("DELETE FROM ``flood`` WHERE `time` < $time") or error(db_error());
}
function do_filters(array $post) {
global $config;
if (!isset($config['filters']))
if (!isset($config['filters']) || empty($config['filters']))
return;
foreach ($config['filters'] as $arr) {
$filter = new Filter($arr);
foreach ($config['filters'] as $filter) {
if (isset($filter['condition']['flood-match'])) {
$has_flood = true;
break;
}
}
if (isset($has_flood)) {
if ($post['has_file']) {
$query = prepare("SELECT * FROM ``flood`` WHERE `ip` = :ip OR `posthash` = :posthash OR `filehash` = :filehash");
$query->bindValue(':ip', $_SERVER['REMOTE_ADDR']);
$query->bindValue(':posthash', make_comment_hex($post['body_nomarkup']));
$query->bindValue(':filehash', $post['filehash']);
} else {
$query = prepare("SELECT * FROM ``flood`` WHERE `ip` = :ip OR `posthash` = :posthash");
$query->bindValue(':ip', $_SERVER['REMOTE_ADDR']);
$query->bindValue(':posthash', make_comment_hex($post['body_nomarkup']));
}
$query->execute() or error(db_error($query));
$flood_check = $query->fetchAll(PDO::FETCH_ASSOC);
} else {
$flood_check = false;
}
foreach ($config['filters'] as $filter_array) {
$filter = new Filter($filter_array);
$filter->flood_check = $flood_check;
if ($filter->check($post))
$filter->action();
}
purge_flood_table();
}

181
inc/functions.php

@ -9,6 +9,8 @@ if (realpath($_SERVER['SCRIPT_FILENAME']) == str_replace('\\', '/', __FILE__)) {
exit;
}
define('TINYBOARD', null);
$microtime_start = microtime(true);
require_once 'inc/display.php';
@ -16,6 +18,7 @@ require_once 'inc/template.php';
require_once 'inc/database.php';
require_once 'inc/events.php';
require_once 'inc/api.php';
require_once 'inc/bans.php';
require_once 'inc/lib/gettext/gettext.inc';
// the user is not currently logged in as a moderator
@ -92,7 +95,7 @@ function loadConfig() {
if (!isset($config['referer_match']))
if (isset($_SERVER['HTTP_HOST'])) {
$config['referer_match'] = '/^' .
(preg_match($config['url_regex'], $config['root']) ? '' :
(preg_match('@^https?://@', $config['root']) ? '' :
'https?:\/\/' . $_SERVER['HTTP_HOST']) .
preg_quote($config['root'], '/') .
'(' .
@ -266,6 +269,15 @@ function verbose_error_handler($errno, $errstr, $errfile, $errline) {
));
}
function define_groups() {
global $config;
foreach ($config['mod']['groups'] as $group_value => $group_name)
defined($group_name) or define($group_name, $group_value, true);
ksort($config['mod']['groups']);
}
function create_antibot($board, $thread = null) {
require_once dirname(__FILE__) . '/anti-bot.php';
@ -573,30 +585,6 @@ function listBoards() {
return $boards;
}
function checkFlood($post) {
global $board, $config;
$query = prepare(sprintf("SELECT COUNT(*) FROM ``posts_%s`` WHERE
(`ip` = :ip AND `time` >= :floodtime)
OR
(`ip` = :ip AND :body != '' AND `body_nomarkup` = :body AND `time` >= :floodsameiptime)
OR
(:body != '' AND `body_nomarkup` = :body AND `time` >= :floodsametime) LIMIT 1", $board['uri']));
$query->bindValue(':ip', $_SERVER['REMOTE_ADDR']);
$query->bindValue(':body', $post['body']);
$query->bindValue(':floodtime', time()-$config['flood_time'], PDO::PARAM_INT);
$query->bindValue(':floodsameiptime', time()-$config['flood_time_ip'], PDO::PARAM_INT);
$query->bindValue(':floodsametime', time()-$config['flood_time_same'], PDO::PARAM_INT);
$query->execute() or error(db_error($query));
$flood = (bool) $query->fetchColumn();
if (event('check-flood', $post))
return true;
return $flood;
}
function until($timestamp) {
$difference = $timestamp - time();
if ($difference < 60) {
@ -635,9 +623,7 @@ function displayBan($ban) {
global $config;
if (!$ban['seen']) {
$query = prepare("UPDATE ``bans`` SET `seen` = 1 WHERE `id` = :id");
$query->bindValue(':id', $ban['id'], PDO::PARAM_INT);
$query->execute() or error(db_error($query));
Bans::seen($ban['id']);
}
$ban['ip'] = $_SERVER['REMOTE_ADDR'];
@ -655,7 +641,7 @@ function displayBan($ban) {
));
}
function checkBan($board = 0) {
function checkBan($board = false) {
global $config;
if (!isset($_SERVER['REMOTE_ADDR'])) {
@ -665,67 +651,38 @@ function checkBan($board = 0) {
if (event('check-ban', $board))
return true;
$query = prepare("SELECT `set`, `expires`, `reason`, `board`, `seen`, `id` FROM ``bans`` WHERE (`board` IS NULL OR `board` = :board) AND `ip` = :ip ORDER BY `expires` IS NULL DESC, `expires` DESC LIMIT 1");
$query->bindValue(':ip', $_SERVER['REMOTE_ADDR']);
$query->bindValue(':board', $board);
$query->execute() or error(db_error($query));
if ($query->rowCount() < 1 && $config['ban_range']) {
$query = prepare("SELECT `set`, `expires`, `reason`, `board`, `seen`, `id` FROM ``bans`` WHERE (`board` IS NULL OR `board` = :board) AND :ip LIKE REPLACE(REPLACE(`ip`, '%', '!%'), '*', '%') ESCAPE '!' ORDER BY `expires` IS NULL DESC, `expires` DESC LIMIT 1");
$query->bindValue(':ip', $_SERVER['REMOTE_ADDR']);
$query->bindValue(':board', $board);
$query->execute() or error(db_error($query));
}
if ($query->rowCount() < 1 && $config['ban_cidr'] && !isIPv6()) {
// my most insane SQL query yet
$query = prepare("SELECT `set`, `expires`, `reason`, `board`, `seen`, ``bans``.`id` FROM ``bans`` WHERE (`board` IS NULL OR `board` = :board)
AND (
`ip` REGEXP '^(\[0-9]+\.\[0-9]+\.\[0-9]+\.\[0-9]+\)\/(\[0-9]+)$'
AND
:ip >= INET_ATON(SUBSTRING_INDEX(`ip`, '/', 1))
AND
:ip < INET_ATON(SUBSTRING_INDEX(`ip`, '/', 1)) + POW(2, 32 - SUBSTRING_INDEX(`ip`, '/', -1))
)
ORDER BY `expires` IS NULL DESC, `expires` DESC LIMIT 1");
$query->bindValue(':ip', ip2long($_SERVER['REMOTE_ADDR']));
$query->bindValue(':board', $board);
$query->execute() or error(db_error($query));
}
if ($ban = $query->fetch(PDO::FETCH_ASSOC)) {
$bans = Bans::find($_SERVER['REMOTE_ADDR'], $board);
foreach ($bans as &$ban) {
if ($ban['expires'] && $ban['expires'] < time()) {
// Ban expired
$query = prepare("DELETE FROM ``bans`` WHERE `id` = :id");
$query->bindValue(':id', $ban['id'], PDO::PARAM_INT);
$query->execute() or error(db_error($query));
Bans::delete($ban['id']);
if ($config['require_ban_view'] && !$ban['seen']) {
if (!isset($_POST['json_response'])) {
displayBan($ban);
} else {
header('Content-Type: text/json');
die(json_encode(array('error' => true, 'banned' => true)));
}
}
} else {
if (!isset($_POST['json_response'])) {
displayBan($ban);
} else {
header('Content-Type: text/json');
die(json_encode(array('error' => true, 'banned' => true)));
}
return;
}
displayBan($ban);
}
// I'm not sure where else to put this. It doesn't really matter where; it just needs to be called every now and then to keep the ban list tidy.
purge_bans();
}
// No reason to keep expired bans in the database (except those that haven't been viewed yet)
function purge_bans() {
global $config;
// I'm not sure where else to put this. It doesn't really matter where; it just needs to be called every
// now and then to keep the ban list tidy.
if ($config['cache']['enabled'] && $last_time_purged = cache::get('purged_bans_last')) {
if (time() - $last_time_purged < $config['purge_bans'] )
return;
}
$query = prepare("DELETE FROM ``bans`` WHERE `expires` IS NOT NULL AND `expires` < :time AND `seen` = 1");
$query->bindValue(':time', time());
$query->execute() or error(db_error($query));
Bans::purge();
if ($config['cache']['enabled'])
cache::set('purged_bans_last', time());
@ -781,6 +738,22 @@ function threadExists($id) {
return false;
}
function insertFloodPost(array $post) {
global $board;
$query = prepare("INSERT INTO ``flood`` VALUES (NULL, :ip, :board, :time, :posthash, :filehash, :isreply)");
$query->bindValue(':ip', $_SERVER['REMOTE_ADDR']);
$query->bindValue(':board', $board['uri']);
$query->bindValue(':time', time());
$query->bindValue(':posthash', make_comment_hex($post['body_nomarkup']));
if ($post['has_file'])
$query->bindValue(':filehash', $post['filehash']);
else
$query->bindValue(':filehash', null, PDO::PARAM_NULL);
$query->bindValue(':isreply', !$post['op'], PDO::PARAM_INT);
$query->execute() or error(db_error($query));
}
function post(array $post) {
global $pdo, $board;
$query = prepare(sprintf("INSERT INTO ``posts_%s`` VALUES ( NULL, :thread, :subject, :email, :name, :trip, :capcode, :body, :body_nomarkup, :time, :time, :thumb, :thumbwidth, :thumbheight, :file, :width, :height, :filesize, :filename, :filehash, :password, :ip, :sticky, :locked, 0, :embed)", $board['uri']));
@ -789,19 +762,19 @@ function post(array $post) {
if (!empty($post['subject'])) {
$query->bindValue(':subject', $post['subject']);
} else {
$query->bindValue(':subject', NULL, PDO::PARAM_NULL);
$query->bindValue(':subject', null, PDO::PARAM_NULL);
}
if (!empty($post['email'])) {
$query->bindValue(':email', $post['email']);
} else {
$query->bindValue(':email', NULL, PDO::PARAM_NULL);
$query->bindValue(':email', null, PDO::PARAM_NULL);
}
if (!empty($post['trip'])) {
$query->bindValue(':trip', $post['trip']);
} else {
$query->bindValue(':trip', NULL, PDO::PARAM_NULL);
$query->bindValue(':trip', null, PDO::PARAM_NULL);
}
$query->bindValue(':name', $post['name']);
@ -812,27 +785,27 @@ function post(array $post) {
$query->bindValue(':ip', isset($post['ip']) ? $post['ip'] : $_SERVER['REMOTE_ADDR']);
if ($post['op'] && $post['mod'] && isset($post['sticky']) && $post['sticky']) {
$query->bindValue(':sticky', 1, PDO::PARAM_INT);
$query->bindValue(':sticky', true, PDO::PARAM_INT);
} else {
$query->bindValue(':sticky', 0, PDO::PARAM_INT);
$query->bindValue(':sticky', false, PDO::PARAM_INT);
}
if ($post['op'] && $post['mod'] && isset($post['locked']) && $post['locked']) {
$query->bindValue(':locked', 1, PDO::PARAM_INT);
$query->bindValue(':locked', true, PDO::PARAM_INT);
} else {
$query->bindValue(':locked', 0, PDO::PARAM_INT);
$query->bindValue(':locked', false, PDO::PARAM_INT);
}
if ($post['mod'] && isset($post['capcode']) && $post['capcode']) {
$query->bindValue(':capcode', $post['capcode'], PDO::PARAM_INT);
} else {
$query->bindValue(':capcode', NULL, PDO::PARAM_NULL);
$query->bindValue(':capcode', null, PDO::PARAM_NULL);
}
if (!empty($post['embed'])) {
$query->bindValue(':embed', $post['embed']);
} else {
$query->bindValue(':embed', NULL, PDO::PARAM_NULL);
$query->bindValue(':embed', null, PDO::PARAM_NULL);
}
if ($post['op']) {
@ -1079,10 +1052,16 @@ function index($page, $mod=false) {
while ($th = $query->fetch(PDO::FETCH_ASSOC)) {
$thread = new Thread($th, $mod ? '?/' : $config['root'], $mod);
if ($config['cache']['enabled'] && $cached = cache::get("thread_index_{$board['uri']}_{$th['id']}")) {
$replies = $cached['replies'];
$omitted = $cached['omitted'];
} else {
if ($config['cache']['enabled']) {
$cached = cache::get("thread_index_{$board['uri']}_{$th['id']}");
if (isset($cached['replies'], $cached['omitted'])) {
$replies = $cached['replies'];
$omitted = $cached['omitted'];
} else {
unset($cached);
}
}
if (!isset($cached)) {
$posts = prepare(sprintf("SELECT * FROM ``posts_%s`` WHERE `thread` = :id ORDER BY `id` DESC LIMIT :limit", $board['uri']));
$posts->bindValue(':id', $th['id']);
$posts->bindValue(':limit', ($th['sticky'] ? $config['threads_preview_sticky'] : $config['threads_preview']), PDO::PARAM_INT);
@ -1203,6 +1182,26 @@ function getPages($mod=false) {
return $pages;
}
// Stolen with permission from PlainIB (by Frank Usrs)
function make_comment_hex($str) {
// remove cross-board citations
// the numbers don't matter
$str = preg_replace('!>>>/[A-Za-z0-9]+/!', '', $str);
if (function_exists('iconv')) {
// remove diacritics and other noise
// FIXME: this removes cyrillic entirely
$str = iconv('UTF-8', 'ASCII//TRANSLIT//IGNORE', $str);
}
$str = strtolower($str);
// strip all non-alphabet characters
$str = preg_replace('/[^a-z]/', '', $str);
return md5($str);
}
function makerobot($body) {
global $config;
$body = strtolower($body);

5
inc/image.php

@ -4,10 +4,7 @@
* Copyright (c) 2010-2013 Tinyboard Development Group
*/
if (realpath($_SERVER['SCRIPT_FILENAME']) == str_replace('\\', '/', __FILE__)) {
// You cannot request this file directly.
exit;
}
defined('TINYBOARD') or exit;
class Image {
public $src, $format, $image, $size;

20
inc/lib/IP/LICENSE

@ -0,0 +1,20 @@
Copyright (c) 2013 Jason Morriss
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished
to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

293
inc/lib/IP/Lifo/IP/BC.php

@ -0,0 +1,293 @@
<?php
/**
* This file is part of the Lifo\IP PHP Library.
*
* (c) Jason Morriss <lifo2013@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Lifo\IP;
/**
* BCMath helper class.
*
* Provides a handful of BCMath routines that are not included in the native
* PHP library.
*
* Note: The Bitwise functions operate on fixed byte boundaries. For example,
* comparing the following numbers uses X number of bits:
* 0xFFFF and 0xFF will result in comparison of 16 bits.
* 0xFFFFFFFF and 0xF will result in comparison of 32 bits.
* etc...
*
*/
abstract class BC
{
// Some common (maybe useless) constants
const MAX_INT_32 = '2147483647'; // 7FFFFFFF
const MAX_UINT_32 = '4294967295'; // FFFFFFFF
const MAX_INT_64 = '9223372036854775807'; // 7FFFFFFFFFFFFFFF
const MAX_UINT_64 = '18446744073709551615'; // FFFFFFFFFFFFFFFF
const MAX_INT_96 = '39614081257132168796771975167'; // 7FFFFFFFFFFFFFFFFFFFFFFF
const MAX_UINT_96 = '79228162514264337593543950335'; // FFFFFFFFFFFFFFFFFFFFFFFF
const MAX_INT_128 = '170141183460469231731687303715884105727'; // 7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
const MAX_UINT_128 = '340282366920938463463374607431768211455'; // FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/**
* BC Math function to convert a HEX string into a DECIMAL
*/
public static function bchexdec($hex)
{
if (strlen($hex) == 1) {
return hexdec($hex);
}
$remain = substr($hex, 0, -1);
$last = substr($hex, -1);
return bcadd(bcmul(16, self::bchexdec($remain), 0), hexdec($last), 0);
}
/**
* BC Math function to convert a DECIMAL string into a BINARY string
*/
public static function bcdecbin($dec, $pad = null)
{
$bin = '';
while ($dec) {
$m = bcmod($dec, 2);
$dec = bcdiv($dec, 2, 0);
$bin = abs($m) . $bin;
}
return $pad ? sprintf("%0{$pad}s", $bin) : $bin;
}
/**
* BC Math function to convert a BINARY string into a DECIMAL string
*/
public static function bcbindec($bin)
{
$dec = '0';
for ($i=0, $j=strlen($bin); $i<$j; $i++) {
$dec = bcmul($dec, '2', 0);
$dec = bcadd($dec, $bin[$i], 0);
}
return $dec;
}
/**
* BC Math function to convert a BINARY string into a HEX string
*/
public static function bcbinhex($bin, $pad = 0)
{
return self::bcdechex(self::bcbindec($bin));
}
/**
* BC Math function to convert a DECIMAL into a HEX string
*/
public static function bcdechex($dec)
{
$last = bcmod($dec, 16);
$remain = bcdiv(bcsub($dec, $last, 0), 16, 0);
return $remain == 0 ? dechex($last) : self::bcdechex($remain) . dechex($last);
}
/**
* Bitwise AND two arbitrarily large numbers together.
*/
public static function bcand($left, $right)
{
$len = self::_bitwise($left, $right);
$value = '';
for ($i=0; $i<$len; $i++) {
$value .= (($left{$i} + 0) & ($right{$i} + 0)) ? '1' : '0';
}
return self::bcbindec($value != '' ? $value : '0');
}
/**
* Bitwise OR two arbitrarily large numbers together.
*/
public static function bcor($left, $right)
{
$len = self::_bitwise($left, $right);
$value = '';
for ($i=0; $i<$len; $i++) {
$value .= (($left{$i} + 0) | ($right{$i} + 0)) ? '1' : '0';
}
return self::bcbindec($value != '' ? $value : '0');
}
/**
* Bitwise XOR two arbitrarily large numbers together.
*/
public static function bcxor($left, $right)
{
$len = self::_bitwise($left, $right);
$value = '';
for ($i=0; $i<$len; $i++) {
$value .= (($left{$i} + 0) ^ ($right{$i} + 0)) ? '1' : '0';
}
return self::bcbindec($value != '' ? $value : '0');
}
/**
* Bitwise NOT two arbitrarily large numbers together.
*/
public static function bcnot($left, $bits = null)
{
$right = 0;
$len = self::_bitwise($left, $right, $bits);
$value = '';
for ($i=0; $i<$len; $i++) {
$value .= $left{$i} == '1' ? '0' : '1';
}
return self::bcbindec($value);
}
/**
* Shift number to the left
*
* @param integer $bits Total bits to shift
*/
public static function bcleft($num, $bits) {
return bcmul($num, bcpow('2', $bits));
}
/**
* Shift number to the right
*
* @param integer $bits Total bits to shift
*/
public static function bcright($num, $bits) {
return bcdiv($num, bcpow('2', $bits));
}
/**
* Determine how many bits are needed to store the number rounded to the
* nearest bit boundary.
*/
public static function bits_needed($num, $boundary = 4)
{
$bits = 0;
while ($num > 0) {
$num = bcdiv($num, '2', 0);
$bits++;
}
// round to nearest boundrary
return $boundary ? ceil($bits / $boundary) * $boundary : $bits;
}
/**
* BC Math function to return an arbitrarily large random number.
*/
public static function bcrand($min, $max = null)
{
if ($max === null) {
$max = $min;
$min = 0;
}
// swap values if $min > $max
if (bccomp($min, $max) == 1) {
list($min,$max) = array($max,$min);
}
return bcadd(
bcmul(
bcdiv(
mt_rand(0, mt_getrandmax()),
mt_getrandmax(),
strlen($max)
),
bcsub(
bcadd($max, '1'),
$min
)
),
$min
);
}
/**
* Computes the natural logarithm using a series.
* @author Thomas Oldbury.
* @license Public domain.
*/
public static function bclog($num, $iter = 10, $scale = 100)
{
$log = "0.0";
for($i = 0; $i < $iter; $i++) {
$pow = 1 + (2 * $i);
$mul = bcdiv("1.0", $pow, $scale);