prohibit using same anti-bot hashes across different boards/threads
This commit is contained in:
parent
368050852a
commit
cd30f3b0b9
@ -33,7 +33,8 @@ class Twig_Extensions_Extension_Tinyboard extends Twig_Extension
|
||||
public function getFunctions()
|
||||
{
|
||||
return Array(
|
||||
'time' => new Twig_Filter_Function('time', array('needs_environment' => false))
|
||||
'time' => new Twig_Filter_Function('time', array('needs_environment' => false)),
|
||||
'createHiddenInputs' => new Twig_Filter_Function('createHiddenInputs', array('needs_environment' => false))
|
||||
);
|
||||
}
|
||||
|
||||
|
@ -1048,9 +1048,16 @@
|
||||
}
|
||||
}
|
||||
|
||||
function createHiddenInputs() {
|
||||
function createHiddenInputs($extra_salt = Array()) {
|
||||
global $config;
|
||||
|
||||
if(!empty($extra_salt)) {
|
||||
// create a salted hash of the "extra salt"
|
||||
$extra_salt = implode(':', $extra_salt);
|
||||
} else {
|
||||
$extra_salt = '';
|
||||
}
|
||||
|
||||
$inputs = Array();
|
||||
|
||||
shuffle($config['spam']['hidden_input_names']);
|
||||
@ -1139,7 +1146,7 @@
|
||||
$hash .= $config['cookies']['salt'];
|
||||
|
||||
// Use SHA1 for the hash
|
||||
$hash = sha1($hash);
|
||||
$hash = sha1($hash . $extra_salt);
|
||||
|
||||
// Append it to the HTML
|
||||
$content .= '<input type="hidden" name="hash" value="' . $hash . '" />';
|
||||
@ -1147,7 +1154,7 @@
|
||||
return $content;
|
||||
}
|
||||
|
||||
function checkSpam() {
|
||||
function checkSpam($extra_salt = Array()) {
|
||||
global $config;
|
||||
|
||||
if(!isset($_POST['hash']))
|
||||
@ -1155,6 +1162,13 @@
|
||||
|
||||
$hash = $_POST['hash'];
|
||||
|
||||
if(!empty($extra_salt)) {
|
||||
// create a salted hash of the "extra salt"
|
||||
$extra_salt = implode(':', $extra_salt);
|
||||
} else {
|
||||
$extra_salt = '';
|
||||
}
|
||||
|
||||
// Reconsturct the $inputs array
|
||||
$inputs = Array();
|
||||
|
||||
@ -1179,7 +1193,7 @@
|
||||
$_hash .= $config['cookies']['salt'];
|
||||
|
||||
// Use SHA1 for the hash
|
||||
$_hash = sha1($_hash);
|
||||
$_hash = sha1($_hash . $extra_salt);
|
||||
|
||||
return $hash != $_hash;
|
||||
}
|
||||
@ -1197,7 +1211,6 @@
|
||||
$content['pages'] = $pages;
|
||||
$content['pages'][$page-1]['selected'] = true;
|
||||
$content['btn'] = getPageButtons($content['pages']);
|
||||
$content['hidden_inputs'] = createHiddenInputs();
|
||||
file_write($filename, Element('index.html', $content));
|
||||
|
||||
if(isset($md5) && $md5 == md5_file($filename)) {
|
||||
@ -1460,7 +1473,6 @@
|
||||
'id' => $id,
|
||||
'mod' => $mod,
|
||||
'boardlist' => createBoardlist($mod),
|
||||
'hidden_inputs' => $content['hidden_inputs'] = createHiddenInputs(),
|
||||
'return' => ($mod ? '?' . $board['url'] . $config['file_index'] : $config['root'] . $board['uri'] . '/' . $config['file_index'])
|
||||
));
|
||||
|
||||
|
1
mod.php
1
mod.php
@ -1954,7 +1954,6 @@
|
||||
$page['pages'] = getPages(true);
|
||||
$page['pages'][$page_no-1]['selected'] = true;
|
||||
$page['btn'] = getPageButtons($page['pages'], true);
|
||||
$page['hidden_inputs'] = createHiddenInputs();
|
||||
$page['mod'] = true;
|
||||
|
||||
echo Element('index.html', $page);
|
||||
|
16
post.php
16
post.php
@ -197,7 +197,7 @@
|
||||
}
|
||||
}
|
||||
|
||||
if(checkSpam())
|
||||
if(checkSpam(Array($board['uri'], isset($post['thread']) ? $post['thread'] : null)))
|
||||
error($config['error']['spam']);
|
||||
|
||||
if($config['robot_enable'] && $config['robot_mute']) {
|
||||
@ -250,7 +250,7 @@
|
||||
error($config['error']['noimage']);
|
||||
}
|
||||
|
||||
$post['name'] = (!empty($_POST['name'])?$_POST['name']:$config['anonymous']);
|
||||
$post['name'] = !empty($_POST['name']) ? $_POST['name'] : $config['anonymous'];
|
||||
$post['subject'] = $_POST['subject'];
|
||||
$post['email'] = utf8tohtml($_POST['email']);
|
||||
$post['body'] = $_POST['body'];
|
||||
@ -306,7 +306,7 @@
|
||||
if($mod && $mod['type'] >= MOD && preg_match('/^((.+) )?## (.+)$/', $post['name'], $match)) {
|
||||
if(($mod['type'] == MOD && $match[3] == 'Mod') || $mod['type'] >= ADMIN) {
|
||||
$post['capcode'] = utf8tohtml($match[3]);
|
||||
$post['name'] = !empty($match[2])?$match[2]:$config['anonymous'];
|
||||
$post['name'] = !empty($match[2]) ? $match[2] : $config['anonymous'];
|
||||
}
|
||||
} else {
|
||||
$post['capcode'] = false;
|
||||
@ -314,7 +314,7 @@
|
||||
|
||||
$trip = generate_tripcode($post['name']);
|
||||
$post['name'] = $trip[0];
|
||||
$post['trip'] = (isset($trip[1])?$trip[1]:'');
|
||||
$post['trip'] = isset($trip[1]) ? $trip[1] : '';
|
||||
|
||||
if(strtolower($post['email']) == 'noko') {
|
||||
$noko = true;
|
||||
@ -583,7 +583,7 @@
|
||||
}
|
||||
}
|
||||
|
||||
buildThread(($OP?$id:$post['thread']));
|
||||
buildThread($OP ? $id : $post['thread']);
|
||||
|
||||
if(!$OP && strtolower($post['email']) != 'sage' && !$thread['sage'] && ($config['reply_limit'] == 0 || numPosts($post['thread']) < $config['reply_limit'])) {
|
||||
bumpThread($post['thread']);
|
||||
@ -603,20 +603,20 @@
|
||||
// Tell it to delete the cached post for referer
|
||||
$js->{$_SERVER['HTTP_REFERER']} = true;
|
||||
// Encode and set cookie
|
||||
setcookie($config['cookies']['js'], json_encode($js), 0, $config['cookies']['jail']?$config['cookies']['path']:'/', null, false, false);
|
||||
setcookie($config['cookies']['js'], json_encode($js), 0, $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, false);
|
||||
}
|
||||
|
||||
$root = $post['mod'] ? $config['root'] . $config['file_mod'] . '?/' : $config['root'];
|
||||
|
||||
if($config['always_noko'] || $noko) {
|
||||
$redirect = $root . $board['dir'] . $config['dir']['res'] . sprintf($config['file_page'], $OP?$id:$post['thread']) . (!$OP?'#'.$id:'');
|
||||
$redirect = $root . $board['dir'] . $config['dir']['res'] . sprintf($config['file_page'], $OP ? $id:$post['thread']) . (!$OP ? '#' . $id : '');
|
||||
} else {
|
||||
$redirect = $root . $board['dir'] . $config['file_index'];
|
||||
|
||||
}
|
||||
|
||||
if($config['syslog'])
|
||||
_syslog(LOG_INFO, 'New post: /' . $board['dir'] . $config['dir']['res'] . sprintf($config['file_page'], $OP?$id:$post['thread']) . (!$OP?'#'.$id:''));
|
||||
_syslog(LOG_INFO, 'New post: /' . $board['dir'] . $config['dir']['res'] . sprintf($config['file_page'], $OP?$id:$post['thread']) . (!$OP ? '#' . $id : ''));
|
||||
|
||||
rebuildThemes('post');
|
||||
header('Location: ' . $redirect, true, $config['redirect_http']);
|
||||
|
@ -1,5 +1,5 @@
|
||||
<form name="post" onsubmit="return dopost(this);" enctype="multipart/form-data" action="{{ config.post_url }}" method="post">
|
||||
{{ hidden_inputs }}
|
||||
{{ createHiddenInputs([board.uri, id]) }}
|
||||
{% if id %}<input type="hidden" name="thread" value="{{ id }}" />{% endif %}
|
||||
<input type="hidden" name="board" value="{{ board.uri }}" />
|
||||
{% if mod %}<input type="hidden" name="mod" value="1" />{% endif %}
|
||||
|
Loading…
Reference in New Issue
Block a user