Example #1
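// Trackback ping entry point: look up the pinged entry, check that trackbacks
// are allowed for it, then hand the ping over to TRB_handleTrackbackPing().
// Relies on $_TABLES and $TRB_ERROR being defined in the enclosing scope.
$id = COM_applyFilter(COM_getArgument('id'));
$type = COM_applyFilter(COM_getArgument('type'));

if (empty($id)) {
    // nothing to attach the ping to -> illegal request
    TRB_sendTrackbackResponse(1, $TRB_ERROR['illegal_request']);
    exit;
}
if (empty($type)) {
    $type = 'article'; // stories are the default entry type
}

if ($type === 'article') {
    // Stories: the entry must exist, be published (not a draft, date not in
    // the future) and be visible under the current permission / topic rules.
    // $id is escaped before it is placed into the query string.
    $sid = DB_escapeString($id);
    $result = DB_query("SELECT trackbackcode FROM {$_TABLES['stories']} WHERE (sid = '{$sid}') AND (date <= NOW()) AND (draft_flag = 0)" . COM_getPermSql('AND') . COM_getTopicSql('AND'));
    if (DB_numRows($result) === 1) {
        $A = DB_fetchArray($result);
        // trackbackcode 0 = trackbacks are enabled for this story
        if ((int) $A['trackbackcode'] === 0) {
            TRB_handleTrackbackPing($id, $type);
        } else {
            TRB_sendTrackbackResponse(1, $TRB_ERROR['no_access']);
        }
    } else {
        // not found or not visible: same reply as "trackbacks disabled", so the
        // response does not tell the sender whether the story exists
        TRB_sendTrackbackResponse(1, $TRB_ERROR['no_access']);
    }
} else {
    // other entry types: the owning plugin decides whether the ping is accepted
    if (PLG_handlePingComment($type, $id, 'acceptByID') === true) {
        TRB_handleTrackbackPing($id, $type);
    } else {
        TRB_sendTrackbackResponse(1, $TRB_ERROR['no_access']);
    }
}
// no output here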
Example #2
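/**
* Handles a trackback ping for an entry.
*
* Also takes care of the speedlimit and spam. Assumes that the caller of this
* function has already checked permissions!
*
* Note: Error messages are XML-formatted and echo'd out directly, as they
*       are supposed to be processed by some sort of software.
*
* The ping's fields are read from $_POST: 'url' is mandatory, 'title',
* 'blog_name' and 'excerpt' default to an empty string when absent. A field
* that is not a plain string (e.g. submitted as an array) is treated as absent.
*
* @param    string  $sid    ID of entry that got pinged
* @param    string  $type   type of that entry ('article' for stories, etc.)
* @return   boolean         true = success, false = an error occured
* @global   array   $_CONF  site configuration; reads trackbackspeedlimit /
*                           commentspeedlimit, check_trackback_link, spamx and
*                           notification
* @global   array   $_TABLES
*
* P.S. "Critical" errors are rejected with a HTTP 403 Forbidden status code.
*      According to RFC2616, this status code means
*      "The server understood the request, but is refusing to fulfill it.
*       Authorization will not help and the request SHOULD NOT be repeated."
*      See http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4
*
*/
function TRB_handleTrackbackPing($sid, $type = 'article')
{
    global $_CONF, $_TABLES;

    // Note: Error messages are hard-coded in English since there is no way of
    // knowing which language the sender of the trackback ping may prefer.
    $TRB_ERROR = array(
        'no_url'     => 'No URL given.',
        'rejected'   => 'Multiple posts not allowed.',
        'spam'       => 'Spam detected.',
        'speedlimit' => 'Your last trackback comment was %d seconds ago. This site requires at least %d seconds between trackback comments.',
        'no_link'    => 'Trackback rejected as you do not seem to link to us.',
    );

    // Read a POST field as a string; missing or non-string fields become ''.
    // This keeps the string functions below from ever seeing an array and
    // avoids "undefined index" notices for the optional fields.
    $postString = function ($name) {
        return (isset($_POST[$name]) && is_string($_POST[$name])) ? $_POST[$name] : '';
    };
    $hasUrl = isset($_POST['url']) && is_string($_POST['url']);
    $url = $hasUrl ? $_POST['url'] : '';

    // the speed limit applies to trackback comments, too
    if (isset($_CONF['trackbackspeedlimit'])) {
        $speedlimit = $_CONF['trackbackspeedlimit'];
    } else {
        $speedlimit = $_CONF['commentspeedlimit'];
    }
    COM_clearSpeedlimit($speedlimit, 'trackback');
    $last = COM_checkSpeedlimit('trackback');
    if ($last > 0) {
        TRB_sendTrackbackResponse(1, sprintf($TRB_ERROR['speedlimit'], $last, $speedlimit), 403, 'Forbidden');
        TRB_logRejected('Speedlimit', $url);
        return false;
    }

    // update speed limit now in any case
    COM_updateSpeedlimit('trackback');

    if (!$hasUrl) {
        // no 'url' field at all: plain error, no 403 (matches the original flow)
        TRB_sendTrackbackResponse(1, $TRB_ERROR['no_url']);
        TRB_logRejected('No URL', $url);
        return false;
    }

    // a URL is mandatory ... only the scheme prefix is checked here; the host
    // is validated further down when check_trackback_link has bit 4 set
    if (substr($url, 0, 4) !== 'http') {
        TRB_sendTrackbackResponse(1, $TRB_ERROR['no_url'], 403, 'Forbidden');
        TRB_logRejected('No valid URL', $url);
        return false;
    }

    $title    = $postString('title');
    $blogName = $postString('blog_name');
    $excerpt  = $postString('excerpt');

    // do spam check on the unfiltered post
    $result = TRB_checkForSpam($url, $title, $blogName, $excerpt);
    if ($result == TRB_SAVE_SPAM) {
        TRB_sendTrackbackResponse(1, $TRB_ERROR['spam'], 403, 'Forbidden');
        TRB_logRejected('Spam detected', $url);
        return false;
    }

    if (!isset($_CONF['check_trackback_link'])) {
        // default: check for a link back to us (bits 1/2), no IP check (bit 4)
        $_CONF['check_trackback_link'] = 2;
    }

    if ($_CONF['check_trackback_link'] & 4) {
        // bit 4: the host named in the URL must resolve to the client's address
        $parts = parse_url($url);
        $host = (is_array($parts) && isset($parts['host'])) ? $parts['host'] : '';
        if ($host === '') {
            TRB_sendTrackbackResponse(1, $TRB_ERROR['no_url'], 403, 'Forbidden');
            TRB_logRejected('No valid URL', $url);
            return false;
        }
        // gethostbyname() hands back the hostname unchanged when it does not
        // resolve, so an unresolvable host also ends up as a mismatch.
        // NOTE(review): this resolves A records only (IPv4) -- confirm that
        // is acceptable for clients pinging over IPv6.
        $ip = gethostbyname($host);
        if ($ip !== $_SERVER['REMOTE_ADDR']) {
            TRB_sendTrackbackResponse(1, $TRB_ERROR['spam'], 403, 'Forbidden');
            TRB_logRejected('IP address mismatch', $url);
            return false;
        }
    }

    if ($_CONF['check_trackback_link'] & 3) {
        // bits 1/2: the pinging page must actually link to the pinged entry.
        // NOTE(review): TRB_linksToUs presumably retrieves $url from this
        // server; the prefix check above accepts any 'http...' string, so
        // confirm that function restricts the schemes/targets it will fetch.
        if (!TRB_linksToUs($sid, $type, $url)) {
            TRB_sendTrackbackResponse(1, $TRB_ERROR['no_link'], 403, 'Forbidden');
            // a ping that does not link back is also handed to the spam plugins
            $comment = TRB_formatComment($url, $title, $blogName, $excerpt);
            PLG_spamAction($comment, $_CONF['spamx']);
            TRB_logRejected('No link to us', $url);
            return false;
        }
    }

    $saved = TRB_saveTrackbackComment($sid, $type, $url, $title, $blogName, $excerpt);
    if ($saved == TRB_SAVE_REJECT) {
        TRB_sendTrackbackResponse(1, $TRB_ERROR['rejected'], 403, 'Forbidden');
        TRB_logRejected('Multiple Trackbacks', $url);
        return false;
    }

    if (isset($_CONF['notification']) && in_array('trackback', $_CONF['notification'], true)) {
        TRB_sendNotificationEmail($saved, 'trackback');
    }

    TRB_sendTrackbackResponse(0);
    return true;
}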