Changeset 1737

Timestamp:

Jan 19, 2007, 3:56:54 AM (17 years ago)

Author:

rvelices

Message:

feature 625: comment anti-spam - protect against some of the spam robots

Location:

trunk

Files:

• include/picture_comment.inc.php (modified) (4 diffs)
• install/config.sql (modified) (1 diff)
• install/db/43-database.php (added)
• template/yoga/picture.tpl (modified) (1 diff)

trunk/include/picture_comment.inc.php

@@ -3 +3 @@
 // | PhpWebGallery - a PHP based picture gallery                           |
 // | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
-// | Copyright (C) 2003-2005 PhpWebGallery Team - http://phpwebgallery.net |
+// | Copyright (C) 2003-2007 PhpWebGallery Team - http://phpwebgallery.net |
 // +-----------------------------------------------------------------------+
 // | branch        : BSF (Best So Far)
-// | file          : $RCSfile$
+// | file          : $Id$
 // | last update   : $Date$
 // | last modifier : $Author$
@@ -30 +30 @@
  *
  */
+
+if (!function_exists('hash_hmac'))
+{
+function hash_hmac($algo, $data, $key, $raw_output=false)
+{
+  /* md5 and sha1 only */
+  $algo=strtolower($algo);
+  $p=array('md5'=>'H32','sha1'=>'H40');
+  if ( !isset($p[$algo]) or !function_exists($algo) )
+  {
+    $algo = 'md5';
+  }
+  if(strlen($key)>64) $key=pack($p[$algo],$algo($key));
+  if(strlen($key)<64) $key=str_pad($key,64,chr(0));
+
+  $ipad=substr($key,0,64) ^ str_repeat(chr(0x36),64);
+  $opad=substr($key,0,64) ^ str_repeat(chr(0x5C),64);
+
+  $ret = $algo($opad.pack($p[$algo],$algo($ipad.$data)));
+  if ($raw_output)
+  {
+    $ret = pack('H*', $ret);
+  }
+  return $ret;
+}
+}
+
 //returns string action to perform on a new comment: validate, moderate, reject
 function user_comment_check($action, $comment, $picture)
@@ -138 +165 @@
   }
 
+  $key = explode(':', @$_POST['key']);
+  if ( count($key)!=2
+        or $key[0]>time() or $key[0]<time()-1800 // 30 minutes expiration
+        or hash_hmac('md5', $key[0], $conf['secret_key'])!=$key[1]
+      )
+  {
+    $comment_action='reject';
+  }
+  
   if ($comment_action!='reject' and $conf['anti-flood_time']>0 )
   { // anti-flood system
@@ -317 +353 @@
       or ($user['is_the_guest'] and $conf['comments_forall']))
   {
-    $template->assign_block_vars('comments.add_comment', array());
+    $key = time();
+    $key .= ':'.hash_hmac('md5', $key, $conf['secret_key']);
+    $template->assign_block_vars('comments.add_comment',
+        array(
+          'key' => $key
+        ));
     // display author field if the user is not logged in
     if ($user['is_the_guest'])

trunk/install/config.sql

@@ -24 +24 @@
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('login_history','true','keep a history of user logins on your website');
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('allow_user_registration','true','allow visitors to register?');
+INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('secret_key', MD5(RAND()), 'a secret key specific to the gallery for internal use');
 -- Notification by mail
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('nbm_send_mail_as','','Send mail as param value for notification by mail');

trunk/template/yoga/picture.tpl

@@ -191 +191 @@
       <label>{lang:upload_author}<input type="text" name="author"></label>
       <!-- END author_field -->
-      <label>{lang:comment}<textarea name="content" rows="10" cols="80"></textarea></label>
+      <label>{lang:comment}<textarea name="content" rows="5" cols="80"></textarea></label>
+      <input type="hidden" name="key" value="{comments.add_comment.key}" />
       <input type="submit" value="{lang:submit}">
     </fieldset>