prohibit using same anti-bot hashes across different boards/threads

Michael Save 2012-01-20 02:37:53 +11:00
parent 368050852a
commit cd30f3b0b9
5 changed files with 29 additions and 17 deletions


@ -33,7 +33,8 @@ class Twig_Extensions_Extension_Tinyboard extends Twig_Extension
public function getFunctions() public function getFunctions()
{ {
return Array( return Array(
'time' => new Twig_Filter_Function('time', array('needs_environment' => false)) 'time' => new Twig_Filter_Function('time', array('needs_environment' => false)),
'createHiddenInputs' => new Twig_Filter_Function('createHiddenInputs', array('needs_environment' => false))
); );
} }


@ -1048,9 +1048,16 @@
} }
} }
function createHiddenInputs() { function createHiddenInputs($extra_salt = Array()) {
global $config; global $config;
if(!empty($extra_salt)) {
// create a salted hash of the "extra salt"
$extra_salt = implode(':', $extra_salt);
} else {
$extra_salt = '';
}
$inputs = Array(); $inputs = Array();
shuffle($config['spam']['hidden_input_names']); shuffle($config['spam']['hidden_input_names']);
@ -1139,7 +1146,7 @@
$hash .= $config['cookies']['salt']; $hash .= $config['cookies']['salt'];
// Use SHA1 for the hash // Use SHA1 for the hash
$hash = sha1($hash); $hash = sha1($hash . $extra_salt);
// Append it to the HTML // Append it to the HTML
$content .= '<input type="hidden" name="hash" value="' . $hash . '" />'; $content .= '<input type="hidden" name="hash" value="' . $hash . '" />';
@ -1147,7 +1154,7 @@
return $content; return $content;
} }
function checkSpam() { function checkSpam($extra_salt = Array()) {
global $config; global $config;
if(!isset($_POST['hash'])) if(!isset($_POST['hash']))
@ -1155,6 +1162,13 @@
$hash = $_POST['hash']; $hash = $_POST['hash'];
if(!empty($extra_salt)) {
// create a salted hash of the "extra salt"
$extra_salt = implode(':', $extra_salt);
} else {
$extra_salt = '';
}
// Reconsturct the $inputs array // Reconsturct the $inputs array
$inputs = Array(); $inputs = Array();
@ -1179,7 +1193,7 @@
$_hash .= $config['cookies']['salt']; $_hash .= $config['cookies']['salt'];
// Use SHA1 for the hash // Use SHA1 for the hash
$_hash = sha1($_hash); $_hash = sha1($_hash . $extra_salt);
return $hash != $_hash; return $hash != $_hash;
} }
@ -1197,7 +1211,6 @@
$content['pages'] = $pages; $content['pages'] = $pages;
$content['pages'][$page-1]['selected'] = true; $content['pages'][$page-1]['selected'] = true;
$content['btn'] = getPageButtons($content['pages']); $content['btn'] = getPageButtons($content['pages']);
$content['hidden_inputs'] = createHiddenInputs();
file_write($filename, Element('index.html', $content)); file_write($filename, Element('index.html', $content));
if(isset($md5) && $md5 == md5_file($filename)) { if(isset($md5) && $md5 == md5_file($filename)) {
@ -1460,7 +1473,6 @@
'id' => $id, 'id' => $id,
'mod' => $mod, 'mod' => $mod,
'boardlist' => createBoardlist($mod), 'boardlist' => createBoardlist($mod),
'hidden_inputs' => $content['hidden_inputs'] = createHiddenInputs(),
'return' => ($mod ? '?' . $board['url'] . $config['file_index'] : $config['root'] . $board['uri'] . '/' . $config['file_index']) 'return' => ($mod ? '?' . $board['url'] . $config['file_index'] : $config['root'] . $board['uri'] . '/' . $config['file_index'])
)); ));
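Review bot: The board/thread binding added here still ends in the loose comparison `return $hash != $_hash;` at the bottom of checkSpam(), where `$hash` is the raw `$_POST['hash']` value. With `!=`, PHP compares two numeric-looking strings as numbers, so a submitted value does not have to be byte-identical to the expected SHA1 to be accepted. I would change it to `return !is_string($hash) || $hash !== $_hash;`, or use `!hash_equals($_hash, $hash)` where the PHP version provides it. Separately, the comment `// create a salted hash of the "extra salt"` in both createHiddenInputs() and checkSpam() does not match the code, which only joins the array with `implode(':', ...)`; `// flatten the extra salt (board URI, thread ID) into one string` would be accurate.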


@ -1954,7 +1954,6 @@
$page['pages'] = getPages(true); $page['pages'] = getPages(true);
$page['pages'][$page_no-1]['selected'] = true; $page['pages'][$page_no-1]['selected'] = true;
$page['btn'] = getPageButtons($page['pages'], true); $page['btn'] = getPageButtons($page['pages'], true);
$page['hidden_inputs'] = createHiddenInputs();
$page['mod'] = true; $page['mod'] = true;
echo Element('index.html', $page); echo Element('index.html', $page);


@ -197,7 +197,7 @@
} }
} }
if(checkSpam()) if(checkSpam(Array($board['uri'], isset($post['thread']) ? $post['thread'] : null)))
error($config['error']['spam']); error($config['error']['spam']);
if($config['robot_enable'] && $config['robot_mute']) { if($config['robot_enable'] && $config['robot_mute']) {
@ -250,7 +250,7 @@
error($config['error']['noimage']); error($config['error']['noimage']);
} }
$post['name'] = (!empty($_POST['name'])?$_POST['name']:$config['anonymous']); $post['name'] = !empty($_POST['name']) ? $_POST['name'] : $config['anonymous'];
$post['subject'] = $_POST['subject']; $post['subject'] = $_POST['subject'];
$post['email'] = utf8tohtml($_POST['email']); $post['email'] = utf8tohtml($_POST['email']);
$post['body'] = $_POST['body']; $post['body'] = $_POST['body'];
@ -306,7 +306,7 @@
if($mod && $mod['type'] >= MOD && preg_match('/^((.+) )?## (.+)$/', $post['name'], $match)) { if($mod && $mod['type'] >= MOD && preg_match('/^((.+) )?## (.+)$/', $post['name'], $match)) {
if(($mod['type'] == MOD && $match[3] == 'Mod') || $mod['type'] >= ADMIN) { if(($mod['type'] == MOD && $match[3] == 'Mod') || $mod['type'] >= ADMIN) {
$post['capcode'] = utf8tohtml($match[3]); $post['capcode'] = utf8tohtml($match[3]);
$post['name'] = !empty($match[2])?$match[2]:$config['anonymous']; $post['name'] = !empty($match[2]) ? $match[2] : $config['anonymous'];
} }
} else { } else {
$post['capcode'] = false; $post['capcode'] = false;
@ -314,7 +314,7 @@
$trip = generate_tripcode($post['name']); $trip = generate_tripcode($post['name']);
$post['name'] = $trip[0]; $post['name'] = $trip[0];
$post['trip'] = (isset($trip[1])?$trip[1]:''); $post['trip'] = isset($trip[1]) ? $trip[1] : '';
if(strtolower($post['email']) == 'noko') { if(strtolower($post['email']) == 'noko') {
$noko = true; $noko = true;
@ -583,7 +583,7 @@
} }
} }
buildThread(($OP?$id:$post['thread'])); buildThread($OP ? $id : $post['thread']);
if(!$OP && strtolower($post['email']) != 'sage' && !$thread['sage'] && ($config['reply_limit'] == 0 || numPosts($post['thread']) < $config['reply_limit'])) { if(!$OP && strtolower($post['email']) != 'sage' && !$thread['sage'] && ($config['reply_limit'] == 0 || numPosts($post['thread']) < $config['reply_limit'])) {
bumpThread($post['thread']); bumpThread($post['thread']);
@ -603,20 +603,20 @@
// Tell it to delete the cached post for referer // Tell it to delete the cached post for referer
$js->{$_SERVER['HTTP_REFERER']} = true; $js->{$_SERVER['HTTP_REFERER']} = true;
// Encode and set cookie // Encode and set cookie
setcookie($config['cookies']['js'], json_encode($js), 0, $config['cookies']['jail']?$config['cookies']['path']:'/', null, false, false); setcookie($config['cookies']['js'], json_encode($js), 0, $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, false);
} }
$root = $post['mod'] ? $config['root'] . $config['file_mod'] . '?/' : $config['root']; $root = $post['mod'] ? $config['root'] . $config['file_mod'] . '?/' : $config['root'];
if($config['always_noko'] || $noko) { if($config['always_noko'] || $noko) {
$redirect = $root . $board['dir'] . $config['dir']['res'] . sprintf($config['file_page'], $OP?$id:$post['thread']) . (!$OP?'#'.$id:''); $redirect = $root . $board['dir'] . $config['dir']['res'] . sprintf($config['file_page'], $OP ? $id:$post['thread']) . (!$OP ? '#' . $id : '');
} else { } else {
$redirect = $root . $board['dir'] . $config['file_index']; $redirect = $root . $board['dir'] . $config['file_index'];
} }
if($config['syslog']) if($config['syslog'])
_syslog(LOG_INFO, 'New post: /' . $board['dir'] . $config['dir']['res'] . sprintf($config['file_page'], $OP?$id:$post['thread']) . (!$OP?'#'.$id:'')); _syslog(LOG_INFO, 'New post: /' . $board['dir'] . $config['dir']['res'] . sprintf($config['file_page'], $OP?$id:$post['thread']) . (!$OP ? '#' . $id : ''));
rebuildThemes('post'); rebuildThemes('post');
header('Location: ' . $redirect, true, $config['redirect_http']); header('Location: ' . $redirect, true, $config['redirect_http']);
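Review bot: Nothing at the new checkSpam() call says that its salt array must stringify to exactly what the post form template passes as `createHiddenInputs([board.uri, id])`. `$post['thread']` is presumably taken from the request, so any difference in form (null versus an empty or zero `id` on a new-thread form, or a non-canonical numeric string) makes verification fail; that fails closed, but it would reject legitimate posts. A comment such as `// must match createHiddenInputs([board.uri, id]) in the post form template` at the call would help, and it is worth confirming that `id` is unset or empty wherever the new-thread form is rendered.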


@ -1,5 +1,5 @@
<form name="post" onsubmit="return dopost(this);" enctype="multipart/form-data" action="{{ config.post_url }}" method="post"> <form name="post" onsubmit="return dopost(this);" enctype="multipart/form-data" action="{{ config.post_url }}" method="post">
{{ hidden_inputs }} {{ createHiddenInputs([board.uri, id]) }}
{% if id %}<input type="hidden" name="thread" value="{{ id }}" />{% endif %} {% if id %}<input type="hidden" name="thread" value="{{ id }}" />{% endif %}
<input type="hidden" name="board" value="{{ board.uri }}" /> <input type="hidden" name="board" value="{{ board.uri }}" />
{% if mod %}<input type="hidden" name="mod" value="1" />{% endif %} {% if mod %}<input type="hidden" name="mod" value="1" />{% endif %}