prohibit using same anti-bot hashes across different boards/threads

inc/contrib/Twig/Extensions/Extension/Tinyboard.php

@@ -33,7 +33,8 @@ class Twig_Extensions_Extension_Tinyboard extends Twig_Extension
 	public function getFunctions()
 	{
 		return Array(
-			'time' => new Twig_Filter_Function('time', array('needs_environment' => false))
+			'time' => new Twig_Filter_Function('time', array('needs_environment' => false)),
+			'createHiddenInputs' => new Twig_Filter_Function('createHiddenInputs', array('needs_environment' => false))
 		);
 	}
 	

inc/functions.php

@@ -1048,9 +1048,16 @@
 		}
 	}
 	
-	function createHiddenInputs() {
+	function createHiddenInputs($extra_salt = Array()) {
 		global $config;
 		
+		if(!empty($extra_salt)) {
+			// create a salted hash of the "extra salt"
+			$extra_salt = implode(':', $extra_salt);
+		} else { 
+			$extra_salt = '';
+		}
+		
 		$inputs = Array();
 		
 		shuffle($config['spam']['hidden_input_names']);
@@ -1139,7 +1146,7 @@
 		$hash .= $config['cookies']['salt'];
 		
 		// Use SHA1 for the hash
-		$hash = sha1($hash);
+		$hash = sha1($hash . $extra_salt);
 		
 		// Append it to the HTML
 		$content .= '<input type="hidden" name="hash" value="' . $hash . '" />';
@@ -1147,7 +1154,7 @@
 		return $content;
 	}
 	
-	function checkSpam() {
+	function checkSpam($extra_salt = Array()) {
 		global $config;
 		
 		if(!isset($_POST['hash']))
@@ -1155,6 +1162,13 @@
 		
 		$hash = $_POST['hash'];
 		
+		if(!empty($extra_salt)) {
+			// create a salted hash of the "extra salt"
+			$extra_salt = implode(':', $extra_salt);
+		} else { 
+			$extra_salt = '';
+		}
+		
 		// Reconsturct the $inputs array
 		$inputs = Array();
 		
@@ -1179,7 +1193,7 @@
 		$_hash .= $config['cookies']['salt'];
 		
 		// Use SHA1 for the hash
-		$_hash = sha1($_hash);
+		$_hash = sha1($_hash . $extra_salt);
 		
 		return $hash != $_hash;
 	}
@@ -1197,7 +1211,6 @@
 			$content['pages'] = $pages;
 			$content['pages'][$page-1]['selected'] = true;
 			$content['btn'] = getPageButtons($content['pages']);
-			$content['hidden_inputs'] = createHiddenInputs();
 			file_write($filename, Element('index.html', $content));
 			
 			if(isset($md5) && $md5 == md5_file($filename)) {
@@ -1460,7 +1473,6 @@
 			'id' => $id,
 			'mod' => $mod,
 			'boardlist' => createBoardlist($mod),
-			'hidden_inputs' => $content['hidden_inputs'] = createHiddenInputs(),
 			'return' => ($mod ? '?' . $board['url'] . $config['file_index'] : $config['root'] . $board['uri'] . '/' . $config['file_index'])
 		));
 		

mod.php

@@ -1954,7 +1954,6 @@
 			$page['pages'] = getPages(true);
 			$page['pages'][$page_no-1]['selected'] = true;
 			$page['btn'] = getPageButtons($page['pages'], true);
-			$page['hidden_inputs'] = createHiddenInputs();
 			$page['mod'] = true;
 			
 			echo Element('index.html', $page);

post.php

@@ -197,7 +197,7 @@
 			}
 		}
 		
-		if(checkSpam())
+		if(checkSpam(Array($board['uri'], isset($post['thread']) ? $post['thread'] : null)))
 			error($config['error']['spam']);
 		
 		if($config['robot_enable'] && $config['robot_mute']) {
@@ -250,7 +250,7 @@
 				error($config['error']['noimage']);
 		}
 		
-		$post['name'] = (!empty($_POST['name'])?$_POST['name']:$config['anonymous']);
+		$post['name'] = !empty($_POST['name']) ? $_POST['name'] : $config['anonymous'];
 		$post['subject'] = $_POST['subject'];
 		$post['email'] = utf8tohtml($_POST['email']);
 		$post['body'] = $_POST['body'];
@@ -306,7 +306,7 @@
 		if($mod && $mod['type'] >= MOD && preg_match('/^((.+) )?## (.+)$/', $post['name'], $match)) {
 			if(($mod['type'] == MOD && $match[3] == 'Mod') || $mod['type'] >= ADMIN) {
 				$post['capcode'] = utf8tohtml($match[3]);
-				$post['name'] = !empty($match[2])?$match[2]:$config['anonymous'];
+				$post['name'] = !empty($match[2]) ? $match[2] : $config['anonymous'];
 			}
 		} else {
 			$post['capcode'] = false;
@@ -314,7 +314,7 @@
 		
 		$trip = generate_tripcode($post['name']);
 		$post['name'] = $trip[0];
-		$post['trip'] = (isset($trip[1])?$trip[1]:'');
+		$post['trip'] = isset($trip[1]) ? $trip[1] : '';
 		
 		if(strtolower($post['email']) == 'noko') {
 			$noko = true;
@@ -583,7 +583,7 @@
 			}
 		}
 		
-		buildThread(($OP?$id:$post['thread']));
+		buildThread($OP ? $id : $post['thread']);
 		
 		if(!$OP && strtolower($post['email']) != 'sage' && !$thread['sage'] && ($config['reply_limit'] == 0 || numPosts($post['thread']) < $config['reply_limit'])) {
 			bumpThread($post['thread']);
@@ -603,20 +603,20 @@
 			// Tell it to delete the cached post for referer
 			$js->{$_SERVER['HTTP_REFERER']} = true;
 			// Encode and set cookie
-			setcookie($config['cookies']['js'], json_encode($js), 0, $config['cookies']['jail']?$config['cookies']['path']:'/', null, false, false);
+			setcookie($config['cookies']['js'], json_encode($js), 0, $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, false);
 		}
 		
 		$root = $post['mod'] ? $config['root'] . $config['file_mod'] . '?/' : $config['root'];
 		
 		if($config['always_noko'] || $noko) {
-			$redirect = $root . $board['dir'] . $config['dir']['res'] . sprintf($config['file_page'], $OP?$id:$post['thread']) . (!$OP?'#'.$id:'');
+			$redirect = $root . $board['dir'] . $config['dir']['res'] . sprintf($config['file_page'], $OP ? $id:$post['thread']) . (!$OP ? '#' . $id : '');
 		} else {
 			$redirect = $root . $board['dir'] . $config['file_index'];
 			
 		}
 		
 		if($config['syslog'])
-			_syslog(LOG_INFO, 'New post: /' . $board['dir'] . $config['dir']['res'] . sprintf($config['file_page'], $OP?$id:$post['thread']) . (!$OP?'#'.$id:''));
+			_syslog(LOG_INFO, 'New post: /' . $board['dir'] . $config['dir']['res'] . sprintf($config['file_page'], $OP?$id:$post['thread']) . (!$OP ? '#' . $id : ''));
 		
 		rebuildThemes('post');
 		header('Location: ' . $redirect, true, $config['redirect_http']);

templates/post_form.html

@@ -1,5 +1,5 @@
 <form name="post" onsubmit="return dopost(this);" enctype="multipart/form-data" action="{{ config.post_url }}" method="post">
-{{ hidden_inputs }}
+{{ createHiddenInputs([board.uri, id]) }}
 {% if id %}<input type="hidden" name="thread" value="{{ id }}" />{% endif %}
 <input type="hidden" name="board" value="{{ board.uri }}" />
 {% if mod %}<input type="hidden" name="mod" value="1" />{% endif %}