1
0
mirror of https://github.com/vichan-devel/vichan.git synced 2024-12-25 05:44:57 +01:00
vichan/inc/anti-bot.php

283 lines
7.8 KiB
PHP
Raw Normal View History

2012-04-12 09:20:49 +02:00
<?php
/*
2013-01-20 11:23:46 +01:00
* Copyright (c) 2010-2013 Tinyboard Development Group
2012-04-12 09:20:49 +02:00
*/
defined('TINYBOARD') or exit;
2012-04-12 09:20:49 +02:00
$hidden_inputs_twig = array();
class AntiBot {
public $salt, $inputs = array(), $index = 0;
2012-04-12 09:20:49 +02:00
2013-09-08 09:01:55 +02:00
public static function randomString($length, $uppercase = false, $special_chars = false, $unicode_chars = false) {
2012-04-12 09:20:49 +02:00
$chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
2012-04-12 16:18:19 +02:00
if ($uppercase)
2012-04-12 09:20:49 +02:00
$chars .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
2012-04-12 16:18:19 +02:00
if ($special_chars)
$chars .= ' ~!@#$%^&*()_+,./;\'[]\\{}|:<>?=-` ';
2013-09-08 09:01:55 +02:00
if ($unicode_chars) {
$len = strlen($chars) / 10;
for ($n = 0; $n < $len; $n++)
$chars .= mb_convert_encoding('&#' . mt_rand(0x2600, 0x26FF) . ';', 'UTF-8', 'HTML-ENTITIES');
}
2012-04-12 09:20:49 +02:00
2013-09-08 09:01:55 +02:00
$chars = preg_split('//u', $chars, -1, PREG_SPLIT_NO_EMPTY);
2012-04-12 09:20:49 +02:00
$ch = array();
// fill up $ch until we reach $length
2012-04-12 16:18:19 +02:00
while (count($ch) < $length) {
2012-04-12 09:20:49 +02:00
$n = $length - count($ch);
$keys = array_rand($chars, $n > count($chars) ? count($chars) : $n);
2012-04-12 16:18:19 +02:00
if ($n == 1) {
2012-04-12 09:20:49 +02:00
$ch[] = $chars[$keys];
break;
}
shuffle($keys);
2012-04-12 16:18:19 +02:00
foreach ($keys as $key)
2012-04-12 09:20:49 +02:00
$ch[] = $chars[$key];
}
$chars = $ch;
return implode('', $chars);
}
public static function make_confusing($string) {
2013-09-08 09:01:55 +02:00
$chars = preg_split('//u', $string, -1, PREG_SPLIT_NO_EMPTY);
2012-04-12 09:20:49 +02:00
2012-04-12 16:18:19 +02:00
foreach ($chars as &$c) {
2013-09-08 09:01:55 +02:00
if (mt_rand(0, 3) != 0)
2012-08-25 15:52:37 +02:00
$c = utf8tohtml($c);
else
$c = mb_encode_numericentity($c, array(0, 0xffff, 0, 0xffff), 'UTF-8');
2012-04-12 09:20:49 +02:00
}
return implode('', $chars);
}
public function __construct(array $salt = array()) {
global $config;
2012-04-12 16:18:19 +02:00
if (!empty($salt)) {
2012-04-12 09:20:49 +02:00
// create a salted hash of the "extra salt"
$this->salt = implode(':', $salt);
} else {
$this->salt = '';
}
shuffle($config['spam']['hidden_input_names']);
2013-09-08 09:01:55 +02:00
$input_count = mt_rand($config['spam']['hidden_inputs_min'], $config['spam']['hidden_inputs_max']);
2012-04-12 09:20:49 +02:00
$hidden_input_names_x = 0;
2012-04-12 16:18:19 +02:00
for ($x = 0; $x < $input_count ; $x++) {
2013-09-08 09:01:55 +02:00
if ($hidden_input_names_x === false || mt_rand(0, 2) == 0) {
2012-04-12 09:20:49 +02:00
// Use an obscure name
2013-09-08 09:01:55 +02:00
$name = $this->randomString(mt_rand(10, 40), false, false, $config['spam']['unicode']);
2012-04-12 09:20:49 +02:00
} else {
// Use a pre-defined confusing name
$name = $config['spam']['hidden_input_names'][$hidden_input_names_x++];
2012-04-12 16:18:19 +02:00
if ($hidden_input_names_x >= count($config['spam']['hidden_input_names']))
2012-04-12 09:20:49 +02:00
$hidden_input_names_x = false;
}
2013-09-08 09:01:55 +02:00
if (mt_rand(0, 2) == 0) {
2012-04-12 09:20:49 +02:00
// Value must be null
$this->inputs[$name] = '';
2013-09-08 09:01:55 +02:00
} elseif (mt_rand(0, 4) == 0) {
2012-04-12 09:20:49 +02:00
// Numeric value
2013-09-08 09:01:55 +02:00
$this->inputs[$name] = (string)mt_rand(0, 100000);
2012-04-12 09:20:49 +02:00
} else {
// Obscure value
2013-09-08 09:01:55 +02:00
$this->inputs[$name] = $this->randomString(mt_rand(5, 100), true, true, $config['spam']['unicode']);
2012-04-12 09:20:49 +02:00
}
}
}
2013-09-08 09:01:55 +02:00
public static function space() {
if (mt_rand(0, 3) != 0)
return ' ';
return str_repeat(' ', mt_rand(1, 3));
}
2012-04-12 09:20:49 +02:00
public function html($count = false) {
global $config;
2012-04-12 09:20:49 +02:00
$elements = array(
'<input type="hidden" name="%name%" value="%value%">',
'<input type="hidden" value="%value%" name="%name%">',
2013-09-08 09:01:55 +02:00
'<input name="%name%" value="%value%" type="hidden">',
'<input value="%value%" name="%name%" type="hidden">',
2012-04-12 09:20:49 +02:00
'<input style="display:none" type="text" name="%name%" value="%value%">',
'<input style="display:none" type="text" value="%value%" name="%name%">',
'<span style="display:none"><input type="text" name="%name%" value="%value%"></span>',
'<div style="display:none"><input type="text" name="%name%" value="%value%"></div>',
'<div style="display:none"><input type="text" name="%name%" value="%value%"></div>',
'<textarea style="display:none" name="%name%">%value%</textarea>',
'<textarea name="%name%" style="display:none">%value%</textarea>'
);
$html = '';
2012-04-12 16:18:19 +02:00
if ($count === false) {
2013-09-08 09:01:55 +02:00
$count = mt_rand(1, abs(count($this->inputs) / 15) + 1);
}
2012-04-12 16:18:19 +02:00
if ($count === true) {
2012-04-12 09:20:49 +02:00
// all elements
$inputs = array_slice($this->inputs, $this->index);
} else {
$inputs = array_slice($this->inputs, $this->index, $count);
}
$this->index += count($inputs);
2012-04-12 16:18:19 +02:00
foreach ($inputs as $name => $value) {
2012-04-12 09:20:49 +02:00
$element = false;
2012-04-12 16:18:19 +02:00
while (!$element) {
2012-04-12 09:20:49 +02:00
$element = $elements[array_rand($elements)];
2013-09-08 09:01:55 +02:00
$element = str_replace(' ', self::space(), $element);
if (mt_rand(0, 5) == 0)
$element = str_replace('>', self::space() . '>', $element);
2012-04-12 16:18:19 +02:00
if (strpos($element, 'textarea') !== false && $value == '') {
2012-04-12 09:20:49 +02:00
// There have been some issues with mobile web browsers and empty <textarea>'s.
$element = false;
}
}
$element = str_replace('%name%', utf8tohtml($name), $element);
2013-09-08 09:01:55 +02:00
if (mt_rand(0, 2) == 0)
2012-04-12 09:20:49 +02:00
$value = $this->make_confusing($value);
else
$value = utf8tohtml($value);
2012-04-12 16:18:19 +02:00
if (strpos($element, 'textarea') === false)
$value = str_replace('"', '&quot;', $value);
2012-04-12 09:20:49 +02:00
$element = str_replace('%value%', $value, $element);
$html .= $element;
}
return $html;
}
public function reset() {
$this->index = 0;
}
2012-04-12 09:20:49 +02:00
public function hash() {
global $config;
// This is the tricky part: create a hash to validate it after
// First, sort the keys in alphabetical order (A-Z)
$inputs = $this->inputs;
ksort($inputs);
$hash = '';
// Iterate through each input
2012-04-12 16:18:19 +02:00
foreach ($inputs as $name => $value) {
2012-04-12 09:20:49 +02:00
$hash .= $name . '=' . $value;
}
// Add a salt to the hash
$hash .= $config['cookies']['salt'];
// Use SHA1 for the hash
return sha1($hash . $this->salt);
}
}
2012-04-12 09:20:49 +02:00
function _create_antibot($board, $thread) {
global $config, $purged_old_antispam;
2012-04-12 09:20:49 +02:00
$antibot = new AntiBot(array($board, $thread));
2012-04-12 09:20:49 +02:00
if (!isset($purged_old_antispam)) {
$purged_old_antispam = true;
query('DELETE FROM ``antispam`` WHERE `expires` < UNIX_TIMESTAMP()') or error(db_error());
}
2012-04-12 09:20:49 +02:00
2012-04-12 16:18:19 +02:00
if ($thread)
$query = prepare('UPDATE ``antispam`` SET `expires` = UNIX_TIMESTAMP() + :expires WHERE `board` = :board AND `thread` = :thread AND `expires` IS NULL');
2012-04-12 09:20:49 +02:00
else
$query = prepare('UPDATE ``antispam`` SET `expires` = UNIX_TIMESTAMP() + :expires WHERE `board` = :board AND `thread` IS NULL AND `expires` IS NULL');
2012-04-12 09:20:49 +02:00
$query->bindValue(':board', $board);
2012-04-12 16:18:19 +02:00
if ($thread)
$query->bindValue(':thread', $thread);
$query->bindValue(':expires', $config['spam']['hidden_inputs_expire']);
$query->execute() or error(db_error($query));
2012-04-12 09:20:49 +02:00
$query = prepare('INSERT INTO ``antispam`` VALUES (:board, :thread, :hash, UNIX_TIMESTAMP(), NULL, 0)');
$query->bindValue(':board', $board);
$query->bindValue(':thread', $thread);
$query->bindValue(':hash', $antibot->hash());
$query->execute() or error(db_error($query));
2012-04-12 09:20:49 +02:00
return $antibot;
2012-04-12 09:20:49 +02:00
}
function checkSpam(array $extra_salt = array()) {
global $config, $pdo;
2012-08-30 17:35:27 +02:00
2012-04-12 16:18:19 +02:00
if (!isset($_POST['hash']))
2012-04-12 09:20:49 +02:00
return true;
2012-08-30 17:35:27 +02:00
2012-04-12 09:20:49 +02:00
$hash = $_POST['hash'];
2012-08-30 17:35:27 +02:00
2012-04-12 16:18:19 +02:00
if (!empty($extra_salt)) {
2012-04-12 09:20:49 +02:00
// create a salted hash of the "extra salt"
$extra_salt = implode(':', $extra_salt);
} else {
$extra_salt = '';
}
2012-08-30 17:35:27 +02:00
2012-04-12 09:20:49 +02:00
// Reconsturct the $inputs array
$inputs = array();
2012-08-30 17:35:27 +02:00
2012-04-12 16:18:19 +02:00
foreach ($_POST as $name => $value) {
if (in_array($name, $config['spam']['valid_inputs']))
2012-04-12 09:20:49 +02:00
continue;
2012-08-30 17:35:27 +02:00
2012-04-12 09:20:49 +02:00
$inputs[$name] = $value;
}
2012-08-30 17:35:27 +02:00
2012-04-12 09:20:49 +02:00
// Sort the inputs in alphabetical order (A-Z)
ksort($inputs);
2012-08-30 17:35:27 +02:00
2012-04-12 09:20:49 +02:00
$_hash = '';
2012-08-30 17:35:27 +02:00
2012-04-12 09:20:49 +02:00
// Iterate through each input
2012-04-12 16:18:19 +02:00
foreach ($inputs as $name => $value) {
2012-04-12 09:20:49 +02:00
$_hash .= $name . '=' . $value;
}
2012-08-30 17:35:27 +02:00
2012-04-12 09:20:49 +02:00
// Add a salt to the hash
$_hash .= $config['cookies']['salt'];
2012-08-30 17:35:27 +02:00
2012-04-12 09:20:49 +02:00
// Use SHA1 for the hash
$_hash = sha1($_hash . $extra_salt);
2012-08-30 17:35:27 +02:00
2012-04-12 16:18:19 +02:00
if ($hash != $_hash)
return true;
2012-08-30 17:35:27 +02:00
$query = prepare('SELECT `passed` FROM ``antispam`` WHERE `hash` = :hash');
$query->bindValue(':hash', $hash);
$query->execute() or error(db_error($query));
2012-08-30 17:35:27 +02:00
if ((($passed = $query->fetchColumn(0)) === false) || ($passed > $config['spam']['hidden_inputs_max_pass'])) {
// there was no database entry for this hash. most likely expired.
return true;
}
2012-08-30 17:35:27 +02:00
return $hash;
2012-04-12 09:20:49 +02:00
}
function incrementSpamHash($hash) {
$query = prepare('UPDATE ``antispam`` SET `passed` = `passed` + 1 WHERE `hash` = :hash');
$query->bindValue(':hash', $hash);
$query->execute() or error(db_error($query));
}