feature 625: comment anti-spam - protect against some of the spam robots

git-svn-id: http://piwigo.org/svn/trunk@1737 68402e56-0260-453c-a942-63ccdbb3a9ee
Piwigo · Jan 19, 2007 · 96a0c2b · 96a0c2b
1 parent 6381378
commit 96a0c2b
Show file tree

Hide file tree

Showing 4 changed files with 98 additions and 4 deletions.
diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php
@@ -2,10 +2,10 @@
 // +-----------------------------------------------------------------------+
 // | PhpWebGallery - a PHP based picture gallery                           |
 // | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
-// | Copyright (C) 2003-2005 PhpWebGallery Team - http://phpwebgallery.net |
+// | Copyright (C) 2003-2007 PhpWebGallery Team - http://phpwebgallery.net |
 // +-----------------------------------------------------------------------+
 // | branch        : BSF (Best So Far)
-// | file          : $RCSfile$
+// | file          : $Id$
 // | last update   : $Date$
 // | last modifier : $Author$
 // | revision      : $Revision$
@@ -29,6 +29,33 @@
  * This file is included by the picture page to manage user comments
  *
  */
+
+if (!function_exists('hash_hmac'))
+{
+function hash_hmac($algo, $data, $key, $raw_output=false)
+{
+  /* md5 and sha1 only */
+  $algo=strtolower($algo);
+  $p=array('md5'=>'H32','sha1'=>'H40');
+  if ( !isset($p[$algo]) or !function_exists($algo) )
+  {
+    $algo = 'md5';
+  }
+  if(strlen($key)>64) $key=pack($p[$algo],$algo($key));
+  if(strlen($key)<64) $key=str_pad($key,64,chr(0));
+
+  $ipad=substr($key,0,64) ^ str_repeat(chr(0x36),64);
+  $opad=substr($key,0,64) ^ str_repeat(chr(0x5C),64);
+
+  $ret = $algo($opad.pack($p[$algo],$algo($ipad.$data)));
+  if ($raw_output)
+  {
+    $ret = pack('H*', $ret);
+  }
+  return $ret;
+}
+}
+
 //returns string action to perform on a new comment: validate, moderate, reject
 function user_comment_check($action, $comment, $picture)
 {
@@ -137,6 +164,15 @@ function user_comment_check($action, $comment, $picture)
     $comment_action='reject';
   }
 
+  $key = explode(':', @$_POST['key']);
+  if ( count($key)!=2
+        or $key[0]>time() or $key[0]<time()-1800 // 30 minutes expiration
+        or hash_hmac('md5', $key[0], $conf['secret_key'])!=$key[1]
+      )
+  {
+    $comment_action='reject';
+  }
+
   if ($comment_action!='reject' and $conf['anti-flood_time']>0 )
   { // anti-flood system
     $reference_date = time() - $conf['anti-flood_time'];
@@ -316,7 +352,12 @@ function user_comment_check($action, $comment, $picture)
   if (!$user['is_the_guest']
       or ($user['is_the_guest'] and $conf['comments_forall']))
   {
-    $template->assign_block_vars('comments.add_comment', array());
+    $key = time();
+    $key .= ':'.hash_hmac('md5', $key, $conf['secret_key']);
+    $template->assign_block_vars('comments.add_comment',
+        array(
+          'key' => $key
+        ));
     // display author field if the user is not logged in
     if ($user['is_the_guest'])
     {

diff --git a/install/config.sql b/install/config.sql
@@ -23,6 +23,7 @@ INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('history_admin','
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('history_guest','true','keep a history of guest visits on your website');
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('login_history','true','keep a history of user logins on your website');
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('allow_user_registration','true','allow visitors to register?');
+INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('secret_key', MD5(RAND()), 'a secret key specific to the gallery for internal use');
 -- Notification by mail
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('nbm_send_mail_as','','Send mail as param value for notification by mail');
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('nbm_send_detailed_content','true','Send detailed content for notification by mail');

diff --git a/install/db/43-database.php b/install/db/43-database.php
@@ -0,0 +1,51 @@
+<?php
+// +-----------------------------------------------------------------------+
+// | PhpWebGallery - a PHP based picture gallery                           |
+// | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
+// | Copyright (C) 2003-2005 PhpWebGallery Team - http://phpwebgallery.net |
+// +-----------------------------------------------------------------------+
+// | branch        : BSF (Best So Far)
+// | file          : $Id$
+// | last update   : $Date$
+// | last modifier : $Author$
+// | revision      : $Revision$
+// +-----------------------------------------------------------------------+
+// | This program is free software; you can redistribute it and/or modify  |
+// | it under the terms of the GNU General Public License as published by  |
+// | the Free Software Foundation                                          |
+// |                                                                       |
+// | This program is distributed in the hope that it will be useful, but   |
+// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
+// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
+// | General Public License for more details.                              |
+// |                                                                       |
+// | You should have received a copy of the GNU General Public License     |
+// | along with this program; if not, write to the Free Software           |
+// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
+// | USA.                                                                  |
+// +-----------------------------------------------------------------------+
+
+if (!defined('PHPWG_ROOT_PATH'))
+{
+  die('Hacking attempt!');
+}
+
+$upgrade_description = 'Insert secret_key into #config';
+
+include_once(PHPWG_ROOT_PATH.'include/constants.php');
+
+// +-----------------------------------------------------------------------+
+// |                            Upgrade content                            |
+// +-----------------------------------------------------------------------+
+
+$query = '
+INSERT INTO '.PREFIX_TABLE."config (param,value,comment) VALUES ('secret_key', MD5(RAND()), 'a secret key specific to the gallery for internal use');";
+pwg_query($query);
+
+echo
+"\n"
+. $upgrade_description
+."\n"
+;
+
+?>
diff --git a/template/yoga/picture.tpl b/template/yoga/picture.tpl
@@ -190,7 +190,8 @@
       <!-- BEGIN author_field -->
       <label>{lang:upload_author}<input type="text" name="author"></label>
       <!-- END author_field -->
-      <label>{lang:comment}<textarea name="content" rows="10" cols="80"></textarea></label>
+      <label>{lang:comment}<textarea name="content" rows="5" cols="80"></textarea></label>
+      <input type="hidden" name="key" value="{comments.add_comment.key}" />
       <input type="submit" value="{lang:submit}">
     </fieldset>
   </form>