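/**
 * Block 'posted' spam in either comments or trackbacks.
 *
 * Every parameter from $_GET and $_POST (except a fixed set of form fields
 * that legitimately carry free text or control values) is concatenated,
 * lower-cased and searched for each literal phrase of the block list
 * (db/ignored_domains.txt.php + db/ignored_global.txt.php, loaded once into
 * the global $blockArray). Matching is case-insensitive: the phrase is
 * lower-cased as well, otherwise a list entry containing capitals could
 * never match the lower-cased request data. Blank lines and entries
 * containing '*' are skipped; a blank needle would otherwise match every
 * request on PHP 8 (strpos() returns 0 for an empty needle).
 *
 * Returns true when the checks ran (or there was nothing to check). On a
 * match the function echoes a notice, reports the request through
 * logspammer() from modules/module_spamkiller.php and terminates the script.
 *
 * @return boolean
 */
function block_postedspam()
{
    global $blockArray;
    // Load the block list lazily; a missing or unreadable file contributes nothing.
    if (!isset($blockArray)) {
        $blockArray = array();
        $listFiles = array("ignored_domains.txt.php", "ignored_global.txt.php");
        foreach ($listFiles as $listFile) {
            $listPath = dirname(__FILE__) . "/db/" . $listFile;
            if (!file_exists($listPath)) {
                continue;
            }
            $lines = file($listPath);
            if ($lines !== false) {
                $blockArray = array_merge($blockArray, $lines);
            }
        }
    }
    // Request fields that are either content (checked elsewhere) or plain control
    // values; they are excluded from the phrase scan.
    $ignoredParams = array(
        'p', 'f_title', 'f_subtitle', 'f_introduction_text', 'f_body_text',
        'f_introduction', 'f_body', 'f_vialink', 'f_viatitle', 'tb_url',
        // parameters from the comment form that carry no free text
        'piv_spkey', 'piv_code', 'piv_weblog', 'piv_notify', 'piv_discreet',
        'piv_rememberinfo', 'post',
    );
    $postedData = array_diff_key(array_merge($_GET, $_POST), array_flip($ignoredParams));
    // Flatten everything into one string. Nested arrays (foo[bar][]=x) are
    // walked down to their leaves so no value escapes the scan as "Array".
    $haystack = "";
    foreach ($postedData as $value) {
        if (is_array($value)) {
            $leaves = iterator_to_array(
                new RecursiveIteratorIterator(new RecursiveArrayIterator($value)),
                false
            );
            $haystack .= implode(" ", $leaves);
        } else {
            $haystack .= " " . $value;
        }
    }
    $haystack = strtolower($haystack);
    if (strlen($haystack) < 3) {
        // Nothing worth scanning.
        return true;
    }
    foreach ($blockArray as $blockPhrase) {
        $needle = strtolower(trim($blockPhrase));
        // Skip blank lines (an empty needle matches everything on PHP 8) and
        // wildcard entries: only literal substring matching is done here.
        if ($needle === '' || strpos($needle, "*") !== false) {
            continue;
        }
        if (strpos($haystack, $needle) !== false) {
            echo "Spam is not appreciated.";
            include_once dirname(__FILE__) . "/modules/module_spamkiller.php";
            logspammer($haystack, "bpcomment");
            die;
        }
    }
    return true;
}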
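/**
 * Block 'posted' spam in either comments or trackbacks.
 *
 * Every parameter from $_POST and $_GET (except the 'id' of the entry and a
 * fixed set of form fields that legitimately carry free text or control
 * values) is concatenated, lower-cased and searched for each literal phrase
 * of db/blocked_phrases.txt (loaded once into the global $blockArray).
 * Matching is case-insensitive: the phrase is lower-cased as well, otherwise
 * a list entry containing capitals could never match the lower-cased request
 * data. Blank lines and entries containing '*' are skipped; a blank needle
 * would otherwise match every request on PHP 8 (strpos() returns 0 for an
 * empty needle).
 *
 * Returns true when the checks ran (or there was nothing to check). On a
 * match the function echoes a notice, reports the request (including the
 * targeted entry id, if any) through logspammer() from
 * modules/module_spamkiller.php and terminates the script.
 *
 * @return boolean
 */
function block_postedspam()
{
    global $blockArray;
    // Load the block list lazily; a missing or unreadable file contributes nothing.
    if (!isset($blockArray)) {
        $blockArray = array();
        $listPath = dirname(__FILE__) . "/db/blocked_phrases.txt";
        if (file_exists($listPath)) {
            $lines = file($listPath);
            if ($lines !== false) {
                $blockArray = array_merge($blockArray, $lines);
            }
        }
    }
    $postedData = array_merge((array) $_POST, (array) $_GET);
    // Remember which entry was targeted (for the log line only) and keep it
    // out of the scanned data. A non-scalar 'id' (id[]=...) is ignored.
    $id = '';
    if (isset($postedData['id']) && is_scalar($postedData['id'])) {
        $id = (string) $postedData['id'];
    }
    unset($postedData['id']);
    // Request fields that are either content (checked elsewhere) or plain control
    // values; they are excluded from the phrase scan.
    $ignoredParams = array(
        'p', 'f_title', 'f_subtitle', 'f_introduction_text', 'f_body_text',
        'f_introduction', 'f_body', 'f_vialink', 'f_viatitle', 'tb_url',
        // parameters from the comment form that carry no free text
        'piv_spkey', 'piv_code', 'piv_weblog', 'piv_notify', 'piv_discreet',
        'piv_rememberinfo', 'post',
    );
    $postedData = array_diff_key($postedData, array_flip($ignoredParams));
    // Flatten everything into one string. Nested arrays (foo[bar][]=x) are
    // walked down to their leaves so no value escapes the scan as "Array".
    $haystack = "";
    foreach ($postedData as $value) {
        if (is_array($value)) {
            $leaves = iterator_to_array(
                new RecursiveIteratorIterator(new RecursiveArrayIterator($value)),
                false
            );
            $haystack .= implode(" ", $leaves);
        } else {
            $haystack .= " " . $value;
        }
    }
    $haystack = strtolower($haystack);
    if (strlen($haystack) < 3) {
        // Nothing worth scanning.
        return true;
    }
    foreach ($blockArray as $blockPhrase) {
        $needle = strtolower(trim($blockPhrase));
        // Skip blank lines (an empty needle matches everything on PHP 8) and
        // wildcard entries: only literal substring matching is done here.
        if ($needle === '' || strpos($needle, "*") !== false) {
            continue;
        }
        if (strpos($haystack, $needle) !== false) {
            echo "Spam is not appreciated.";
            include_once dirname(__FILE__) . "/modules/module_spamkiller.php";
            // NOTE(review): $id is request-controlled and goes into the log
            // line verbatim; whether logspammer() escapes it is not visible here.
            $where = ($id !== '') ? " (on entry {$id})" : '';
            $text = "Request{$where} matched blocked phrase '" . trim($blockPhrase) . "'";
            $text .= ' * Posted data: ' . $haystack;
            logspammer($text, "bpcomment");
            die;
        }
    }
    return true;
}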
/**
 * Process a comment submitted through the comment form ($_POST) for the entry
 * identified by $_POST['piv_code'].
 *
 * Builds the comment record in the global $temp_comment, runs the checks
 * visible below (closed comments, Hashcash, SpamQuiz, duplicate detection,
 * spam score, maximum number of links, missing name/comment) and, depending
 * on the outcome, either stores the comment on the entry and redirects, or
 * switches the request into "preview" mode so the form is shown again with a
 * message in the global $weblogmessage.
 *
 * Side effects: rewrites $_POST (sanitises fields, toggles 'post'/'preview',
 * unsets it after a successful store), sets $temp_comment and $weblogmessage,
 * writes the entry, clears caches, may set the spamquiz cookie, and either
 * die()s (closed comments) or exit()s after the redirect.
 *
 * @return void
 */
function handlePostComment()
{
    global $weblogmessage, $PIVOTX, $temp_comment;
    // NOTE(review): piv_code is passed to read_entry() as received; it is only
    // intval()'d further down when stored as entry_uid. read_entry() is assumed
    // to cope with a non-numeric value -- confirm.
    $entry = $PIVOTX['db']->read_entry($_POST['piv_code']);
    // Check if we're allowed to comment on this entry. 'isset' is needed, because old entries
    // might not have 'allow comments' set to either choice (such entries accept comments).
    if (isset($entry['allow_comments']) && $entry['allow_comments'] == 0) {
        echo "Spam is not appreciated.";
        logspammer($_POST['piv_comment'], "closedcomments");
        die;
    }
    // execute a hook here before a comment is processed
    $PIVOTX['extensions']->executeHook('comment_before_processing', $entry);
    $registered = 0;
    // check if the current poster is a (logged in) registered visitor.
    // 'registered' is only granted when the posted name equals the logged-in visitor's name.
    require_once $PIVOTX['paths']['pivotx_path'] . 'modules/module_userreg.php';
    $visitors = new Visitors();
    if ($visitor = $visitors->isLoggedIn()) {
        if ($visitor['name'] == $_POST['piv_name']) {
            $registered = 1;
        }
    }
    // Strip out HTML from input.. (name/email/url lose all tags; the comment body
    // keeps either everything or a small inline whitelist, depending on config)
    $_POST['piv_name'] = strip_tags($_POST['piv_name']);
    $_POST['piv_email'] = strip_tags($_POST['piv_email']);
    $_POST['piv_url'] = strip_tags($_POST['piv_url']);
    if ($PIVOTX['config']->get('allow_html_in_comments') == 1) {
        $_POST['piv_comment'] = stripTagsAttributes($_POST['piv_comment'], "*");
    } else {
        $_POST['piv_comment'] = stripTagsAttributes($_POST['piv_comment'], "<b><em><i><strong>");
    }
    // Do some more processing on the comment itself: trimming, standardizing line-breaks.
    $comment_text = stripTrailingSpace($_POST['piv_comment']);
    $comment_text = str_replace("\r\n", "\n", $comment_text);
    // CRLF(Win) to LF
    $comment_text = str_replace("\r", "\n", $comment_text);
    // CR(Mac) to LF
    // Assemble the comment record. REMOTE_ADDR and HTTP_USER_AGENT are stored as
    // received (no encodeText/strip_tags), so whatever renders 'useragent' must
    // escape it. Missing piv_notify/piv_discreet/piv_rememberinfo keys raise
    // undefined-index notices. spamscore starts at 0 here.
    $temp_comment = array('entry_uid' => intval($_POST['piv_code']), 'name' => encodeText($_POST['piv_name']), 'email' => encodeText($_POST['piv_email']), 'url' => encodeText($_POST['piv_url']), 'ip' => $_SERVER['REMOTE_ADDR'], 'useragent' => $_SERVER['HTTP_USER_AGENT'], 'date' => formatDate("", "%year%-%month%-%day%-%hour24%-%minute%"), 'comment' => $comment_text, 'registered' => $registered, 'notify' => intval($_POST['piv_notify']), 'discreet' => intval($_POST['piv_discreet']), 'rememberinfo' => intval($_POST['piv_rememberinfo']), 'moderate' => $PIVOTX['config']->get('moderate_comments'), 'spamscore' => 0);
    if ($temp_comment['rememberinfo'] == 1) {
        rememberCommentInfo($temp_comment);
    }
    //here we do a check to prevent double entries...
    // A comment counts as a duplicate when it comes from the same IP and its
    // edit distance to an existing comment (first 200 chars) is small relative
    // to that comment's length: $diff == (levenshtein + 1) / min(len, 200).
    // NOTE(review): an existing comment whose 'comment' field is empty makes
    // this 1/0 -- confirm such records cannot exist.
    $duplicate = FALSE;
    if (isset($entry['comments']) && count($entry['comments']) > 0) {
        foreach ($entry['comments'] as $loop_comment) {
            $diff = 1 / (min(strlen($loop_comment['comment']), 200) / (levenshtein(substr($loop_comment['comment'], 0, 200), substr($temp_comment['comment'], 0, 200)) + 1));
            if ($diff < 0.25 && $loop_comment['ip'] == $temp_comment['ip']) {
                $duplicate = TRUE;
                break;
            }
        }
    }
    // Check for Hashcash violations.. A failure does not abort the request: the
    // comment is forced into preview mode (so it is not stored) and logged.
    if ($PIVOTX['config']->get('hashcash') == 1 && !hashcash_check_hidden_tag()) {
        $weblogmessage = getDefault($PIVOTX['config']->get('hashcash_message'), __('The Hashcash code was not valid, so this comment could not be posted. If you believe this is an error, please make sure you have a modern browser, and that Javascript is enabled. If it still doesn\'t work, contact the maintainer of this website.'));
        unset($_POST['post']);
        $_POST['preview'] = true;
        $spammessage = substr(implode(", ", $temp_comment), 0, 250);
        logspammer($_SERVER["REMOTE_ADDR"], "hashcash", "pom pom pom", $spammessage);
    }
    // Check for SpamQuiz violations, but not when previewing..
    if ($PIVOTX['config']->get('spamquiz') == 1 && !isset($_POST['preview'])) {
        // Is the entry old enough? The quiz only applies to entries older than
        // 'spamquiz_age' days.
        // NOTE(review): the date is read from $PIVOTX['db']->entry, not the local
        // $entry -- presumably the same record after read_entry(); confirm.
        $entryDate = substr($PIVOTX['db']->entry['date'], 0, 10);
        $then = strtotime($entryDate);
        $secsPerDay = 60 * 60 * 24;
        $now = strtotime('now');
        $diff = $now - $then;
        $dayDiff = $diff / $secsPerDay;
        $numDaysOld = (int) $dayDiff;
        if ($numDaysOld > $PIVOTX['config']->get("spamquiz_age")) {
            // Case-insensitive, loose comparison against the single site-wide answer.
            if (strtolower($_POST['spamquiz_answer']) != strtolower($PIVOTX['config']->get("spamquiz_answer"))) {
                $weblogmessage = __('The Spamquiz answer was not correct, so this comment could not be posted. If you believe this is an error, please try again. If it still doesn\'t work, contact the maintainer of this website.');
                unset($_POST['post']);
                $_POST['preview'] = true;
                logspammer($_SERVER["REMOTE_ADDR"], "spamquiz");
            } else {
                // Store the correct answer in a cookie (in clear, as submitted).
                $sess = $PIVOTX['session'];
                setcookie("spamquiz_answer", $_POST["spamquiz_answer"], time() + $sess->cookie_lifespan, $sess->cookie_path, $sess->cookie_domain);
            }
        }
    }
    // set the message and take proper action:
    // preview -> spam score -> duplicate -> store (moderated or not).
    if (isset($_POST['preview'])) {
        // Add a 'show in preview' flag to $temp_comment, otherwise it would be suppressed on display
        $temp_comment['showpreview'] = 1;
        // update the current entry
        $entry['comments'][] = $temp_comment;
        if (empty($weblogmessage)) {
            $weblogmessage = __('You are previewing your comment. Be sure to click on "Post Comment" to store it.');
        }
        unset($_POST['post']);
        $_POST['preview'] = TRUE;
    } else {
        // NOTE(review): spamscore was set to 0 when the record was built above;
        // only code running in between (e.g. extensions touching the global
        // $temp_comment) can raise it -- confirm.
        if ($temp_comment['spamscore'] > $PIVOTX['config']->get('spamthreshold')) {
            // Add a 'show in preview' flag to $temp_comment, otherwise it would be suppressed on display
            $temp_comment['showpreview'] = 1;
            $weblogmessage = __('Your comment has not been stored, because it seems to be spam.');
            unset($_POST['post']);
            $_POST['preview'] = TRUE;
        } else {
            if ($duplicate) {
                $temp_comment['duplicate'] = true;
                // Add a 'show in preview' flag to $temp_comment, otherwise it would be suppressed on display
                $temp_comment['showpreview'] = 1;
                $weblogmessage = __('Your comment has not been stored, because it seems to be a duplicate of a previous entry.');
                unset($_POST['post']);
                $_POST['preview'] = TRUE;
            } else {
                if ($PIVOTX['config']->get('moderate_comments') == 1) {
                    // update the current entry
                    $entry['comments'][] = $temp_comment;
                    $weblogmessage = __('Your comment has been stored. Because comment moderation is enabled, it is now waiting for approval by an editor.');
                    $_POST['post'] = TRUE;
                } else {
                    // update the current entry
                    $entry['comments'][] = $temp_comment;
                    $weblogmessage = __('Your comment has been stored.');
                    $_POST['post'] = TRUE;
                }
            }
        }
    }
    // if comment or name is missing, give a notice, and show the form again..
    // These checks run after the decision tree above and override it: they
    // always force preview mode, so a nameless/empty comment is never stored.
    if (strlen($temp_comment['name']) < 2) {
        $weblogmessage = __('You should type your name (or an alias) in the "name"-field. Be sure to click on "Post Comment" to store it permanently.');
        unset($_POST['post']);
        $_POST['preview'] = TRUE;
    }
    if (strlen($temp_comment['comment']) < 3) {
        $weblogmessage = __('You should type something in the "comment"-field. Be sure to click on "Post Comment" to store it permanently.');
        unset($_POST['post']);
        $_POST['preview'] = TRUE;
    }
    // Link limit: "href=" is counted both in the raw comment and in its
    // commentFormat()ed form, so auto-linked URLs count as well.
    if ($PIVOTX['config']->get('maxhrefs') > 0) {
        $low_comment = strtolower($temp_comment['comment']);
        $low_comment_formatted = strtolower(commentFormat($temp_comment['comment']));
        if (substr_count($low_comment, "href=") > $PIVOTX['config']->get('maxhrefs') || substr_count($low_comment_formatted, "href=") > $PIVOTX['config']->get('maxhrefs')) {
            $weblogmessage = __('The maximum number of hyperlinks was exceeded. Stop spamming.');
            unset($_POST['post']);
            $_POST['preview'] = TRUE;
        }
    }
    // execute a hook here after a comment is processed but before that comment is saved
    $PIVOTX['extensions']->executeHook('comment_before_save', $entry);
    // Only a request that survived every check with $_POST['post'] still set is stored.
    if (isset($_POST['post'])) {
        $PIVOTX['db']->set_entry($entry);
        $PIVOTX['db']->save_entry(FALSE);
        // do not update the index.
        // Remove the compiled/parsed pages from the cache.
        if ($PIVOTX['config']->get('smarty_cache')) {
            $PIVOTX['template']->clear_cache();
        }
        //update the 'latest comments' file
        if (isset($temp_comment)) {
            if ($PIVOTX['config']->get('moderate_comments') != 1) {
                generateLatestComments($temp_comment);
                debug("comment from '" . $_POST['piv_name'] . "' added.");
            } else {
                generateModerationQueue($temp_comment);
                debug("comment from '" . $_POST['piv_name'] . "' added to moderation queue.");
            }
        }
        // Handle the users that want to be notified via email..
        // NOTE(review): $notifications is only assigned inside this branch; with
        // dont_send_mail_notification == 1 the sendMailComment() call below
        // receives an undefined variable.
        if ($PIVOTX['config']->get('dont_send_mail_notification') != 1) {
            $notifications = sendMailNotification('comment', array($PIVOTX['db']->entry, $temp_comment, $PIVOTX['config']->get('moderate_comments')));
        }
        // send mail..
        sendMailComment($temp_comment, $notifications);
        // Don't display the 'preview' of the comment after posting.
        $temp_comment = array();
        unset($_POST);
        // Clean the simple cache..
        $PIVOTX['cache']->clear();
        // Remove the compiled/parsed pages from the cache.
        if ($PIVOTX['config']->get('smarty_cache')) {
            $PIVOTX['template']->clear_cache();
        }
        // Redirect to the entrypage from which we came. (prevents reload-resubmit)
        // REQUEST_URI is client-supplied; the redirect goes back to the same
        // path/query with the message appended as a query parameter.
        // NOTE(review): this relies on header() rejecting embedded CR/LF in the
        // value -- confirm for the PHP version in use.
        $uri = $_SERVER['REQUEST_URI'];
        if (strpos($uri, "?") > 0) {
            $uri .= "&weblogmessage=" . urlencode($weblogmessage);
        } else {
            $uri .= "?weblogmessage=" . urlencode($weblogmessage);
        }
        header('Location: ' . $uri);
        exit;
    }
    // Set the 'you are previewing' message..
    if (isset($_POST['preview']) && empty($weblogmessage)) {
        $weblogmessage = __('You are previewing your comment. Be sure to click on "Post Comment" to store it.');
    }
    // execute a hook here after a comment is saved and the mails are sent
    // (only reached on the preview path; the store path exits after the redirect above)
    $PIVOTX['extensions']->executeHook('comment_after_save', $entry);
    // After messing about with the comments, clear the cache.
    $PIVOTX['cache']->cache['entries'] = array();
}
         $db->save_entry(FALSE);
         // do not update the index.
         $db->unread_entry($entry['code']);
         generate_pages($Pivot_Vars['piv_code'], TRUE, TRUE, FALSE, FALSE, FALSE);
     }
     echo $message;
     echo "<script>self.focus(); </script>";
     echo "<br /><br /><div align=\"center\"><input type='button' value='ok' onclick='if (window.opener) { window.opener.location.reload(); } self.close();'></div>";
     die;
 } else {
     // we comment !!
     // Check if we're allowed to comment on this entry. 'isset' is needed, because old entries
     // might not have 'allow comments' set to either choice.
     if (isset($entry['allow_comments']) && $entry['allow_comments'] == 0) {
         echo "Spam is not appreciated.";
         logspammer($Pivot_Vars['piv_comment'], "closedcomments");
         die;
     }
     $registered = 0;
     // check if we are TEH REG USER..
     if (strlen($_COOKIE['piv_reguser']) > 4) {
         list($reg_name, $reg_hash) = explode("|", $_COOKIE['piv_reguser']);
         debug("reg: {$reg_name}, {$reg_hash}");
         if (check_user_hash($reg_name, $reg_hash) && $reg_name == $Pivot_Vars['piv_name']) {
             $registered = 1;
         }
     }
     // If magic_quotes_gpc is set, we need to strip slashes..
     if (get_magic_quotes_gpc()) {
         $Pivot_Vars['piv_name'] = stripslashes($Pivot_Vars['piv_name']);
         $Pivot_Vars['piv_email'] = stripslashes($Pivot_Vars['piv_email']);
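/**
 * Check the trackback for spam (currently using Hardened Trackback if enabled).
 *
 * With hardened trackback switched on, a trackback is only accepted when the
 * request carries a one-time key: a 32-character lowercase hex string that
 * names a file in db/tbkeys/ created at most 900 seconds ago (adjusted by
 * timediffwebfile()). The key file is deleted on use, so a key can only be
 * spent once. Every rejection is reported through logspammer() and ends the
 * request with exit.
 *
 * The key is validated with an end-of-string anchor (\z, not $) before it is
 * used as a file name: '$' in PCRE also matches before a trailing newline, so
 * "<32 hex>\n" would have passed the pattern. The pattern is what keeps the
 * key safe to concatenate into a path.
 *
 * Note the return value is inconsistent: true when hardened trackback is
 * disabled, nothing (null) when the key was accepted. Callers must not treat
 * a falsy return as rejection; rejection always exits.
 *
 * @return void
 */
function killtrackbackspam()
{
    global $Pivot_Vars, $Paths, $Cfg;
    // Nothing to enforce unless hardened trackback is switched on.
    if ($Cfg["hardened_trackback"] != 1) {
        return true;
    }
    $keydir = $Paths["pivot_path"] . "db/tbkeys/";
    // Treat a missing key/url as empty instead of passing null around.
    $key = isset($Pivot_Vars["key"]) ? (string) $Pivot_Vars["key"] : '';
    $url = isset($Pivot_Vars['url']) ? urldecode($Pivot_Vars['url']) : '';
    if (strlen($key) < 32) {
        logspammer('tampered key: invalid length', "htrackback", $url);
        exit;
    }
    // Exactly 32 lowercase hex chars, nothing before or after (\z: no trailing newline).
    if (!preg_match('/^[a-f0-9]{32}\z/', $key)) {
        logspammer('tampered key: invalid characters found', "htrackback", $url);
        exit;
    }
    $keyFile = $keydir . $key;
    if (!file_exists($keyFile)) {
        logspammer('key not found', "htrackback");
        exit;
    }
    $offset = timediffwebfile();
    if (time() - filectime($keyFile) > 900 + $offset) {
        // Expired: remove it so it cannot be retried, then log the attempt.
        @unlink($keyFile);
        // pbl_suspectIP($aConfig["blockstrikes"]);
        $excerpt = isset($Pivot_Vars['excerpt']) ? stripslashes(urldecode($Pivot_Vars['excerpt'])) : '';
        logspammer($excerpt, "htrackback", $url);
        exit;
    }
    // Valid and fresh: consume the one-time key.
    unlink($keyFile);
}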
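/**
 * Check the trackback for spam (currently using Hardened Trackback if enabled).
 *
 * With hardened trackback switched on, a trackback is only accepted when the
 * request carries a one-time key in $_GET['key']: a 32-character lowercase
 * hex string that names a file in <db_path>/tbkeys/ created at most 900
 * seconds ago (adjusted by timediffwebfile()). The key file is deleted on
 * use, so a key can only be spent once. Every rejection is reported through
 * logspammer() (with the posted 'url' where the original did so) and ends
 * the request with exit.
 *
 * The key is validated with an end-of-string anchor (\z, not $) before it is
 * used as a file name: '$' in PCRE also matches before a trailing newline, so
 * "<32 hex>\n" would have passed the pattern. The pattern is what keeps the
 * key safe to concatenate into a path.
 *
 * Note the return value is inconsistent: true when hardened trackback is
 * disabled, nothing (null) when the key was accepted. Callers must not treat
 * a falsy return as rejection; rejection always exits.
 *
 * @return void
 */
function killtrackbackspam()
{
    global $PIVOTX;
    // Nothing to enforce unless hardened trackback is switched on.
    if ($PIVOTX['config']->get('hardened_trackback') != 1) {
        return true;
    }
    $keydir = $PIVOTX['paths']["db_path"] . "tbkeys/";
    // Read the key once and use that copy throughout; missing values become ''.
    $key = isset($_GET["key"]) ? (string) $_GET["key"] : '';
    $url = isset($_POST['url']) ? $_POST['url'] : '';
    if (strlen($key) < 32) {
        logspammer('tampered key: invalid length', "htrackback", $url);
        exit;
    }
    // Exactly 32 lowercase hex chars, nothing before or after (\z: no trailing newline).
    if (!preg_match('/^[a-f0-9]{32}\z/', $key)) {
        logspammer('tampered key: invalid characters found', "htrackback", $url);
        exit;
    }
    $keyFile = $keydir . $key;
    if (!file_exists($keyFile)) {
        logspammer('key not found', "htrackback");
        exit;
    }
    $offset = timediffwebfile();
    if (time() - filectime($keyFile) > 900 + $offset) {
        // Expired: remove it so it cannot be retried, then log the attempt.
        @unlink($keyFile);
        // pbl_suspectIP($aConfig["blockstrikes"]);
        $excerpt = isset($_POST['excerpt']) ? stripslashes($_POST['excerpt']) : '';
        logspammer($excerpt, "htrackback", $url);
        exit;
    }
    // Valid and fresh: consume the one-time key.
    unlink($keyFile);
}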