/**
 * Checks messaging anti-spam.
 *
 * The POST field 'cbvssps' and the cookie 'cbvs' must each be three '_'-separated parts,
 * and BOTH must equal the values cbGetAntiSpams() recomputes from their third parts.
 * Comparison is strict, so no type juggling can help a forged value.
 *
 * @param  boolean      $autoBack  TRUE: terminates the request via _cbExpiredSessionJSterminate(), FALSE: returns the error text
 * @return null|string             NULL: Ok, String: translated error text (only when $autoBack is FALSE)
 */
function cbAntiSpamCheck($autoBack = true)
{
    global $_POST;
    $postToken = cbGetParam($_POST, 'cbvssps', '');
    cbimport('cb.session');
    $cookieToken = CBCookie::getcookie('cbvs');
    $postParts = explode('_', $postToken);
    $cookieParts = explode('_', $cookieToken);
    $accepted = false;
    if (count($postParts) == 3 && count($cookieParts) == 3) {
        $expected = cbGetAntiSpams($postParts[2], $cookieParts[2]);
        // Both the submitted token and the cookie must match their recomputed value.
        $accepted = ($postToken === $expected[0]) && ($cookieToken === $expected[1]);
    }
    if ($accepted) {
        return null;
    }
    if ($autoBack) {
        _cbExpiredSessionJSterminate();
        return null;
    }
    return _UE_SESSION_EXPIRED . ' ' . _UE_PLEASE_REFRESH;
}
 /**
  * Checks messaging anti-spam
  *
  * Reads the POST field 'cbvssps' and the cookie 'cbvs'; each must consist of three
  * '_'-separated parts, and at least ONE of them must equal the value cbGetAntiSpams()
  * recomputes from its third part.
  *
  * NOTE(review): the two comparisons are OR-ed, so a request passes when only the cookie
  * matches. Browsers attach cookies to cross-site form posts automatically, so unless
  * cbGetAntiSpams() binds the cookie value to the submitted field (not visible here) the
  * 'cbvssps' field adds no cross-site protection in this variant. Confirm this is the
  * intended trade-off (e.g. for clients with cookies disabled) before relying on it as a
  * CSRF control.
  *
  * @param  boolean      $autoBack     TRUE: returns code 403 and attempts a "back" in browser with Javascript, FALSE: Returns error text
  * @param  boolean      $allowPublic  TRUE: Also checks for guests, FALSE: Only for registered and logged-in users
  * @return null|string                NULL: Ok, String: translated error text
  */
 function cbAntiSpamCheck($autoBack = true, $allowPublic = false)
 {
     global $_POST;
     $postToken = cbGetParam($_POST, 'cbvssps', '');
     cbimport('cb.session');
     $cookieToken = CBCookie::getcookie('cbvs');
     $postParts = explode('_', $postToken);
     $cookieParts = explode('_', $cookieToken);
     $accepted = false;
     if (count($postParts) == 3 && count($cookieParts) == 3) {
         $expected = cbGetAntiSpams($postParts[2], $cookieParts[2], $allowPublic);
         // Either token matching is enough here (see the note in the header on what that implies).
         $accepted = ($postToken === $expected[0]) || ($cookieToken === $expected[1]);
     }
     if ($accepted) {
         return null;
     }
     if ($autoBack) {
         _cbExpiredSessionJSterminate();
         return null;
     }
     return CBTxt::Th('UE_SESSION_EXPIRED', 'Session expired or cookies are not enabled in your browser. Please press "reload page" in your browser, and enable cookies in your browser.') . ' ' . CBTxt::Th('UE_PLEASE_REFRESH', 'Please refresh/reload page before filling-in.');
 }
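/**
 * Checks spoof value and other spoofing and injection tricks.
 *
 * Checks run in this order:
 *  1. If _CB_SPOOFCHECKS is on, the token field named by cbSpoofField() is read from $var and
 *     compared strictly with cbSpoofString(); on mismatch, $mode 2 returns false, otherwise the
 *     request is terminated via _cbExpiredSessionJSterminate( 200 ).
 *  2. A request without a User-Agent header is refused with 403.
 *  3. When the token is expected in POST (the default), a request whose method is not POST is refused with 403.
 *  4. Every POST value is scanned (case-insensitively) for mail-header strings; a hit is refused with 403.
 * Checks 2-4 always exit, regardless of $mode.
 *
 * NOTE(review): the User-Agent check only verifies that the header is present; any client can
 * send one, so it must not be counted as an anti-automation control.
 *
 * @param  string   $secret   extra-hashing value for this particular spoofCheck
 * @param  string   $var      'POST', 'GET', 'REQUEST': where the spoof token is read from
 * @param  int      $mode     1: exits with script to display error and go back, 2: returns true or false.
 * @return boolean  or exit   If $mode = 2 : returns false if session expired.
 */
function cbSpoofCheck( $secret = null, $var = 'POST', $mode = 1 ) {
	// Anything other than 'GET' / 'REQUEST' means the token is expected in POST (same as the default branch below).
	$tokenFromPost	=	( ( $var != 'GET' ) && ( $var != 'REQUEST' ) );

	if ( _CB_SPOOFCHECKS ) {
		if ( $var == 'GET' ) {
			$validateValue	=	cbGetParam( $_GET,     cbSpoofField(), '' );
		} elseif ( $var == 'REQUEST' ) {
			$validateValue	=	cbGetParam( $_REQUEST, cbSpoofField(), '' );
		} else {
			$validateValue	=	cbGetParam( $_POST,    cbSpoofField(), '' );
		}
		// Strict comparison: with the loose '!=' two numeric-looking strings such as "0e123" and
		// "0e456" compare equal (both are numeric zero), so if the token is a hex digest a forged
		// value of that shape could have passed.
		if ( ( ! $validateValue ) || ( $validateValue !== cbSpoofString( $validateValue, $secret ) ) ) {
			if ( $mode == 2 ) {
				return false;
			}
			_cbExpiredSessionJSterminate( 200 );
			exit;
		}
	}

	// Ordinary browsers always send a User-Agent; refuse requests that don't.
	// (Presence only: the value is neither validated nor hard to forge.)
	if ( ! isset( $_SERVER['HTTP_USER_AGENT'] ) ) {
		header( 'HTTP/1.0 403 Forbidden' );
		exit( _UE_NOT_AUTHORIZED );
	}

	// Make sure the form was indeed POST'ed (requires the html form to use: method="post").
	// The previous condition was "! $_SERVER['REQUEST_METHOD'] == 'POST'", which negated the
	// string before comparing and therefore never matched. The check is now effective, but only
	// when the token is expected in POST: callers passing 'GET' / 'REQUEST' legitimately handle
	// other methods.
	$requestMethod	=	( isset( $_SERVER['REQUEST_METHOD'] ) ? strtoupper( $_SERVER['REQUEST_METHOD'] ) : '' );
	if ( $tokenFromPost && ( $requestMethod !== 'POST' ) ) {
		header( 'HTTP/1.0 403 Forbidden' );
		exit( _UE_NOT_AUTHORIZED );
	}

	// Attempt to defend against mail-header injections: refuse any POST value carrying one of these.
	// (Substring match, so e.g. "acc:" also trips on 'cc:' - this is a blunt filter by design.)
	$badStrings	=	array(
		'Content-Type:',
		'MIME-Version:',
		'Content-Transfer-Encoding:',
		'bcc:',
		'cc:'
	);

	foreach ( $_POST as $value ) {
		if ( is_array( $value ) ) {
			// Nested values are delegated once per array (previously this was re-called for every bad string).
			// NOTE(review): _cbjosSpoofCheck() is not visible here - confirm it also matches case-insensitively.
			_cbjosSpoofCheck( $value, $badStrings );
			continue;
		}
		foreach ( $badStrings as $needle ) {
			// Header names are case-insensitive, so 'Bcc:' / 'CC:' must be caught as well as 'bcc:' / 'cc:'.
			if ( stripos( (string) $value, $needle ) !== false ) {
				header( 'HTTP/1.0 403 Forbidden' );
				exit( _UE_NOT_AUTHORIZED );
			}
		}
	}

	return true;
}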