diff --git a/inc/config.php b/inc/config.php index dd156c02..0c7dfb8f 100644 --- a/inc/config.php +++ b/inc/config.php @@ -164,6 +164,7 @@ $config['error']['delete_too_soon'] = 'You\'ll have to wait another %s before deleting that.'; $config['error']['mime_exploit'] = 'MIME type detection XSS exploit (IE) detected; post discarded.'; $config['error']['invalid_embed'] = 'Couldn\'t make sense of the URL of the video you tried to embed.'; + $config['error']['captcha'] = 'You seem to have mistyped the verification.'; // Moderator errors $config['error']['invalid'] = 'Invalid username and/or password.'; @@ -246,7 +247,7 @@ // Display the aspect ratio in a post's file info $config['show_ratio'] = false; - // Display the file's original filename + // Display the file's original filename $config['show_filename']= true; // Directory where temporary files will be created. Not really used much yet except for some experimental stuff. @@ -538,7 +539,9 @@ 'sticky', 'lock', 'raw', - 'embed' + 'embed', + 'recaptcha_challenge_field', + 'recaptcha_response_field' ); // Custom flood filters. Detect flood attacks and reject new posts if there's a positive match. @@ -730,6 +733,12 @@ // ) //); + // Enable reCaptcha to make spam even harder + $config['recaptcha'] = false; + // Public and private key pair from https://www.google.com/recaptcha/admin/create + $config['recaptcha_public'] = '6LcXTcUSAAAAAKBxyFWIt2SO8jwx4W7wcSMRoN3f'; + $config['recaptcha_private'] = '6LcXTcUSAAAAAOGVbVdhmEM1_SyRF4xTKe8jbzf_'; + if($_SERVER['SCRIPT_FILENAME'] == str_replace('\\', '/', __FILE__)) { // You cannot request this file directly. header('Location: ../', true, 302); diff --git a/inc/contrib/recaptcha/LICENSE b/inc/contrib/recaptcha/LICENSE new file mode 100644 index 00000000..b612f71f --- /dev/null +++ b/inc/contrib/recaptcha/LICENSE @@ -0,0 +1,22 @@ +Copyright (c) 2007 reCAPTCHA -- http://recaptcha.net +AUTHORS: + Mike Crawford + Ben Maurer + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/inc/contrib/recaptcha/recaptchalib.php b/inc/contrib/recaptcha/recaptchalib.php new file mode 100644 index 00000000..32c4f4d7 --- /dev/null +++ b/inc/contrib/recaptcha/recaptchalib.php @@ -0,0 +1,277 @@ + $value ) + $req .= $key . '=' . urlencode( stripslashes($value) ) . '&'; + + // Cut the last '&' + $req=substr($req,0,strlen($req)-1); + return $req; +} + + + +/** + * Submits an HTTP POST to a reCAPTCHA server + * @param string $host + * @param string $path + * @param array $data + * @param int port + * @return array response + */ +function _recaptcha_http_post($host, $path, $data, $port = 80) { + + $req = _recaptcha_qsencode ($data); + + $http_request = "POST $path HTTP/1.0\r\n"; + $http_request .= "Host: $host\r\n"; + $http_request .= "Content-Type: application/x-www-form-urlencoded;\r\n"; + $http_request .= "Content-Length: " . strlen($req) . "\r\n"; + $http_request .= "User-Agent: reCAPTCHA/PHP\r\n"; + $http_request .= "\r\n"; + $http_request .= $req; + + $response = ''; + if( false == ( $fs = @fsockopen($host, $port, $errno, $errstr, 10) ) ) { + die ('Could not open socket'); + } + + fwrite($fs, $http_request); + + while ( !feof($fs) ) + $response .= fgets($fs, 1160); // One TCP-IP packet + fclose($fs); + $response = explode("\r\n\r\n", $response, 2); + + return $response; +} + + + +/** + * Gets the challenge HTML (javascript and non-javascript version). + * This is called from the browser, and the resulting reCAPTCHA HTML widget + * is embedded within the HTML form it was called from. + * @param string $pubkey A public key for reCAPTCHA + * @param string $error The error given by reCAPTCHA (optional, default is null) + * @param boolean $use_ssl Should the request be made over ssl? (optional, default is false) + + * @return string - The HTML to be embedded in the user's form. + */ +function recaptcha_get_html ($pubkey, $error = null, $use_ssl = false) +{ + if ($pubkey == null || $pubkey == '') { + die ("To use reCAPTCHA you must get an API key from https://www.google.com/recaptcha/admin/create"); + } + + if ($use_ssl) { + $server = RECAPTCHA_API_SECURE_SERVER; + } else { + $server = RECAPTCHA_API_SERVER; + } + + $errorpart = ""; + if ($error) { + $errorpart = "&error=" . $error; + } + return ' + + '; +} + + + + +/** + * A ReCaptchaResponse is returned from recaptcha_check_answer() + */ +class ReCaptchaResponse { + var $is_valid; + var $error; +} + + +/** + * Calls an HTTP POST function to verify if the user's guess was correct + * @param string $privkey + * @param string $remoteip + * @param string $challenge + * @param string $response + * @param array $extra_params an array of extra variables to post to the server + * @return ReCaptchaResponse + */ +function recaptcha_check_answer ($privkey, $remoteip, $challenge, $response, $extra_params = array()) +{ + if ($privkey == null || $privkey == '') { + die ("To use reCAPTCHA you must get an API key from https://www.google.com/recaptcha/admin/create"); + } + + if ($remoteip == null || $remoteip == '') { + die ("For security reasons, you must pass the remote ip to reCAPTCHA"); + } + + + + //discard spam submissions + if ($challenge == null || strlen($challenge) == 0 || $response == null || strlen($response) == 0) { + $recaptcha_response = new ReCaptchaResponse(); + $recaptcha_response->is_valid = false; + $recaptcha_response->error = 'incorrect-captcha-sol'; + return $recaptcha_response; + } + + $response = _recaptcha_http_post (RECAPTCHA_VERIFY_SERVER, "/recaptcha/api/verify", + array ( + 'privatekey' => $privkey, + 'remoteip' => $remoteip, + 'challenge' => $challenge, + 'response' => $response + ) + $extra_params + ); + + $answers = explode ("\n", $response [1]); + $recaptcha_response = new ReCaptchaResponse(); + + if (trim ($answers [0]) == 'true') { + $recaptcha_response->is_valid = true; + } + else { + $recaptcha_response->is_valid = false; + $recaptcha_response->error = $answers [1]; + } + return $recaptcha_response; + +} + +/** + * gets a URL where the user can sign up for reCAPTCHA. If your application + * has a configuration page where you enter a key, you should provide a link + * using this function. + * @param string $domain The domain where the page is hosted + * @param string $appname The name of your application + */ +function recaptcha_get_signup_url ($domain = null, $appname = null) { + return "https://www.google.com/recaptcha/admin/create?" . _recaptcha_qsencode (array ('domains' => $domain, 'app' => $appname)); +} + +function _recaptcha_aes_pad($val) { + $block_size = 16; + $numpad = $block_size - (strlen ($val) % $block_size); + return str_pad($val, strlen ($val) + $numpad, chr($numpad)); +} + +/* Mailhide related code */ + +function _recaptcha_aes_encrypt($val,$ky) { + if (! function_exists ("mcrypt_encrypt")) { + die ("To use reCAPTCHA Mailhide, you need to have the mcrypt php module installed."); + } + $mode=MCRYPT_MODE_CBC; + $enc=MCRYPT_RIJNDAEL_128; + $val=_recaptcha_aes_pad($val); + return mcrypt_encrypt($enc, $ky, $val, $mode, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"); +} + + +function _recaptcha_mailhide_urlbase64 ($x) { + return strtr(base64_encode ($x), '+/', '-_'); +} + +/* gets the reCAPTCHA Mailhide url for a given email, public key and private key */ +function recaptcha_mailhide_url($pubkey, $privkey, $email) { + if ($pubkey == '' || $pubkey == null || $privkey == "" || $privkey == null) { + die ("To use reCAPTCHA Mailhide, you have to sign up for a public and private key, " . + "you can do so at http://www.google.com/recaptcha/mailhide/apikey"); + } + + + $ky = pack('H*', $privkey); + $cryptmail = _recaptcha_aes_encrypt ($email, $ky); + + return "http://www.google.com/recaptcha/mailhide/d?k=" . $pubkey . "&c=" . _recaptcha_mailhide_urlbase64 ($cryptmail); +} + +/** + * gets the parts of the email to expose to the user. + * eg, given johndoe@example,com return ["john", "example.com"]. + * the email is then displayed as john...@example.com + */ +function _recaptcha_mailhide_email_parts ($email) { + $arr = preg_split("/@/", $email ); + + if (strlen ($arr[0]) <= 4) { + $arr[0] = substr ($arr[0], 0, 1); + } else if (strlen ($arr[0]) <= 6) { + $arr[0] = substr ($arr[0], 0, 3); + } else { + $arr[0] = substr ($arr[0], 0, 4); + } + return $arr; +} + +/** + * Gets html to display an email address given a public an private key. + * to get a key, go to: + * + * http://www.google.com/recaptcha/mailhide/apikey + */ +function recaptcha_mailhide_html($pubkey, $privkey, $email) { + $emailparts = _recaptcha_mailhide_email_parts ($email); + $url = recaptcha_mailhide_url ($pubkey, $privkey, $email); + + return htmlentities($emailparts[0]) . "...@" . htmlentities ($emailparts [1]); + +} + + +?> diff --git a/inc/functions.php b/inc/functions.php old mode 100755 new mode 100644 index e8ee59cf..fb395686 --- a/inc/functions.php +++ b/inc/functions.php @@ -102,6 +102,8 @@ $_SERVER['REMOTE_ADDR'] = $m[2]; } + if($config['recaptcha']) + require_once 'inc/contrib/recaptcha/recaptchalib.php'; if($config['memcached']['enabled']) memcached_open(); } diff --git a/main.js b/main.js index 52f4bb60..4f69a205 100644 --- a/main.js +++ b/main.js @@ -53,8 +53,8 @@ function citeReply(id) { var selectedstyle = 'Yotsuba B'; var styles = [ - ['Yotsuba B', '/default.css'], - ['Yotsuba', '/yotsuba.css'] + ['Yotsuba B', '/Tinyboard/default.css'], + ['Yotsuba', '/Tinyboard/yotsuba.css'] ]; var saved = {}; @@ -161,4 +161,9 @@ function init() } } +var RecaptchaOptions = { + theme : 'clean' +}; + + window.onload = init; diff --git a/post.php b/post.php index 01ec3898..ec2f6f15 100644 --- a/post.php +++ b/post.php @@ -183,6 +183,20 @@ if(!openBoard($post['board'])) error($config['error']['noboard']); + // Check for CAPTCHA right after opening the board so the "return" link is in there + if($config['recaptcha']) { + if(!isset($_POST['recaptcha_challenge_field']) || !isset($_POST['recaptcha_response_field'])) + error($config['error']['bot']); + // Check what reCAPTCHA has to say... + $resp = recaptcha_check_answer($config['recaptcha_private'], + $_SERVER['REMOTE_ADDR'], + $_POST['recaptcha_challenge_field'], + $_POST['recaptcha_response_field']); + if(!$resp->is_valid) { + error($config['error']['captcha']); + } + } + if(checkSpam()) error($config['error']['spam']); diff --git a/templates/index.html b/templates/index.html index c0491534..d00380e6 100644 --- a/templates/index.html +++ b/templates/index.html @@ -9,6 +9,22 @@ {config[meta_keywords]?} + {config[recaptcha]?}
{boardlist[top]} @@ -56,6 +72,16 @@ + {config[recaptcha]? +Powered by Tinyboard v0.9.2 | Tinyboard Copyright © 2010-2011 Tinyboard Development Group
All trademarks, copyrights, comments and images on this page are owned by and/or are the responsibility of their respective parties.
-