diff options
| author | rvelices <rv-github@modusoptimus.com> | 2007-01-19 02:56:54 +0000 |
|---|---|---|
| committer | rvelices <rv-github@modusoptimus.com> | 2007-01-19 02:56:54 +0000 |
| commit | 96a0c2b1d3f44196cb1471a4cb476aaf5efbca88 (patch) | |
| tree | 4521937673840147affb72206ee9618ecd8259c6 | |
| parent | 6381378a8fe8fc260344e93fd24a833aaaa656d0 (diff) | |
feature 625: comment anti-spam - protect against some of the spam robots
git-svn-id: http://piwigo.org/svn/trunk@1737 68402e56-0260-453c-a942-63ccdbb3a9ee
| -rw-r--r-- | include/picture_comment.inc.php | 47 | ||||
| -rw-r--r-- | install/config.sql | 1 | ||||
| -rw-r--r-- | install/db/43-database.php | 51 | ||||
| -rw-r--r-- | template/yoga/picture.tpl | 3 |
4 files changed, 98 insertions, 4 deletions
diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php index 38c91c167..fbbe80d50 100644 --- a/include/picture_comment.inc.php +++ b/include/picture_comment.inc.php @@ -2,10 +2,10 @@ // +-----------------------------------------------------------------------+ // | PhpWebGallery - a PHP based picture gallery | // | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net | -// | Copyright (C) 2003-2005 PhpWebGallery Team - http://phpwebgallery.net | +// | Copyright (C) 2003-2007 PhpWebGallery Team - http://phpwebgallery.net | // +-----------------------------------------------------------------------+ // | branch : BSF (Best So Far) -// | file : $RCSfile$ +// | file : $Id$ // | last update : $Date$ // | last modifier : $Author$ // | revision : $Revision$ @@ -29,6 +29,33 @@ * This file is included by the picture page to manage user comments * */ + +if (!function_exists('hash_hmac')) +{ +function hash_hmac($algo, $data, $key, $raw_output=false) +{ + /* md5 and sha1 only */ + $algo=strtolower($algo); + $p=array('md5'=>'H32','sha1'=>'H40'); + if ( !isset($p[$algo]) or !function_exists($algo) ) + { + $algo = 'md5'; + } + if(strlen($key)>64) $key=pack($p[$algo],$algo($key)); + if(strlen($key)<64) $key=str_pad($key,64,chr(0)); + + $ipad=substr($key,0,64) ^ str_repeat(chr(0x36),64); + $opad=substr($key,0,64) ^ str_repeat(chr(0x5C),64); + + $ret = $algo($opad.pack($p[$algo],$algo($ipad.$data))); + if ($raw_output) + { + $ret = pack('H*', $ret); + } + return $ret; +} +} + //returns string action to perform on a new comment: validate, moderate, reject function user_comment_check($action, $comment, $picture) { @@ -137,6 +164,15 @@ if ( $page['show_comments'] and isset( $_POST['content'] ) ) $comment_action='reject'; } + $key = explode(':', @$_POST['key']); + if ( count($key)!=2 + or $key[0]>time() or $key[0]<time()-1800 // 30 minutes expiration + or hash_hmac('md5', $key[0], $conf['secret_key'])!=$key[1] + ) + { + $comment_action='reject'; + } + if ($comment_action!='reject' and $conf['anti-flood_time']>0 ) { // anti-flood system $reference_date = time() - $conf['anti-flood_time']; @@ -316,7 +352,12 @@ SELECT id,author,date,image_id,content if (!$user['is_the_guest'] or ($user['is_the_guest'] and $conf['comments_forall'])) { - $template->assign_block_vars('comments.add_comment', array()); + $key = time(); + $key .= ':'.hash_hmac('md5', $key, $conf['secret_key']); + $template->assign_block_vars('comments.add_comment', + array( + 'key' => $key + )); // display author field if the user is not logged in if ($user['is_the_guest']) { diff --git a/install/config.sql b/install/config.sql index 53753a8d4..9c4dbc743 100644 --- a/install/config.sql +++ b/install/config.sql @@ -23,6 +23,7 @@ INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('history_admin',' INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('history_guest','true','keep a history of guest visits on your website'); INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('login_history','true','keep a history of user logins on your website'); INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('allow_user_registration','true','allow visitors to register?'); +INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('secret_key', MD5(RAND()), 'a secret key specific to the gallery for internal use'); -- Notification by mail INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('nbm_send_mail_as','','Send mail as param value for notification by mail'); INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('nbm_send_detailed_content','true','Send detailed content for notification by mail'); diff --git a/install/db/43-database.php b/install/db/43-database.php new file mode 100644 index 000000000..1e51bb99e --- /dev/null +++ b/install/db/43-database.php @@ -0,0 +1,51 @@ +<?php +// +-----------------------------------------------------------------------+ +// | PhpWebGallery - a PHP based picture gallery | +// | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net | +// | Copyright (C) 2003-2005 PhpWebGallery Team - http://phpwebgallery.net | +// +-----------------------------------------------------------------------+ +// | branch : BSF (Best So Far) +// | file : $Id$ +// | last update : $Date$ +// | last modifier : $Author$ +// | revision : $Revision$ +// +-----------------------------------------------------------------------+ +// | This program is free software; you can redistribute it and/or modify | +// | it under the terms of the GNU General Public License as published by | +// | the Free Software Foundation | +// | | +// | This program is distributed in the hope that it will be useful, but | +// | WITHOUT ANY WARRANTY; without even the implied warranty of | +// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | +// | General Public License for more details. | +// | | +// | You should have received a copy of the GNU General Public License | +// | along with this program; if not, write to the Free Software | +// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, | +// | USA. | +// +-----------------------------------------------------------------------+ + +if (!defined('PHPWG_ROOT_PATH')) +{ + die('Hacking attempt!'); +} + +$upgrade_description = 'Insert secret_key into #config'; + +include_once(PHPWG_ROOT_PATH.'include/constants.php'); + +// +-----------------------------------------------------------------------+ +// | Upgrade content | +// +-----------------------------------------------------------------------+ + +$query = ' +INSERT INTO '.PREFIX_TABLE."config (param,value,comment) VALUES ('secret_key', MD5(RAND()), 'a secret key specific to the gallery for internal use');"; +pwg_query($query); + +echo +"\n" +. $upgrade_description +."\n" +; + +?> diff --git a/template/yoga/picture.tpl b/template/yoga/picture.tpl index 02453e9af..f42fc83ae 100644 --- a/template/yoga/picture.tpl +++ b/template/yoga/picture.tpl @@ -190,7 +190,8 @@ <!-- BEGIN author_field --> <label>{lang:upload_author}<input type="text" name="author"></label> <!-- END author_field --> - <label>{lang:comment}<textarea name="content" rows="10" cols="80"></textarea></label> + <label>{lang:comment}<textarea name="content" rows="5" cols="80"></textarea></label> + <input type="hidden" name="key" value="{comments.add_comment.key}" /> <input type="submit" value="{lang:submit}"> </fieldset> </form> |