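function bb2_start($settings)
{
    // Entry point for one request: build the request "package" array, hand it to
    // bb2_screen(), and act on a positive result via bb2_banned().
    //
    // @param array $settings  Bad Behavior settings, passed through to bb2_screen()/bb2_banned().
    // @return mixed           Whatever bb2_screen() returns; a truthy value means the request was flagged.

    // Gather up all the information we need, first of all.
    $headers = bb2_load_headers();

    // Postprocess the headers to mixed-case
    // TODO: get the world to stop using PHP as CGI
    $headers_mixed = array();
    foreach ($headers as $h => $v) {
        $headers_mixed[uc_all($h)] = $v;
    }

    // IPv6 - IPv4 compatibility mode hack: drop the "::ffff:" IPv4-mapped prefix so a
    // client seen through an IPv6 socket is handled as a plain IPv4 address.
    $_SERVER['REMOTE_ADDR'] = preg_replace("/^::ffff:/", "", $_SERVER['REMOTE_ADDR']);

    // Reconstruct the HTTP entity, if present.
    $request_entity = array();
    if (!strcasecmp($_SERVER['REQUEST_METHOD'], "POST") || !strcasecmp($_SERVER['REQUEST_METHOD'], "PUT")) {
        foreach ($_POST as $h => $v) {
            $request_entity[$h] = $v;
        }
    }

    // These three may legitimately be absent (no User-Agent sent, non-web SAPI);
    // test for them explicitly instead of hiding every notice behind "@".
    $request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : null;
    $server_protocol = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : null;
    $user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null;

    $package = array(
        'ip' => $_SERVER['REMOTE_ADDR'],
        'headers' => $headers,
        'headers_mixed' => $headers_mixed,
        'request_method' => $_SERVER['REQUEST_METHOD'],
        'request_uri' => $request_uri,
        'server_protocol' => $server_protocol,
        'request_entity' => $request_entity,
        'user_agent' => $user_agent,
        'is_browser' => false,
    );

    $result = bb2_screen($settings, $package);
    // With BB2_TEST defined the result is reported but not enforced.
    if ($result && !defined('BB2_TEST')) {
        bb2_banned($settings, $package, $result);
    }
    return $result;
}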
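function bb2_load_headers()
{
    // Return the request headers as an associative array.
    //
    // Uses getallheaders() where the SAPI provides it; otherwise rebuilds the list
    // from the CGI-style HTTP_* entries in $_SERVER, turning e.g. HTTP_USER_AGENT
    // into "User-Agent" (uc_all() is defined elsewhere in the project).
    //
    // @return array  Header name => value.
    if (!is_callable('getallheaders')) {
        $headers = array();
        foreach ($_SERVER as $h => $v) {
            // preg_match() replaces ereg(), which was removed in PHP 7. The pattern is
            // anchored so only variables that really start with HTTP_ (the CGI prefix
            // for client request headers) are reported as headers.
            if (preg_match('/^HTTP_(.+)/', $h, $hp)) {
                $headers[str_replace("_", "-", uc_all($hp[1]))] = $v;
            }
        }
    } else {
        $headers = getallheaders();
    }
    return $headers;
}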
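function bb2_start($settings)
{
    // Run the current request through every Bad Behavior screen in turn.
    //
    // Order of checks: whitelist (a hit skips straight to the final screener),
    // blacklist, http:BL (skipped when $settings['skipblackhole'] is set; a
    // positive http:BL result approves the request outright), the common
    // protocol/cookie/header tests, a user-agent specific test, the POST test
    // for POST requests, and finally bb2_screener(). Each result is handed to
    // bb2_test(), defined elsewhere in the project; presumably it halts the
    // request on a failing result, since reaching the end here approves it.
    //
    // @param array $settings  Bad Behavior settings array.
    // @return bool            true once the request has been approved.

    // Gather up all the information we need, first of all.
    $headers = bb2_load_headers();

    // Postprocess the headers to mixed-case
    // FIXME: get the world to stop using PHP as CGI
    $headers_mixed = array();
    foreach ($headers as $h => $v) {
        $headers_mixed[uc_all($h)] = $v;
    }

    // IPv6 - IPv4 compatibility mode hack: drop the "::ffff:" IPv4-mapped prefix so a
    // client seen through an IPv6 socket is handled as a plain IPv4 address.
    $_SERVER['REMOTE_ADDR'] = preg_replace("/^::ffff:/", "", $_SERVER['REMOTE_ADDR']);

    // We use these frequently. Keep a copy close at hand.
    $ip = $_SERVER['REMOTE_ADDR'];
    $request_method = $_SERVER['REQUEST_METHOD'];
    $request_uri = $_SERVER['REQUEST_URI'];
    if (!$request_uri) {
        $request_uri = $_SERVER['SCRIPT_NAME']; # IIS leaves REQUEST_URI empty
    }
    $server_protocol = $_SERVER['SERVER_PROTOCOL'];
    // A client may legitimately omit User-Agent; test for it rather than hiding the
    // undefined-index notice behind "@".
    $user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null;

    // Reconstruct the HTTP entity, if present.
    $request_entity = array();
    if (!strcasecmp($request_method, "POST") || !strcasecmp($request_method, "PUT")) {
        foreach ($_POST as $h => $v) {
            $request_entity[$h] = $v;
        }
    }

    $package = array(
        'ip' => $ip,
        'headers' => $headers,
        'headers_mixed' => $headers_mixed,
        'request_method' => $request_method,
        'request_uri' => $request_uri,
        'server_protocol' => $server_protocol,
        'request_entity' => $request_entity,
        'user_agent' => $user_agent,
        'is_browser' => false,
    );

    // Please proceed to the security checkpoint and have your
    // identification and boarding pass ready.

    // First check the whitelist
    require_once BB2_CORE . "/whitelist.inc.php";
    if (!bb2_whitelist($package)) {
        // Now check the blacklist
        require_once BB2_CORE . "/blacklist.inc.php";
        bb2_test($settings, $package, bb2_blacklist($package));

        // Check the http:BL
        // config check added for DokuWiki plugin; empty() also covers a missing key
        if (empty($settings['skipblackhole'])) {
            require_once BB2_CORE . "/blackhole.inc.php";
            if (bb2_test($settings, $package, bb2_httpbl($settings, $package))) {
                // Bypass all checks if http:BL says search engine
                bb2_approved($settings, $package);
                return true;
            }
        }

        // Check for common stuff
        require_once BB2_CORE . "/common_tests.inc.php";
        bb2_test($settings, $package, bb2_protocol($settings, $package));
        bb2_test($settings, $package, bb2_cookies($settings, $package));
        bb2_test($settings, $package, bb2_misc_headers($settings, $package));

        // Specific checks. The User-Agent is client-supplied text; it only selects
        // a branch below, the include paths themselves are fixed constants.
        $ua = isset($headers_mixed['User-Agent']) ? $headers_mixed['User-Agent'] : '';

        // Search engines first
        if (stripos($ua, "bingbot") !== FALSE || stripos($ua, "msnbot") !== FALSE || stripos($ua, "MS Search") !== FALSE) {
            require_once BB2_CORE . "/msnbot.inc.php";
            bb2_test($settings, $package, bb2_msnbot($package));
            bb2_approved($settings, $package);
            return true;
        } elseif (stripos($ua, "Googlebot") !== FALSE || stripos($ua, "Mediapartners-Google") !== FALSE || stripos($ua, "Google Web Preview") !== FALSE) {
            require_once BB2_CORE . "/google.inc.php";
            bb2_test($settings, $package, bb2_google($package));
            bb2_approved($settings, $package);
            return true;
        } elseif (stripos($ua, "Yahoo! Slurp") !== FALSE || stripos($ua, "Yahoo! SearchMonkey") !== FALSE) {
            require_once BB2_CORE . "/yahoo.inc.php";
            bb2_test($settings, $package, bb2_yahoo($package));
            bb2_approved($settings, $package);
            return true;
        }

        // MSIE checks
        if (stripos($ua, "MSIE") !== FALSE) {
            $package['is_browser'] = true;
            if (stripos($ua, "Opera") !== FALSE) {
                require_once BB2_CORE . "/opera.inc.php";
                bb2_test($settings, $package, bb2_opera($package));
            } else {
                require_once BB2_CORE . "/msie.inc.php";
                bb2_test($settings, $package, bb2_msie($package));
            }
        } elseif (stripos($ua, "Konqueror") !== FALSE) {
            $package['is_browser'] = true;
            require_once BB2_CORE . "/konqueror.inc.php";
            bb2_test($settings, $package, bb2_konqueror($package));
        } elseif (stripos($ua, "Opera") !== FALSE) {
            $package['is_browser'] = true;
            require_once BB2_CORE . "/opera.inc.php";
            bb2_test($settings, $package, bb2_opera($package));
        } elseif (stripos($ua, "Safari") !== FALSE) {
            $package['is_browser'] = true;
            require_once BB2_CORE . "/safari.inc.php";
            bb2_test($settings, $package, bb2_safari($package));
        } elseif (stripos($ua, "Lynx") !== FALSE) {
            $package['is_browser'] = true;
            require_once BB2_CORE . "/lynx.inc.php";
            bb2_test($settings, $package, bb2_lynx($package));
        } elseif (stripos($ua, "MovableType") !== FALSE) {
            require_once BB2_CORE . "/movabletype.inc.php";
            bb2_test($settings, $package, bb2_movabletype($package));
        } elseif (stripos($ua, "Mozilla") === 0) {
            // Only a User-Agent that *starts* with "Mozilla" counts; === 0 replaces the
            // former "!== FALSE && == 0" pair with one strict test.
            $package['is_browser'] = true;
            require_once BB2_CORE . "/mozilla.inc.php";
            bb2_test($settings, $package, bb2_mozilla($package));
        }

        // More intensive screening applies to POST requests
        if (!strcasecmp('POST', $package['request_method'])) {
            require_once BB2_CORE . "/post.inc.php";
            bb2_test($settings, $package, bb2_post($settings, $package));
        }
    }

    // Last chance screening.
    require_once BB2_CORE . "/screener.inc.php";
    bb2_screener($settings, $package);

    // And that's about it.
    bb2_approved($settings, $package);
    return true;
}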
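function bb2_start($settings)
{
    // Entry point for one request: build the request "package" array (resolving the
    // client address through a reverse proxy when configured), hand it to
    // bb2_screen(), and act on a positive result via bb2_banned().
    //
    // @param array $settings  Bad Behavior settings; 'reverse_proxy' enables proxy address resolution.
    // @return mixed           Whatever bb2_screen() returns; a truthy value means the request was flagged.

    // Gather up all the information we need, first of all.
    $headers = bb2_load_headers();

    // Postprocess the headers to mixed-case
    // TODO: get the world to stop using PHP as CGI
    $headers_mixed = array();
    foreach ($headers as $h => $v) {
        $headers_mixed[uc_all($h)] = $v;
    }

    // IPv6 - IPv4 compatibility mode hack: drop the "::ffff:" IPv4-mapped prefix so a
    // client seen through an IPv6 socket is handled as a plain IPv4 address.
    $_SERVER['REMOTE_ADDR'] = preg_replace("/^::ffff:/", "", $_SERVER['REMOTE_ADDR']);

    // Reconstruct the HTTP entity, if present.
    $request_entity = array();
    if (!strcasecmp($_SERVER['REQUEST_METHOD'], "POST") || !strcasecmp($_SERVER['REQUEST_METHOD'], "PUT")) {
        foreach ($_POST as $h => $v) {
            if (is_array($v)) {
                # Workaround, see Bug #12: nested form fields are recorded as the literal "Array"
                $v = "Array";
            }
            $request_entity[$h] = $v;
        }
    }

    $request_uri = $_SERVER["REQUEST_URI"];
    if (!$request_uri) {
        $request_uri = $_SERVER['SCRIPT_NAME']; # IIS leaves REQUEST_URI empty
    }

    // Behind a reverse proxy the client address is whatever bb2_reverse_proxy()
    // (defined elsewhere) derives from the configured header; the socket peer
    // address is then kept under X-Bad-Behavior-Remote-Address in both header maps.
    // empty() also covers a settings array that has no 'reverse_proxy' key.
    if (!empty($settings['reverse_proxy']) && ($ip = bb2_reverse_proxy($settings, $headers_mixed))) {
        $headers['X-Bad-Behavior-Remote-Address'] = $_SERVER['REMOTE_ADDR'];
        $headers_mixed['X-Bad-Behavior-Remote-Address'] = $_SERVER['REMOTE_ADDR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }

    // These may legitimately be absent (no User-Agent sent, non-web SAPI); test for
    // them explicitly instead of hiding every notice behind "@".
    $server_protocol = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : null;
    $user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null;

    $package = array(
        'ip' => $ip,
        'headers' => $headers,
        'headers_mixed' => $headers_mixed,
        'request_method' => $_SERVER['REQUEST_METHOD'],
        'request_uri' => $request_uri,
        'server_protocol' => $server_protocol,
        'request_entity' => $request_entity,
        'user_agent' => $user_agent,
        'is_browser' => false,
    );

    $result = bb2_screen($settings, $package);
    // With BB2_TEST defined the result is reported but not enforced.
    if ($result && !defined('BB2_TEST')) {
        bb2_banned($settings, $package, $result);
    }
    return $result;
}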
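function bb2_start($settings)
{
    // Run the current request through every Bad Behavior screen in turn.
    //
    // Does nothing when the global $gShellScript flag is set (command-line use).
    // Otherwise the order of checks is: whitelist (a hit skips straight to the
    // final screener), blacklist, the common protocol/header tests, a user-agent
    // specific test, the POST test for POST requests, and finally bb2_screener().
    // Each result is handed to bb2_test(), defined elsewhere in the project;
    // presumably it halts the request on a failing result, since reaching the
    // end here approves it. The whitelist verdict is passed on to bb2_approved().
    //
    // @param array $settings  Bad Behavior settings array.
    // @return bool|null       true once the request has been approved; null when skipped for a shell script.
    global $gShellScript;
    if ($gShellScript) {
        return;
    }

    // Gather up all the information we need, first of all.
    $headers = bb2_load_headers();

    // Postprocess the headers to mixed-case
    // FIXME: get the world to stop using PHP as CGI
    $headers_mixed = array();
    foreach ($headers as $h => $v) {
        $headers_mixed[uc_all($h)] = $v;
    }

    // We use these frequently. Keep a copy close at hand.
    $ip = $_SERVER['REMOTE_ADDR'];
    $request_method = $_SERVER['REQUEST_METHOD'];
    $request_uri = $_SERVER['REQUEST_URI'];
    $server_protocol = $_SERVER['SERVER_PROTOCOL'];
    // A missing or empty User-Agent is recorded as NULL.
    $user_agent = !empty($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : NULL;

    // Reconstruct the HTTP entity, if present.
    $request_entity = array();
    if (!strcasecmp($request_method, "POST") || !strcasecmp($request_method, "PUT")) {
        foreach ($_POST as $h => $v) {
            $request_entity[$h] = $v;
        }
    }

    $package = array(
        'ip' => $ip,
        'headers' => $headers,
        'headers_mixed' => $headers_mixed,
        'request_method' => $request_method,
        'request_uri' => $request_uri,
        'server_protocol' => $server_protocol,
        'request_entity' => $request_entity,
        'user_agent' => $user_agent,
        'is_browser' => false,
    );

    // Please proceed to the security checkpoint and have your
    // identification and boarding pass ready.

    // First check the whitelist
    require_once BB2_CORE . "/whitelist.inc.php";
    if (!($whitelisted = bb2_whitelist($package))) {
        // Now check the blacklist
        require_once BB2_CORE . "/blacklist.inc.php";
        bb2_test($settings, $package, bb2_blacklist($package));

        // Check for common stuff
        require_once BB2_CORE . "/common_tests.inc.php";
        bb2_test($settings, $package, bb2_protocol($settings, $package));
        bb2_test($settings, $package, bb2_misc_headers($settings, $package));

        // Specific checks. The User-Agent is client-supplied text; it only selects a
        // branch below, the include paths themselves are fixed constants. A request
        // without the header must not raise an undefined-index notice.
        $ua = isset($headers_mixed['User-Agent']) ? $headers_mixed['User-Agent'] : '';

        // MSIE checks
        if (stripos($ua, "MSIE") !== FALSE) {
            $package['is_browser'] = true;
            if (stripos($ua, "Opera") !== FALSE) {
                require_once BB2_CORE . "/opera.inc.php";
                bb2_test($settings, $package, bb2_opera($package));
            } else {
                require_once BB2_CORE . "/msie.inc.php";
                bb2_test($settings, $package, bb2_msie($package));
            }
        } elseif (stripos($ua, "Konqueror") !== FALSE) {
            $package['is_browser'] = true;
            require_once BB2_CORE . "/konqueror.inc.php";
            bb2_test($settings, $package, bb2_konqueror($package));
        } elseif (stripos($ua, "Opera") !== FALSE) {
            $package['is_browser'] = true;
            require_once BB2_CORE . "/opera.inc.php";
            bb2_test($settings, $package, bb2_opera($package));
        } elseif (stripos($ua, "Safari") !== FALSE) {
            $package['is_browser'] = true;
            require_once BB2_CORE . "/safari.inc.php";
            bb2_test($settings, $package, bb2_safari($package));
        } elseif (stripos($ua, "Lynx") !== FALSE) {
            $package['is_browser'] = true;
            require_once BB2_CORE . "/lynx.inc.php";
            bb2_test($settings, $package, bb2_lynx($package));
        } elseif (stripos($ua, "MovableType") !== FALSE) {
            require_once BB2_CORE . "/movabletype.inc.php";
            bb2_test($settings, $package, bb2_movabletype($package));
        } elseif (stripos($ua, "msnbot") !== FALSE || stripos($ua, "MS Search") !== FALSE) {
            require_once BB2_CORE . "/msnbot.inc.php";
            bb2_test($settings, $package, bb2_msnbot($package));
        } elseif (stripos($ua, "Googlebot") !== FALSE || stripos($ua, "Mediapartners-Google") !== FALSE) {
            require_once BB2_CORE . "/google.inc.php";
            bb2_test($settings, $package, bb2_google($package));
        } elseif (stripos($ua, "Google Keyword Tool") !== FALSE) {
            bb2_approved($settings, $package);
            return true;
        } elseif (stripos($ua, "Mozilla") === 0) {
            // Only a User-Agent that *starts* with "Mozilla" counts; === 0 replaces the
            // former "!== FALSE && == 0" pair with one strict test.
            $package['is_browser'] = true;
            require_once BB2_CORE . "/mozilla.inc.php";
            bb2_test($settings, $package, bb2_mozilla($package));
        }

        // More intensive screening applies to POST requests
        if (!strcasecmp('POST', $package['request_method'])) {
            require_once BB2_CORE . "/post.inc.php";
            bb2_test($settings, $package, bb2_post($settings, $package));
        }
    }

    // Last chance screening.
    require_once BB2_CORE . "/screener.inc.php";
    bb2_screener($settings, $package);

    // And that's about it.
    bb2_approved($settings, $package, $whitelisted);
    return true;
}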
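function bb2_options()
{
    // Render the Bad Behavior settings page in the WordPress admin and, on a POST,
    // validate the submitted fields and persist them via bb2_write_settings().
    //
    // Every submitted value is reduced to a bool, an int, or a sanitized string
    // before it is stored. The form carries a WordPress nonce and the POST branch
    // verifies it, so a cross-site forged request cannot rewrite the settings.
    // Capability gating is assumed to happen where this page is registered as a
    // menu entry (not visible here) -- TODO confirm.
    $settings = bb2_read_settings();

    if ($_POST) {
        // The action name is shared with wp_nonce_field() in the form below;
        // check_admin_referer() stops the request when the nonce is missing or stale.
        check_admin_referer('bb2_options');
        $_POST = array_map('stripslashes_deep', $_POST);

        // On/off checkboxes: an absent or empty field means "off".
        $flags = array('display_stats', 'strict', 'offsite_forms', 'eu_cookie', 'reverse_proxy');
        foreach ($flags as $flag) {
            $settings[$flag] = !empty($_POST[$flag]);
        }

        // The "logging" radio decides both logging flags; any "verbose" checkbox value
        // would be superseded here, so it is not read separately.
        $logging = isset($_POST['logging']) ? $_POST['logging'] : '';
        if ($logging === 'verbose') {
            $settings['verbose'] = true;
            $settings['logging'] = true;
        } elseif ($logging === 'normal') {
            $settings['verbose'] = false;
            $settings['logging'] = true;
        } else {
            $settings['verbose'] = false;
            $settings['logging'] = false;
        }

        // An http:BL access key is exactly 12 lowercase ASCII letters; anything else is dropped.
        $httpbl_key = isset($_POST['httpbl_key']) ? $_POST['httpbl_key'] : '';
        if (is_string($httpbl_key) && preg_match('/^[a-z]{12}$/', $httpbl_key)) {
            $settings['httpbl_key'] = $httpbl_key;
        } else {
            $settings['httpbl_key'] = '';
        }

        // Numeric fields fall back to the recommended defaults shown in the form.
        $settings['httpbl_threat'] = !empty($_POST['httpbl_threat']) ? intval($_POST['httpbl_threat']) : '25';
        $settings['httpbl_maxage'] = !empty($_POST['httpbl_maxage']) ? intval($_POST['httpbl_maxage']) : '30';

        // The proxy header name is normalised to Mixed-Case and stripped of markup.
        if (!empty($_POST['reverse_proxy_header'])) {
            $settings['reverse_proxy_header'] = sanitize_text_field(uc_all($_POST['reverse_proxy_header']));
        } else {
            $settings['reverse_proxy_header'] = 'X-Forwarded-For';
        }

        // Proxy address list: split on whitespace/commas, sanitize each entry.
        if (!empty($_POST['reverse_proxy_addresses'])) {
            $addresses = preg_split('/[\s,]+/m', $_POST['reverse_proxy_addresses']);
            $settings['reverse_proxy_addresses'] = array_map('sanitize_text_field', $addresses);
        } else {
            $settings['reverse_proxy_addresses'] = array();
        }

        bb2_write_settings($settings);
        ?>
	<div id="message" class="updated fade"><p><strong><?php _e('Options saved.'); ?></strong></p></div>
<?php
    }

    // Stored settings come from the options store rather than this request, but they
    // are still escaped for the attribute context they are echoed into.
    $proxy_addresses = (isset($settings['reverse_proxy_addresses']) && is_array($settings['reverse_proxy_addresses']))
        ? $settings['reverse_proxy_addresses']
        : array();
    ?>
	<div class="wrap">
<?php echo bb2_donate_button(admin_url("options-general.php?page=bb2_options")); ?>
	<h2><?php _e("Bad Behavior"); ?></h2>
	<form method="post" action="<?php echo esc_url(admin_url("options-general.php?page=bb2_options")); ?>">
<?php wp_nonce_field('bb2_options'); ?>
	<p>For more information please visit the <a href="http://bad-behavior.ioerror.us/">Bad Behavior</a> homepage.</p>
	<p>See also: <a href="<?php echo esc_url(admin_url("tools.php?page=bb2_manage")); ?>">Log</a> | <a href="<?php echo esc_url(admin_url("options-general.php?page=bb2_whitelist")); ?>">Whitelist</a></p>

	<h3><?php _e('Statistics'); ?></h3>
	<?php bb2_insert_stats(true); ?>
	<table class="form-table">
	<tr><td><label><input type="checkbox" name="display_stats" value="true" <?php checked(!empty($settings['display_stats'])); ?> /> <?php _e('Display statistics in blog footer'); ?></label></td></tr>
	</table>

	<h3><?php _e('Logging'); ?></h3>
	<table class="form-table">
	<tr><td><label><input type="radio" name="logging" value="verbose" <?php checked(!empty($settings['verbose']) && !empty($settings['logging'])); ?> /> <?php _e('Verbose HTTP request logging'); ?></label></td></tr>
	<tr><td><label><input type="radio" name="logging" value="normal" <?php checked(!empty($settings['logging']) && empty($settings['verbose'])); ?> /> <?php _e('Normal HTTP request logging (recommended)'); ?></label></td></tr>
	<tr><td><label><input type="radio" name="logging" value="false" <?php checked(empty($settings['logging'])); ?> /> <?php _e('Do not log HTTP requests (not recommended)'); ?></label></td></tr>
	</table>

	<h3><?php _e('Security'); ?></h3>
	<table class="form-table">
	<tr><td><label><input type="checkbox" name="strict" value="true" <?php checked(!empty($settings['strict'])); ?> /> <?php _e('Strict checking (blocks more spam but may block some people)'); ?></label></td></tr>
	<tr><td><label><input type="checkbox" name="offsite_forms" value="true" <?php checked(!empty($settings['offsite_forms'])); ?> /> <?php _e('Allow form postings from other web sites (required for OpenID; increases spam received)'); ?></label></td></tr>
	</table>

	<h3><?php _e('http:BL'); ?></h3>
	<p>To use Bad Behavior's http:BL features you must have an <a href="http://www.projecthoneypot.org/httpbl_configure.php?rf=24694">http:BL Access Key</a>.</p>
	<table class="form-table">
	<tr><td><label><input type="text" size="12" maxlength="12" name="httpbl_key" value="<?php echo esc_attr(isset($settings['httpbl_key']) ? $settings['httpbl_key'] : ''); ?>" /> http:BL Access Key</label></td></tr>
	<tr><td><label><input type="text" size="3" maxlength="3" name="httpbl_threat" value="<?php echo intval(isset($settings['httpbl_threat']) ? $settings['httpbl_threat'] : 0); ?>" /> Minimum Threat Level (25 is recommended)</label></td></tr>
	<tr><td><label><input type="text" size="3" maxlength="3" name="httpbl_maxage" value="<?php echo intval(isset($settings['httpbl_maxage']) ? $settings['httpbl_maxage'] : 0); ?>" /> Maximum Age of Data (30 is recommended)</label></td></tr>
	</table>

	<h3><?php _e('European Union Cookie'); ?></h3>
	<p>Select this option if you believe Bad Behavior's site security cookie is not exempt from the 2012 EU cookie regulation. <a href="http://bad-behavior.ioerror.us/2012/05/04/eu-cookie-requirement-disclosure/">More info</a></p>
	<table class="form-table">
	<tr><td><label><input type="checkbox" name="eu_cookie" value="true" <?php checked(!empty($settings['eu_cookie'])); ?> /> <?php _e('EU cookie handling'); ?></label></td></tr>
	</table>

	<h3><?php _e('Reverse Proxy/Load Balancer'); ?></h3>
	<p>If you are using Bad Behavior behind a reverse proxy, load balancer, HTTP accelerator, content cache or similar technology, enable the Reverse Proxy option.</p>
	<p>If you have a chain of two or more reverse proxies between your server and the public Internet, you must specify <em>all</em> of the IP address ranges (in CIDR format) of all of your proxy servers, load balancers, etc. Otherwise, Bad Behavior may be unable to determine the client's true IP address.</p>
	<p>In addition, your reverse proxy servers must set the IP address of the Internet client from which they received the request in an HTTP header. If you don't specify a header, <a href="http://en.wikipedia.org/wiki/X-Forwarded-For">X-Forwarded-For</a> will be used. Most proxy servers already support X-Forwarded-For and you would then only need to ensure that it is enabled on your proxy servers. Some other header names in common use include <u>X-Real-Ip</u> (nginx) and <u>Cf-Connecting-Ip</u> (CloudFlare).</p>
	<table class="form-table">
	<tr><td><label><input type="checkbox" name="reverse_proxy" value="true" <?php checked(!empty($settings['reverse_proxy'])); ?> /> <?php _e('Enable Reverse Proxy'); ?></label></td></tr>
	<tr><td><label><input type="text" size="32" name="reverse_proxy_header" value="<?php echo esc_attr(isset($settings['reverse_proxy_header']) ? $settings['reverse_proxy_header'] : ''); ?>" /> Header containing Internet clients' IP address</label></td></tr>
	<tr><td><label>IP address or CIDR format address ranges for your proxy servers (one per line)<br/><textarea cols="24" rows="6" name="reverse_proxy_addresses"><?php echo esc_textarea(implode("\n", $proxy_addresses)); ?></textarea></td></tr>
	</table>

	<p class="submit"><input class="button" type="submit" name="submit" value="<?php _e('Update &raquo;'); ?>" /></p>
	</form>
	</div>
<?php
}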