$id   = COM_applyFilter(COM_getArgument('id'));
$type = COM_applyFilter(COM_getArgument('type'));

// A ping has to name the entry it refers to; without an id there is nothing
// the trackback could be attached to.
if (empty($id)) {
    TRB_sendTrackbackResponse(1, $TRB_ERROR['illegal_request']);
    exit;
}

// Stories are the default target when the sender does not say otherwise.
if (empty($type)) {
    $type = 'article';
}

if ($type == 'article') {
    // Only consider stories the requester is allowed to see: already
    // published, not a draft, and admitted by the permission and topic SQL.
    // The id is escaped before it is interpolated into the query.
    $sid = DB_escapeString($id);
    $sql = "SELECT trackbackcode FROM {$_TABLES['stories']}"
         . " WHERE (sid = '{$sid}') AND (date <= NOW()) AND (draft_flag = 0)"
         . COM_getPermSql('AND')
         . COM_getTopicSql('AND');
    $result = DB_query($sql);

    $accept = false;
    if (DB_numRows($result) == 1) {
        $A = DB_fetchArray($result);
        // only a trackbackcode of 0 lets the ping through
        $accept = ($A['trackbackcode'] == 0);
    }

    if ($accept) {
        TRB_handleTrackbackPing($id, $type);
    } else {
        TRB_sendTrackbackResponse(1, $TRB_ERROR['no_access']);
    }
} else {
    // Any other type belongs to a plugin; it decides whether the id exists
    // and may be pinged.
    if (PLG_handlePingComment($type, $id, 'acceptByID') === true) {
        TRB_handleTrackbackPing($id, $type);
    } else {
        TRB_sendTrackbackResponse(1, $TRB_ERROR['no_access']);
    }
}
// no output here
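/**
 * Handles a trackback ping for an entry.
 *
 * Also takes care of the speedlimit and spam. Assumes that the caller of this
 * function has already checked permissions!
 *
 * The ping's fields (url, title, blog_name, excerpt) are read from $_POST.
 * Only 'url' is mandatory; the other three default to '' when the sender
 * omits them, so a sparse ping no longer triggers undefined-index notices.
 * The URL has to be an absolute http:// or https:// URL.
 *
 * Note: Error messages are XML-formatted and echo'd out directly, as they
 * are supposed to be processed by some sort of software.
 *
 * @param    string  $sid    ID of entry that got pinged
 * @param    string  $type   type of that entry ('article' for stories, etc.)
 * @return   boolean         true = success, false = an error occured
 *
 * P.S. "Critical" errors are rejected with a HTTP 403 Forbidden status code.
 * According to RFC2616, this status code means
 * "The server understood the request, but is refusing to fulfill it.
 *  Authorization will not help and the request SHOULD NOT be repeated."
 * See http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4
 *
 */
function TRB_handleTrackbackPing($sid, $type = 'article')
{
    global $_CONF, $_TABLES;

    // Note: Error messages are hard-coded in English since there is no way of
    // knowing which language the sender of the trackback ping may prefer.
    $TRB_ERROR = array(
        'no_url'     => 'No URL given.',
        'rejected'   => 'Multiple posts not allowed.',
        'spam'       => 'Spam detected.',
        'speedlimit' => 'Your last trackback comment was %d seconds ago. This site requires at least %d seconds between trackback comments.',
        'no_link'    => 'Trackback rejected as you do not seem to link to us.'
    );

    // Read the ping's fields from $_POST once. A ping is not required to carry
    // title/blog_name/excerpt, so default them to '' rather than reading
    // undefined indexes further down (the original did so in several places,
    // including the rejection logging before the URL was even checked).
    // 'url' keeps its isset() semantics because its absence is an error.
    $hasUrl   = isset($_POST['url']);
    $url      = $hasUrl ? $_POST['url'] : '';
    $title    = isset($_POST['title']) ? $_POST['title'] : '';
    $blogName = isset($_POST['blog_name']) ? $_POST['blog_name'] : '';
    $excerpt  = isset($_POST['excerpt']) ? $_POST['excerpt'] : '';

    // the speed limit applies to trackback comments, too
    if (isset($_CONF['trackbackspeedlimit'])) {
        $speedlimit = $_CONF['trackbackspeedlimit'];
    } else {
        $speedlimit = $_CONF['commentspeedlimit'];
    }
    COM_clearSpeedlimit($speedlimit, 'trackback');
    $last = COM_checkSpeedlimit('trackback');
    if ($last > 0) {
        TRB_sendTrackbackResponse(1, sprintf($TRB_ERROR['speedlimit'], $last, $speedlimit), 403, 'Forbidden');
        TRB_logRejected('Speedlimit', $url);
        return false;
    }

    // update speed limit now in any case
    COM_updateSpeedlimit('trackback');

    // a URL is mandatory ...
    if (!$hasUrl) {
        TRB_sendTrackbackResponse(1, $TRB_ERROR['no_url']);
        TRB_logRejected('No URL', $url);
        return false;
    }

    // ... and it must be an absolute http(s) URL. The previous check only
    // compared the first four bytes against 'http', which also let strings
    // such as 'httpfoo' through; requiring the scheme separator rejects them
    // while still accepting everything that is an http:// or https:// URL.
    if (!preg_match('#^https?://#', $url)) {
        TRB_sendTrackbackResponse(1, $TRB_ERROR['no_url'], 403, 'Forbidden');
        TRB_logRejected('No valid URL', $url);
        return false;
    }

    // do spam check on the unfiltered post
    $result = TRB_checkForSpam($url, $title, $blogName, $excerpt);
    if ($result == TRB_SAVE_SPAM) {
        TRB_sendTrackbackResponse(1, $TRB_ERROR['spam'], 403, 'Forbidden');
        TRB_logRejected('Spam detected', $url);
        return false;
    }

    if (!isset($_CONF['check_trackback_link'])) {
        $_CONF['check_trackback_link'] = 2;
    }

    if ($_CONF['check_trackback_link'] & 4) {
        // Bit 4: the pinging host has to resolve to the address the ping came
        // from. parse_url() returns false on a malformed URL, so guard that
        // before looking for a host.
        // NOTE(review): gethostbyname() yields a single IPv4 address (or the
        // unchanged name on failure), so multi-homed or IPv6-only senders
        // fail this check; it fails closed, which is the safe direction.
        $parts = parse_url($url);
        if ($parts === false || empty($parts['host'])) {
            TRB_sendTrackbackResponse(1, $TRB_ERROR['no_url'], 403, 'Forbidden');
            TRB_logRejected('No valid URL', $url);
            return false;
        }
        $ip = gethostbyname($parts['host']);
        if ($ip != $_SERVER['REMOTE_ADDR']) {
            TRB_sendTrackbackResponse(1, $TRB_ERROR['spam'], 403, 'Forbidden');
            TRB_logRejected('IP address mismatch', $url);
            return false;
        }
    }

    if ($_CONF['check_trackback_link'] & 3) {
        // Bits 1/2: the pinging page has to actually link back to us. A ping
        // that does not is handed to the spam plugins before being rejected.
        if (!TRB_linksToUs($sid, $type, $url)) {
            TRB_sendTrackbackResponse(1, $TRB_ERROR['no_link'], 403, 'Forbidden');
            $comment = TRB_formatComment($url, $title, $blogName, $excerpt);
            PLG_spamAction($comment, $_CONF['spamx']);
            TRB_logRejected('No link to us', $url);
            return false;
        }
    }

    $saved = TRB_saveTrackbackComment($sid, $type, $url, $title, $blogName, $excerpt);
    if ($saved == TRB_SAVE_REJECT) {
        TRB_sendTrackbackResponse(1, $TRB_ERROR['rejected'], 403, 'Forbidden');
        TRB_logRejected('Multiple Trackbacks', $url);
        return false;
    }

    if (isset($_CONF['notification']) && in_array('trackback', $_CONF['notification'])) {
        TRB_sendNotificationEmail($saved, 'trackback');
    }

    TRB_sendTrackbackResponse(0);

    return true;
}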