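/**
 * Check the Spam Hurdles data for a posted form.
 *
 * When a form is posted, this function has to be called to check the
 * Spam Hurdles data that was posted along with it.
 *
 * @param string $form_id
 *   An identifier for the current form. This must be the same form id
 *   as the one that was used when calling {@link spamhurdles_api_init()}.
 *
 * @return array
 *   An array containing two elements. The first element is the result
 *   status of the spam hurdle check, one of SPAMHURDLES_OK,
 *   SPAMHURDLES_WARNING or SPAMHURDLES_FATAL. The second element is the
 *   error message, or NULL if there was no error.
 */
function spamhurdles_api_check_form($form_id)
{
    global $PHORUM;

    // Until the hurdles have had their say, the answer is a fatal reject.
    $error  = $PHORUM['DATA']['LANG']['mod_spamhurdles']['PostingRejected'];
    $status = SPAMHURDLES_FATAL;

    // Retrieve the spam hurdles data from the form.
    $data = spamhurdles_api_get_formdata($form_id);

    // No (or invalid) spam hurdles data was posted at all.
    if ($data === NULL) {
        spamhurdles_log(
            "Spam Hurdles blocked post, form id \"{$form_id}\"",
            "The posting form was posted without or with invalid " .
            "Spam Hurdles data."
        );
        return array($status, $error);
    }

    // The id in the form data must be the id we expect. Compare as strings
    // with !== instead of the original loose != so PHP's numeric-string
    // juggling ("1e3" == "1000") cannot make two different ids match. A
    // missing id is treated as a mismatch instead of raising a notice.
    $posted_id = isset($data['id']) ? (string) $data['id'] : '';
    if (!isset($data['id']) || $posted_id !== (string) $form_id) {
        // NOTE(review): the posted id ends up in the log text; whether
        // spamhurdles_log() escapes it for HTML display is not visible here.
        spamhurdles_log(
            "Spam Hurdles blocked post, form id \"{$form_id}\"",
            "The posting form was posted with an invalid Spam Hurdles " .
            "form id.<br/>" .
            "<br/>" .
            "Posted form id = {$posted_id}<br/>" .
            "Expected form id = {$form_id}"
        );
        return array($status, $error);
    }

    // The data must not have passed its TTL. A missing or non-numeric TTL
    // counts as expired (cast to int), so garbage can never extend it.
    $ttl = isset($data['ttl']) ? (int) $data['ttl'] : 0;
    if ($ttl < time()) {
        // Only for 5.2. In 5.3 this was moved to formatting API functions.
        if (file_exists('./include/format_functions.php')) {
            require_once './include/format_functions.php';
        }
        spamhurdles_log(
            "Spam Hurdles blocked post, form id \"{$form_id}\"",
            "The posting form was posted with valid Spam Hurdles data, " .
            "but the data expired at " .
            phorum_date($PHORUM["short_date_time"], $ttl)
        );
        return array($status, $error);
    }

    // Let the individual spam hurdles check the data. A hurdle that sees a
    // problem sets $data['error'] and $data['status']; it can also append
    // messages to the $data['log'] array.
    $data['error']  = NULL;
    $data['status'] = SPAMHURDLES_OK;
    $data['log']    = array();
    $data = spamhurdles_hurdle_call('check_form', $data, $data['hurdles']);

    $status = $data['status'];
    if ($status !== SPAMHURDLES_OK) {
        // Anything that is not a fatal block is reported as a warning.
        $block_type = ($status === SPAMHURDLES_FATAL) ? 'fatal' : 'warning';
        $info = empty($data['log'])
              ? ''
              : "\n\nInfo: " . implode(' ', $data['log']);
        spamhurdles_log(
            "Spam Hurdles blocked post, form id \"{$form_id}\"",
            "Block type: " . $block_type . "\n" .
            "Block error: \"" . $data['error'] . "\"" . $info
        );
    }

    return array($data['status'], $data['error']);
}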
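/**
 * Run the Spam Hurdles checks for a submitted form.
 *
 * @param string $type
 *   The type of the form that was submitted (e.g. "posting"). It must
 *   match the form type that was linked to the Spam Hurdles key when the
 *   form was initialized.
 *
 * @return mixed
 *   NULL when all enabled checks pass. A language string when the post
 *   has to be rejected with a message for the user (CAPTCHA failure, or
 *   the "unapprove" block action). Hard blocks are handed to
 *   spamhurdles_blockerror(), which is assumed not to return.
 */
function phorum_mod_spamhurdles_run_submitcheck($type)
{
    $PHORUM      = $GLOBALS["PHORUM"];
    $spamhurdles = $PHORUM["SPAMHURDLES"];
    $conf        = $PHORUM["mod_spamhurdles"];
    $do_block    = FALSE;

    // We should have spamhurdles information at all times. If not, this
    // probably means somebody is posting data directly to the form, or is
    // trying to repost using an already expired/used key.
    if (!isset($PHORUM["SPAMHURDLES"]["key"])) {
        if (($spamhurdles == NULL || $spamhurdles["prev_key_expired"]) &&
            do_spamhurdle("blockmultipost")) {
            spamhurdles_log(
                "Spam Hurdles blocked \"{$type}\" post",
                "The posting form was posted without or with an expired " .
                "Spam Hurdles key."
            );
            $do_block = TRUE;
        } else {
            // Multipost blocking is not enabled: initialize fresh spam
            // hurdles data and let the other enabled checks do their work
            // (they fail on their own if they are enabled). The original
            // routed this through an unused, misspelled "$phorum" local;
            // the net effect was exactly this assignment.
            $spamhurdles = phorum_mod_spamhurdles_init($type);
        }
    }

    // If the form type in the spamhurdles data does not match the real
    // form type, a key issued for form type 1 is being used for form type
    // 2. This is definitely data tampering: no friendly warning here.
    // NOTE(review): this reads the $PHORUM["SPAMHURDLES"] snapshot, not the
    // freshly initialized $spamhurdles from the branch above, so the two
    // can disagree in that branch. Left as-is to preserve behaviour.
    if (!$do_block && $PHORUM["SPAMHURDLES"]["form_type"] !== $type) {
        spamhurdles_log(
            "Spam Hurdles blocked \"{$type}\" post",
            "The Spam Hurdles form type that is linked to the posting key " .
            "is \"{$PHORUM["SPAMHURDLES"]["form_type"]}\", but the real " .
            "form type is \"{$type}\"."
        );
        spamhurdles_blockerror();
    }

    // Message posting form: enforce the minimum key TTL. A post that arrives
    // faster than the configured minimum is blocked (quick post check).
    if (!$do_block && $type == "posting" && do_spamhurdle("blockquickpost")) {
        $key_age = time() - $spamhurdles["create_time"];
        $delay   = $conf["key_min_ttl"] - $key_age;
        if ($delay > 0) {
            // The original message said the key "expired", which is the
            // opposite of what happened; the post was too fast.
            spamhurdles_log(
                "Spam Hurdles blocked \"{$type}\" post",
                "The posting form was submitted before the minimum key " .
                "TTL elapsed ({$delay} second(s) too early)."
            );
            $do_block = TRUE;
        }
    }

    // Check if an HTML commented form field was submitted (honeypot).
    if (!$do_block && do_spamhurdle("commentfieldcheck")) {
        if (array_key_exists("commentname", $_POST)) {
            spamhurdles_log(
                "Spam Hurdles blocked \"{$type}\" post",
                "An HTML commented form field was submitted. This most " .
                "probably is a badly programmed posting bot."
            );
            $do_block = TRUE;
        }
    }

    // Check if javascript signing was done for the message posting form.
    if (!$do_block && $type == "posting" && do_spamhurdle("jsmd5check")) {
        $sig      = md5($spamhurdles["key"] . $spamhurdles["signkey"]);
        $received = isset($_POST["spamhurdles_signature"])
                  ? $_POST["spamhurdles_signature"] : NULL;
        // Strict string comparison. The original used != on two strings,
        // which lets PHP compare numeric-looking hashes numerically
        // ("0e..." == "0"). A non-string value (spamhurdles_signature[]=x)
        // is rejected outright.
        if (!is_string($received) || $received !== $sig) {
            // NOTE(review): the received value is client-supplied and is
            // written to the log verbatim; escaping on display is up to
            // spamhurdles_log().
            spamhurdles_log(
                "Spam Hurdles blocked \"{$type}\" post",
                "Javascript signing is enabled, but the client either " .
                "did not sign the provided data or did sign it wrongly.\n\n" .
                "Expected signature: {$sig}\n" .
                "Received signature: " .
                (is_string($received) ? $received : 'n/a')
            );
            $do_block = TRUE;
        }
    }

    // Check if the captcha is filled in right.
    if (!$do_block && isset($spamhurdles["captcha"])) {
        $class = $spamhurdles["captcha_class"];
        // The class name is spliced into a require_once path. It should
        // only ever come from server-side Spam Hurdles state, but restrict
        // it to an identifier anyway so a bad value can never turn into an
        // arbitrary file include or instantiate an unexpected class.
        if (!is_string($class) || !preg_match('/^[A-Za-z0-9_]+$/', $class)) {
            spamhurdles_log(
                "Spam Hurdles blocked \"{$type}\" post",
                "Invalid CAPTCHA class name in the Spam Hurdles data."
            );
            spamhurdles_blockerror();
            // Fail closed should blockerror() ever return.
            return $PHORUM["DATA"]["LANG"]["mod_spamhurdles"]["PostingRejected"];
        }
        require_once "./mods/spamhurdles/captcha/class.{$class}.php";
        $captcha = new $class();
        $error = $captcha->check_answer($spamhurdles["captcha"]);
        if ($error) {
            spamhurdles_log(
                "Spam Hurdles blocked \"{$type}\" post",
                "The CAPTCHA check failed: {$error}"
            );
            // A CAPTCHA failure is reported to the user directly, regardless
            // of the configured block action.
            return $error;
        }
    }

    // Handle the default blocking case. Which method of blocking to use for
    // message posting can be configured from the module settings page.
    if ($do_block) {
        if ($type == "posting" && $conf["blockaction"] == "unapprove") {
            phorum_mod_spamhurdles_init($type, array("unapprove" => 1));
            return $PHORUM["DATA"]["LANG"]["mod_spamhurdles"]["PostingUnapproveError"];
        } else {
            spamhurdles_blockerror();
        }
    }

    // All is okay!
    return NULL;
}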