/**
 * Checks messaging anti-spam (single-argument variant)
 *
 * The POSTed 'cbvssps' value and the 'cbvs' cookie must each be three '_'-separated parts.
 * Their third parts are handed to cbGetAntiSpams(), and the request is accepted only when
 * BOTH the POSTed value and the cookie are identical (===) to the corresponding expected value.
 * NOTE(review): the comparison is strict but not constant-time; if the deployment's PHP is 5.6+,
 * hash_equals() would additionally make it constant-time.
 *
 * @param  boolean     $autoBack TRUE: hands over to _cbExpiredSessionJSterminate() on failure, FALSE: returns the error text
 * @return null|string NULL: Ok (or after _cbExpiredSessionJSterminate() returned), String: error text when $autoBack is FALSE
 */
function cbAntiSpamCheck( $autoBack = true ) {
	global $_POST;

	$postedToken = cbGetParam( $_POST, 'cbvssps', '' );
	cbimport( 'cb.session' );
	$cookieToken = CBCookie::getcookie( 'cbvs' );

	$postedParts = explode( '_', $postedToken );
	$cookieParts = explode( '_', $cookieToken );

	// Expected values are only computed when both tokens have the 3-part shape; anything else fails.
	$accepted = false;
	if ( ( count( $postedParts ) == 3 ) && ( count( $cookieParts ) == 3 ) ) {
		$expected = cbGetAntiSpams( $postedParts[2], $cookieParts[2] );
		$accepted = ( $postedToken === $expected[0] ) && ( $cookieToken === $expected[1] );
	}

	if ( $accepted ) {
		return null;
	}

	if ( ! $autoBack ) {
		return _UE_SESSION_EXPIRED . ' ' . _UE_PLEASE_REFRESH;
	}

	// Presumably terminates the request (see its definition); null is returned only if it comes back.
	_cbExpiredSessionJSterminate();

	return null;
}
/**
 * Checks messaging anti-spam
 *
 * The POSTed 'cbvssps' value and the 'cbvs' cookie must each be three '_'-separated parts.
 * Their third parts are handed to cbGetAntiSpams(), and the request is accepted when the POSTed
 * value OR the cookie is identical (===) to the corresponding expected value.
 * NOTE(review): because this is an OR, a cookie that matches on its own satisfies the check
 * regardless of what was posted; the single-argument variant of cbAntiSpamCheck() in this file
 * requires both to match. Confirm the relaxation is intended.
 *
 * @param  boolean     $autoBack    TRUE: returns code 403 and attempts a "back" in browser with Javascript, FALSE: Returns error text
 * @param  boolean     $allowPublic TRUE: Also checks for guests, FALSE: Only for registered and logged-in users
 * @return null|string NULL: Ok, String: translated error text
 */
function cbAntiSpamCheck( $autoBack = true, $allowPublic = false ) {
	global $_POST;

	$postedToken = cbGetParam( $_POST, 'cbvssps', '' );
	cbimport( 'cb.session' );
	$cookieToken = CBCookie::getcookie( 'cbvs' );

	$postedParts = explode( '_', $postedToken );
	$cookieParts = explode( '_', $cookieToken );

	// Expected values are only computed when both tokens have the 3-part shape; anything else fails.
	$accepted = false;
	if ( ( count( $postedParts ) == 3 ) && ( count( $cookieParts ) == 3 ) ) {
		$expected = cbGetAntiSpams( $postedParts[2], $cookieParts[2], $allowPublic );
		$accepted = ( $postedToken === $expected[0] ) || ( $cookieToken === $expected[1] );
	}

	if ( $accepted ) {
		return null;
	}

	if ( ! $autoBack ) {
		return CBTxt::Th( 'UE_SESSION_EXPIRED', 'Session expired or cookies are not enabled in your browser. Please press "reload page" in your browser, and enable cookies in your browser.' )
			. ' '
			. CBTxt::Th( 'UE_PLEASE_REFRESH', 'Please refresh/reload page before filling-in.' );
	}

	// Documented above as sending a 403 and a Javascript "back"; null is returned only if it comes back.
	_cbExpiredSessionJSterminate();

	return null;
}
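/**
 * Checks spoof value and other spoofing and injection tricks
 *
 * Steps, in order:
 *  1. When _CB_SPOOFCHECKS is on, the anti-spoof token is read from $var (via cbSpoofField())
 *     and must be a non-empty string byte-identical to cbSpoofString( token, $secret ).
 *  2. The request must carry a User-Agent header (a weak, trivially forgeable filter for naive bots).
 *  3. When the token is expected in $_POST (i.e. $var is neither 'GET' nor 'REQUEST'), the
 *     request method must be POST.
 *  4. No POSTed value may contain a mail-header fragment (see $badStrings), compared
 *     case-insensitively; array values are delegated to _cbjosSpoofCheck().
 *
 * Fixes versus the previous revision:
 *  - the token compare used loose `!=`, under which numeric-looking strings such as '0e123'
 *    and '0e456' compare equal; it is now a strict string compare.
 *  - the method test was `! $_SERVER['REQUEST_METHOD'] == 'POST'`, which PHP parses as
 *    `( ! $method ) == 'POST'` and therefore never rejected anything.
 *  - the header-fragment test was case-sensitive (strpos), so 'BCC:' slipped through.
 *
 * @param  string       $secret extra-hashing value for this particular spoofCheck
 * @param  string       $var    'POST', 'GET', 'REQUEST': where the anti-spoof token is read from
 * @param  int          $mode   1: exits with script to display error and go back, 2: returns true or false.
 * @return boolean or exit If $mode = 2 : returns false if session expired. Steps 2-4 always exit with a 403 on failure.
 */
function cbSpoofCheck( $secret = null, $var = 'POST', $mode = 1 ) {
	global $_POST, $_GET, $_REQUEST;

	if ( _CB_SPOOFCHECKS ) {
		if ( $var === 'GET' ) {
			$validateValue = cbGetParam( $_GET, cbSpoofField(), '' );
		} elseif ( $var === 'REQUEST' ) {
			$validateValue = cbGetParam( $_REQUEST, cbSpoofField(), '' );
		} else {
			$validateValue = cbGetParam( $_POST, cbSpoofField(), '' );
		}

		// Strict compare: a loose `==` on hash-like strings is bypassable with numeric-looking
		// values. Only strings are considered so that an array posted as the field name is rejected
		// without ever reaching cbSpoofString(). On PHP 5.6+ hash_equals( $expected, $validateValue )
		// would additionally make this comparison constant-time.
		$tokenOk = false;
		if ( is_string( $validateValue ) && $validateValue ) {
			$expected = (string) cbSpoofString( $validateValue, $secret );
			$tokenOk = ( $validateValue === $expected );
		}

		if ( ! $tokenOk ) {
			if ( (int) $mode === 2 ) {
				return false;
			}
			_cbExpiredSessionJSterminate( 200 );
			exit;
		}
	}

	// First, make sure the form was posted from a browser.
	// This only filters clients that send no User-Agent at all; it is trivially forged.
	if ( ! isset( $_SERVER['HTTP_USER_AGENT'] ) ) {
		header( 'HTTP/1.0 403 Forbidden' );
		exit( _UE_NOT_AUTHORIZED );
	}

	// Make sure the form was indeed POST'ed (requires your html form to use: method="post").
	// Applied only when the token is expected in $_POST: $var = 'GET' / 'REQUEST' is an
	// explicitly supported way to call this function and must keep working on GET requests.
	if ( ( $var !== 'GET' ) && ( $var !== 'REQUEST' ) ) {
		$requestMethod = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '';
		if ( $requestMethod !== 'POST' ) {
			header( 'HTTP/1.0 403 Forbidden' );
			exit( _UE_NOT_AUTHORIZED );
		}
	}

	// Attempt to defend against header injections: reject any POSTed value carrying one of
	// these mail-header fragments. Header names are case-insensitive, hence stripos().
	$badStrings = array( 'Content-Type:', 'MIME-Version:', 'Content-Transfer-Encoding:', 'bcc:', 'cc:' );

	foreach ( $_POST as $value ) {
		if ( is_array( $value ) ) {
			// Nested values are handled by _cbjosSpoofCheck() (called once per array rather than
			// once per bad string as before); whether it matches case-insensitively is up to its definition.
			_cbjosSpoofCheck( $value, $badStrings );
			continue;
		}

		foreach ( $badStrings as $fragment ) {
			if ( stripos( (string) $value, $fragment ) !== false ) {
				header( 'HTTP/1.0 403 Forbidden' );
				exit( _UE_NOT_AUTHORIZED );
			}
		}
	}

	// Made it past spammer test, continue rest of script:
	return true;
}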