|
- <?php
-
- /*
- * Copyright (c) 2010-2013 Tinyboard Development Group
- */
-
- defined('TINYBOARD') or exit;
-
- $hidden_inputs_twig = array();
-
- class AntiBot {
- public $salt, $inputs = array(), $index = 0;
-
- public static function randomString($length, $uppercase = false, $special_chars = false, $unicode_chars = false) {
- $chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
- if ($uppercase)
- $chars .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
- if ($special_chars)
- $chars .= ' ~!@#$%^&*()_+,./;\'[]\\{}|:<>?=-` ';
- if ($unicode_chars) {
- $len = strlen($chars) / 10;
- for ($n = 0; $n < $len; $n++)
- $chars .= mb_convert_encoding('&#' . mt_rand(0x2600, 0x26FF) . ';', 'UTF-8', 'HTML-ENTITIES');
- }
-
- $chars = preg_split('//u', $chars, -1, PREG_SPLIT_NO_EMPTY);
-
- $ch = array();
-
- // fill up $ch until we reach $length
- while (count($ch) < $length) {
- $n = $length - count($ch);
- $keys = array_rand($chars, $n > count($chars) ? count($chars) : $n);
- if ($n == 1) {
- $ch[] = $chars[$keys];
- break;
- }
- shuffle($keys);
- foreach ($keys as $key)
- $ch[] = $chars[$key];
- }
-
- $chars = $ch;
-
- return implode('', $chars);
- }
-
- public static function make_confusing($string) {
- $chars = preg_split('//u', $string, -1, PREG_SPLIT_NO_EMPTY);
-
- foreach ($chars as &$c) {
- if (mt_rand(0, 3) != 0)
- $c = utf8tohtml($c);
- else
- $c = mb_encode_numericentity($c, array(0, 0xffff, 0, 0xffff), 'UTF-8');
- }
-
- return implode('', $chars);
- }
-
- public function __construct(array $salt = array()) {
- global $config;
-
- if (!empty($salt)) {
- // create a salted hash of the "extra salt"
- $this->salt = implode(':', $salt);
- } else {
- $this->salt = '';
- }
-
- shuffle($config['spam']['hidden_input_names']);
-
- $input_count = mt_rand($config['spam']['hidden_inputs_min'], $config['spam']['hidden_inputs_max']);
- $hidden_input_names_x = 0;
-
- for ($x = 0; $x < $input_count ; $x++) {
- if ($hidden_input_names_x === false || mt_rand(0, 2) == 0) {
- // Use an obscure name
- $name = $this->randomString(mt_rand(10, 40), false, false, $config['spam']['unicode']);
- } else {
- // Use a pre-defined confusing name
- $name = $config['spam']['hidden_input_names'][$hidden_input_names_x++];
- if ($hidden_input_names_x >= count($config['spam']['hidden_input_names']))
- $hidden_input_names_x = false;
- }
-
- if (mt_rand(0, 2) == 0) {
- // Value must be null
- $this->inputs[$name] = '';
- } elseif (mt_rand(0, 4) == 0) {
- // Numeric value
- $this->inputs[$name] = (string)mt_rand(0, 100000);
- } else {
- // Obscure value
- $this->inputs[$name] = $this->randomString(mt_rand(5, 100), true, true, $config['spam']['unicode']);
- }
- }
- }
-
- public static function space() {
- if (mt_rand(0, 3) != 0)
- return ' ';
- return str_repeat(' ', mt_rand(1, 3));
- }
-
- public function html($count = false) {
- global $config;
-
- $elements = array(
- '<input type="hidden" name="%name%" value="%value%">',
- '<input type="hidden" value="%value%" name="%name%">',
- '<input name="%name%" value="%value%" type="hidden">',
- '<input value="%value%" name="%name%" type="hidden">',
- '<input style="display:none" type="text" name="%name%" value="%value%">',
- '<input style="display:none" type="text" value="%value%" name="%name%">',
- '<span style="display:none"><input type="text" name="%name%" value="%value%"></span>',
- '<div style="display:none"><input type="text" name="%name%" value="%value%"></div>',
- '<div style="display:none"><input type="text" name="%name%" value="%value%"></div>',
- '<textarea style="display:none" name="%name%">%value%</textarea>',
- '<textarea name="%name%" style="display:none">%value%</textarea>'
- );
-
- $html = '';
-
- if ($count === false) {
- $count = mt_rand(1, abs(count($this->inputs) / 15) + 1);
- }
-
- if ($count === true) {
- // all elements
- $inputs = array_slice($this->inputs, $this->index);
- } else {
- $inputs = array_slice($this->inputs, $this->index, $count);
- }
- $this->index += count($inputs);
-
- foreach ($inputs as $name => $value) {
- $element = false;
- while (!$element) {
- $element = $elements[array_rand($elements)];
- $element = str_replace(' ', self::space(), $element);
- if (mt_rand(0, 5) == 0)
- $element = str_replace('>', self::space() . '>', $element);
- if (strpos($element, 'textarea') !== false && $value == '') {
- // There have been some issues with mobile web browsers and empty <textarea>'s.
- $element = false;
- }
- }
-
- $element = str_replace('%name%', utf8tohtml($name), $element);
-
- if (mt_rand(0, 2) == 0)
- $value = $this->make_confusing($value);
- else
- $value = utf8tohtml($value);
-
- if (strpos($element, 'textarea') === false)
- $value = str_replace('"', '"', $value);
-
- $element = str_replace('%value%', $value, $element);
-
- $html .= $element;
- }
-
- return $html;
- }
-
- public function reset() {
- $this->index = 0;
- }
-
- public function hash() {
- global $config;
-
- // This is the tricky part: create a hash to validate it after
- // First, sort the keys in alphabetical order (A-Z)
- $inputs = $this->inputs;
- ksort($inputs);
-
- $hash = '';
- // Iterate through each input
- foreach ($inputs as $name => $value) {
- $hash .= $name . '=' . $value;
- }
- // Add a salt to the hash
- $hash .= $config['cookies']['salt'];
-
- // Use SHA1 for the hash
- return sha1($hash . $this->salt);
- }
- }
-
- function _create_antibot($board, $thread) {
- global $config, $purged_old_antispam;
-
- $antibot = new AntiBot(array($board, $thread));
-
- if (!isset($purged_old_antispam)) {
- $purged_old_antispam = true;
- query('DELETE FROM ``antispam`` WHERE `expires` < UNIX_TIMESTAMP()') or error(db_error());
- }
-
- if ($thread)
- $query = prepare('UPDATE ``antispam`` SET `expires` = UNIX_TIMESTAMP() + :expires WHERE `board` = :board AND `thread` = :thread AND `expires` IS NULL');
- else
- $query = prepare('UPDATE ``antispam`` SET `expires` = UNIX_TIMESTAMP() + :expires WHERE `board` = :board AND `thread` IS NULL AND `expires` IS NULL');
-
- $query->bindValue(':board', $board);
- if ($thread)
- $query->bindValue(':thread', $thread);
- $query->bindValue(':expires', $config['spam']['hidden_inputs_expire']);
- $query->execute() or error(db_error($query));
-
- $query = prepare('INSERT INTO ``antispam`` VALUES (:board, :thread, :hash, UNIX_TIMESTAMP(), NULL, 0)');
- $query->bindValue(':board', $board);
- $query->bindValue(':thread', $thread);
- $query->bindValue(':hash', $antibot->hash());
- $query->execute() or error(db_error($query));
-
- return $antibot;
- }
-
- function checkSpam(array $extra_salt = array()) {
- global $config, $pdo;
-
- if (!isset($_POST['hash']))
- return true;
-
- $hash = $_POST['hash'];
-
- if (!empty($extra_salt)) {
- // create a salted hash of the "extra salt"
- $extra_salt = implode(':', $extra_salt);
- } else {
- $extra_salt = '';
- }
-
- // Reconsturct the $inputs array
- $inputs = array();
-
- foreach ($_POST as $name => $value) {
- if (in_array($name, $config['spam']['valid_inputs']))
- continue;
-
- $inputs[$name] = $value;
- }
-
- // Sort the inputs in alphabetical order (A-Z)
- ksort($inputs);
-
- $_hash = '';
-
- // Iterate through each input
- foreach ($inputs as $name => $value) {
- $_hash .= $name . '=' . $value;
- }
-
- // Add a salt to the hash
- $_hash .= $config['cookies']['salt'];
-
- // Use SHA1 for the hash
- $_hash = sha1($_hash . $extra_salt);
-
- if ($hash != $_hash)
- return true;
-
- $query = prepare('SELECT `passed` FROM ``antispam`` WHERE `hash` = :hash');
- $query->bindValue(':hash', $hash);
- $query->execute() or error(db_error($query));
- if ((($passed = $query->fetchColumn(0)) === false) || ($passed > $config['spam']['hidden_inputs_max_pass'])) {
- // there was no database entry for this hash. most likely expired.
- return true;
- }
-
- return $hash;
- }
-
- function incrementSpamHash($hash) {
- $query = prepare('UPDATE ``antispam`` SET `passed` = `passed` + 1 WHERE `hash` = :hash');
- $query->bindValue(':hash', $hash);
- $query->execute() or error(db_error($query));
- }
|