2012-04-10 18:19:13 +02:00
|
|
|
<?php
|
|
|
|
|
2012-04-11 18:49:22 +02:00
|
|
|
/*
|
2013-01-20 11:23:46 +01:00
|
|
|
* Copyright (c) 2010-2013 Tinyboard Development Group
|
2012-04-11 18:49:22 +02:00
|
|
|
*/
|
|
|
|
|
2013-09-06 12:12:04 +02:00
|
|
|
defined('TINYBOARD') or exit;
|
2012-04-11 18:49:22 +02:00
|
|
|
|
2012-04-10 18:19:13 +02:00
|
|
|
class Filter {
|
2013-09-06 15:09:18 +02:00
|
|
|
public $flood_check;
|
2012-04-10 18:19:13 +02:00
|
|
|
private $condition;
|
|
|
|
|
|
|
|
public function __construct(array $arr) {
|
2012-04-12 16:18:19 +02:00
|
|
|
foreach ($arr as $key => $value)
|
2012-04-10 18:19:13 +02:00
|
|
|
$this->$key = $value;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function match(array $post, $condition, $match) {
|
|
|
|
$condition = strtolower($condition);
|
|
|
|
|
|
|
|
switch($condition) {
|
|
|
|
case 'custom':
|
2012-04-12 16:18:19 +02:00
|
|
|
if (!is_callable($match))
|
2012-04-10 18:19:13 +02:00
|
|
|
error('Custom condition for filter is not callable!');
|
|
|
|
return $match($post);
|
2013-09-06 15:09:18 +02:00
|
|
|
case 'flood-match':
|
|
|
|
if (!is_array($match))
|
|
|
|
error('Filter condition "flood-match" must be an array.');
|
|
|
|
|
|
|
|
// Filter out "flood" table entries which do not match this filter.
|
|
|
|
|
|
|
|
$flood_check_matched = array();
|
|
|
|
|
|
|
|
foreach ($this->flood_check as $flood_post) {
|
|
|
|
foreach ($match as $flood_match_arg) {
|
|
|
|
switch ($flood_match_arg) {
|
|
|
|
case 'ip':
|
|
|
|
if ($flood_post['ip'] != $_SERVER['REMOTE_ADDR'])
|
|
|
|
continue 3;
|
|
|
|
break;
|
|
|
|
case 'body':
|
|
|
|
if ($flood_post['posthash'] != md5($post['body_nomarkup']))
|
|
|
|
continue 3;
|
|
|
|
break;
|
|
|
|
case 'file':
|
|
|
|
if (!isset($post['filehash']))
|
|
|
|
return false;
|
|
|
|
if ($flood_post['filehash'] != $post['filehash'])
|
|
|
|
continue 3;
|
|
|
|
break;
|
|
|
|
case 'board':
|
|
|
|
if ($flood_post['board'] != $post['board'])
|
|
|
|
continue 3;
|
|
|
|
break;
|
|
|
|
case 'isreply':
|
|
|
|
if ($flood_post['isreply'] == $post['op'])
|
|
|
|
continue 3;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
error('Invalid filter flood condition: ' . $flood_match_arg);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
$flood_check_matched[] = $flood_post;
|
|
|
|
}
|
|
|
|
|
|
|
|
$this->flood_check = $flood_check_matched;
|
|
|
|
|
|
|
|
return !empty($this->flood_check);
|
|
|
|
case 'flood-time':
|
|
|
|
foreach ($this->flood_check as $flood_post) {
|
|
|
|
if (time() - $flood_post['time'] <= $match) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false;
|
2012-04-10 18:19:13 +02:00
|
|
|
case 'name':
|
|
|
|
return preg_match($match, $post['name']);
|
|
|
|
case 'trip':
|
2012-05-19 04:23:51 +02:00
|
|
|
return $match === $post['trip'];
|
2012-04-10 18:19:13 +02:00
|
|
|
case 'email':
|
|
|
|
return preg_match($match, $post['email']);
|
|
|
|
case 'subject':
|
|
|
|
return preg_match($match, $post['subject']);
|
|
|
|
case 'body':
|
2013-09-06 15:09:18 +02:00
|
|
|
return preg_match($match, $post['body_nomarkup']);
|
2012-04-10 18:19:13 +02:00
|
|
|
case 'filename':
|
2012-04-12 16:18:19 +02:00
|
|
|
if (!$post['has_file'])
|
2012-04-10 18:19:13 +02:00
|
|
|
return false;
|
|
|
|
return preg_match($match, $post['filename']);
|
|
|
|
case 'extension':
|
2012-04-12 16:18:19 +02:00
|
|
|
if (!$post['has_file'])
|
2012-04-10 18:19:13 +02:00
|
|
|
return false;
|
|
|
|
return preg_match($match, $post['body']);
|
|
|
|
case 'ip':
|
|
|
|
return preg_match($match, $_SERVER['REMOTE_ADDR']);
|
|
|
|
case 'op':
|
|
|
|
return $post['op'] == $match;
|
|
|
|
case 'has_file':
|
|
|
|
return $post['has_file'] == $match;
|
|
|
|
default:
|
|
|
|
error('Unknown filter condition: ' . $condition);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
public function action() {
|
|
|
|
global $board;
|
|
|
|
|
|
|
|
switch($this->action) {
|
|
|
|
case 'reject':
|
|
|
|
error(isset($this->message) ? $this->message : 'Posting throttled by flood filter.');
|
|
|
|
case 'ban':
|
2012-04-12 16:18:19 +02:00
|
|
|
if (!isset($this->reason))
|
2012-04-10 18:19:13 +02:00
|
|
|
error('The ban action requires a reason.');
|
|
|
|
|
|
|
|
$reason = $this->reason;
|
|
|
|
|
2012-04-12 16:18:19 +02:00
|
|
|
if (isset($this->expires))
|
2012-04-10 18:19:13 +02:00
|
|
|
$expires = time() + $this->expires;
|
|
|
|
else
|
|
|
|
$expires = 0; // Ban indefinitely
|
|
|
|
|
2012-04-12 16:18:19 +02:00
|
|
|
if (isset($this->reject))
|
2012-04-10 18:19:13 +02:00
|
|
|
$reject = $this->reject;
|
|
|
|
else
|
|
|
|
$reject = true;
|
|
|
|
|
2012-04-12 16:18:19 +02:00
|
|
|
if (isset($this->all_boards))
|
2012-04-10 18:19:13 +02:00
|
|
|
$all_boards = $this->all_boards;
|
|
|
|
else
|
|
|
|
$all_boards = false;
|
|
|
|
|
2013-08-01 04:14:26 +02:00
|
|
|
$query = prepare("INSERT INTO ``bans`` VALUES (NULL, :ip, :mod, :set, :expires, :reason, :board, 0)");
|
2012-04-10 18:19:13 +02:00
|
|
|
$query->bindValue(':ip', $_SERVER['REMOTE_ADDR']);
|
|
|
|
$query->bindValue(':mod', -1);
|
|
|
|
$query->bindValue(':set', time());
|
|
|
|
|
2012-04-12 16:18:19 +02:00
|
|
|
if ($expires)
|
2012-04-10 18:19:13 +02:00
|
|
|
$query->bindValue(':expires', $expires);
|
|
|
|
else
|
|
|
|
$query->bindValue(':expires', null, PDO::PARAM_NULL);
|
|
|
|
|
2012-04-12 16:18:19 +02:00
|
|
|
if ($reason)
|
2012-04-10 18:19:13 +02:00
|
|
|
$query->bindValue(':reason', $reason);
|
|
|
|
else
|
|
|
|
$query->bindValue(':reason', null, PDO::PARAM_NULL);
|
|
|
|
|
|
|
|
|
2012-04-12 16:18:19 +02:00
|
|
|
if ($all_boards)
|
2012-04-10 18:19:13 +02:00
|
|
|
$query->bindValue(':board', null, PDO::PARAM_NULL);
|
|
|
|
else
|
2012-04-12 15:23:47 +02:00
|
|
|
$query->bindValue(':board', $board['uri']);
|
2012-04-10 18:19:13 +02:00
|
|
|
|
|
|
|
$query->execute() or error(db_error($query));
|
|
|
|
|
2012-04-12 16:18:19 +02:00
|
|
|
if ($reject) {
|
|
|
|
if (isset($this->message))
|
2012-04-10 18:19:13 +02:00
|
|
|
error($message);
|
|
|
|
|
|
|
|
checkBan($board['uri']);
|
|
|
|
exit;
|
|
|
|
}
|
|
|
|
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
error('Unknown filter action: ' . $this->action);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
public function check(array $post) {
|
2012-04-12 16:18:19 +02:00
|
|
|
foreach ($this->condition as $condition => $value) {
|
|
|
|
if (!$this->match($post, $condition, $value))
|
2012-04-10 18:19:13 +02:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* match */
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-09-06 15:09:18 +02:00
|
|
|
function purge_flood_table() {
|
|
|
|
global $config;
|
|
|
|
|
|
|
|
// Determine how long we need to keep a cache of posts for flood prevention. Unfortunately, it is not
|
|
|
|
// aware of flood filters in other board configurations. You can solve this problem by settings the
|
|
|
|
// config variable $config['flood_cache'] (seconds).
|
|
|
|
|
|
|
|
if (isset($config['flood_cache'])) {
|
|
|
|
$max_time = &$config['flood_cache'];
|
|
|
|
} else {
|
|
|
|
$max_time = 0;
|
|
|
|
foreach ($config['filters'] as $filter) {
|
|
|
|
if (isset($filter['condition']['flood-time']))
|
|
|
|
$max_time = max($max_time, $filter['condition']['flood-time']);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
$time = time() - $max_time;
|
|
|
|
|
|
|
|
query("DELETE FROM ``flood`` WHERE ``time`` < $time") or error(db_error());
|
|
|
|
}
|
|
|
|
|
2012-04-10 18:19:13 +02:00
|
|
|
function do_filters(array $post) {
|
|
|
|
global $config;
|
|
|
|
|
2013-09-06 15:09:18 +02:00
|
|
|
if (!isset($config['filters']) || empty($config['filters']))
|
2012-04-10 18:19:13 +02:00
|
|
|
return;
|
|
|
|
|
2013-09-06 15:09:18 +02:00
|
|
|
foreach ($config['filters'] as $filter) {
|
|
|
|
if (isset($filter['condition']['flood-match'])) {
|
|
|
|
$has_flood = true;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
purge_flood_table();
|
|
|
|
|
|
|
|
if (isset($has_flood)) {
|
|
|
|
if ($post['has_file']) {
|
|
|
|
$query = prepare("SELECT * FROM ``flood`` WHERE `ip` = :ip OR `posthash` = :posthash OR `filehash` = :filehash");
|
|
|
|
$query->bindValue(':ip', $_SERVER['REMOTE_ADDR']);
|
|
|
|
$query->bindValue(':posthash', md5($post['body_nomarkup']));
|
|
|
|
$query->bindValue(':filehash', $post['filehash']);
|
|
|
|
} else {
|
|
|
|
$query = prepare("SELECT * FROM ``flood`` WHERE `ip` = :ip OR `posthash` = :posthash");
|
|
|
|
$query->bindValue(':ip', $_SERVER['REMOTE_ADDR']);
|
|
|
|
$query->bindValue(':posthash', md5($post['body_nomarkup']));
|
|
|
|
|
|
|
|
}
|
|
|
|
$query->execute() or error(db_error($query));
|
|
|
|
$flood_check = $query->fetchAll(PDO::FETCH_ASSOC);
|
|
|
|
} else {
|
|
|
|
$flood_check = false;
|
|
|
|
}
|
|
|
|
|
|
|
|
foreach ($config['filters'] as $filter_array) {
|
|
|
|
$filter = new Filter($filter_array);
|
|
|
|
$filter->flood_check = $flood_check;
|
2012-04-12 16:18:19 +02:00
|
|
|
if ($filter->check($post))
|
2012-04-10 18:19:13 +02:00
|
|
|
$filter->action();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|