do security checks *after* checking captcha

This commit is contained in:
Bui 2014-10-06 19:35:37 +09:00 committed by czaks
parent aba8d27ace
commit cb9b4db73d

View File

@ -187,20 +187,6 @@ if (isset($_POST['delete'])) {
} else } else
$post['op'] = true; $post['op'] = true;
if (!(($post['op'] && $_POST['post'] == $config['button_newtopic']) ||
(!$post['op'] && $_POST['post'] == $config['button_reply'])))
error($config['error']['bot']);
// Check the referrer
if ($config['referer_match'] !== false &&
(!isset($_SERVER['HTTP_REFERER']) || !preg_match($config['referer_match'], rawurldecode($_SERVER['HTTP_REFERER']))))
error($config['error']['referer']);
checkDNSBL();
// Check if banned
checkBan($board['uri']);
// Check for CAPTCHA right after opening the board so the "return" link is in there // Check for CAPTCHA right after opening the board so the "return" link is in there
if ($config['recaptcha']) { if ($config['recaptcha']) {
if (!isset($_POST['recaptcha_challenge_field']) || !isset($_POST['recaptcha_response_field'])) if (!isset($_POST['recaptcha_challenge_field']) || !isset($_POST['recaptcha_response_field']))
@ -214,7 +200,21 @@ if (isset($_POST['delete'])) {
error($config['error']['captcha']); error($config['error']['captcha']);
} }
} }
if (!(($post['op'] && $_POST['post'] == $config['button_newtopic']) ||
(!$post['op'] && $_POST['post'] == $config['button_reply'])))
error($config['error']['bot']);
// Check the referrer
if ($config['referer_match'] !== false &&
(!isset($_SERVER['HTTP_REFERER']) || !preg_match($config['referer_match'], rawurldecode($_SERVER['HTTP_REFERER']))))
error($config['error']['referer']);
checkDNSBL();
// Check if banned
checkBan($board['uri']);
if ($post['mod'] = isset($_POST['mod']) && $_POST['mod']) { if ($post['mod'] = isset($_POST['mod']) && $_POST['mod']) {
require 'inc/mod/auth.php'; require 'inc/mod/auth.php';
if (!$mod) { if (!$mod) {