diff --git a/cms/comment_process.php b/cms/comment_process.php index 446eb81..bf270e5 100755 --- a/cms/comment_process.php +++ b/cms/comment_process.php @@ -1,9 +1,12 @@ $v) { @@ -11,15 +14,15 @@ foreach($_GET as $k => $v) { } if ( $num_get_args !== 2 ){ # they are trying to GET on a POST request - naughty("638709cc1d7f107c024eb2a663675e8c"); + naughty("638709cc1d7f107c024eb2a663675e8c num_get_args $num_get_args"); } if ( empty($_GET["key"]) or empty($_GET["action"]) ) { - naughty("991ce46448d64b90bc8a837b58b7ad20"); + naughty("991ce46448d64b90bc8a837b58b7ad20 missing key"); } if ( empty($_GET["key"]) or strlen($_GET["key"]) !== 45 ) { - naughty("c9e5ea8d870dda8db08bc570cbed7f84"); + naughty("c9e5ea8d870dda8db08bc570cbed7f84 wrong key length"); } if ( !empty($_GET["key"]) and @@ -31,11 +34,11 @@ if ( !empty($_GET["key"]) and $key = htmlspecialchars( stripslashes( strip_tags( $_GET['key'] ) ) ); } else { - naughty("868d9cc49b2f1e4a9319a8e8755d6189"); + naughty("868d9cc49b2f1e4a9319a8e8755d6189 wrong key type"); } if ( !in_array($_GET["action"], array('approve','delete','block'), true ) ) { - naughty("c0ca62c918f9bb0ab72da0cdf2f2e8df "); + naughty("c0ca62c918f9bb0ab72da0cdf2f2e8df wrong action"); } else { $action = $_GET["action"]; @@ -45,12 +48,12 @@ $comment_directory = "/home/hpr/comments"; if ( ! file_exists( $comment_directory ) ) { # Looks like the comments directory has not been created - naughty("0fdffa1dbe94e0730cef457be93ebf40"); + naughty("0fdffa1dbe94e0730cef457be93ebf40 cant find comment directory"); } $files = glob( "${comment_directory}/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z_*_${key}.json" ); if (count($files) === 0) { - naughty("3efef2971727905064855d7866cb0059"); + naughty("3efef2971727905064855d7866cb0059 cant find comment file - has the comment already been processed ?"); } else { $file = $files[0]; 
@@ -59,7 +62,7 @@ else { list($begin, $file_ip, $end) = explode('_', $file); if ( ! filter_var($file_ip, FILTER_VALIDATE_IP) ) { - naughty("70ebe39c92b393c288e41a4d3128b5da"); + naughty("70ebe39c92b393c288e41a4d3128b5da not a valid file format"); } if ( $action === 'block' ) { @@ -76,96 +79,187 @@ if ( $action === 'delete' ) { } if ( $action === 'approve' ) { - $comment = file_get_contents("$file"); -$json = json_decode($comment, true); -echo '
' . print_r($json, true) . '
'; + $json = json_decode($comment, true); - // check json + if ( empty($json["comment_author_name"]) or strlen($json["comment_author_name"]) > 40 ) { + naughty("15f377e657196bb8192ec11755b0ca75 empty comment_author_name"); + } + $comment_author_name = $json["comment_author_name"]; - if ( empty($json["eps_id"]) ) { - naughty("6740e9b34590fe5b8f1829aeb5da099d"); + if ( empty($json["comment_title"]) or strlen($json["comment_title"]) > 100) { + naughty("ce604e6bf3c1e0aa0ec7ab78ae07e6cb empty comment_title"); } + $comment_title = $json["comment_title"]; - if ( empty($json["comment_timestamp"]) ) { - naughty("4850b4b0006a60d86bafee8a8592b3f8"); + if ( empty($json["comment_text"]) or strlen($json["comment_text"]) > 2000 ) { + naughty("d4101542e2d0264c0cdb8ac4bdf6bf09 empty comment_text"); } + $comment_text = $json["comment_text"]; - if ( empty($json["comment_author_name"]) ) { - naughty("15f377e657196bb8192ec11755b0ca75"); + if ( empty($json["justification"]) or strlen($json["justification"]) > 200 or strlen($json["justification"]) < 20 ) { + naughty("f87785f8eda5d75de8cb08c386c66c56 empty justification"); } + $justification = $json["justification"]; - if ( empty($json["comment_title"]) ) { - naughty("ce604e6bf3c1e0aa0ec7ab78ae07e6cb"); - } - - if ( empty($json["comment_text"]) ) { - naughty("d4101542e2d0264c0cdb8ac4bdf6bf09"); - } - if ( empty($json["justification"]) ) { - naughty("f87785f8eda5d75de8cb08c386c66c56"); - } if ( empty($json["key"]) ) { - naughty("f87785f8eda5d75de8cb08c386c66c56"); + naughty("f87785f8eda5d75de8cb08c386c66c56 empty key"); + } + + if ( $key !== $json["key"] ) { + naughty("9d7f5e1a7a075a925ed1231decc16965 provided key is not matching json key"); } - // check ip - + // check ip // + // if ( empty($json["ip"]) ) { - naughty("025622ea15552a7b8a3ae71405cf1fbf"); + naughty("025622ea15552a7b8a3ae71405cf1fbf empty ip"); } $ip = $json["ip"]; if ( ! 
filter_var($ip, FILTER_VALIDATE_IP)) { - naughty("571f2d51046da9c923e01ae8bbfc037e"); + naughty("571f2d51046da9c923e01ae8bbfc037e not an IP"); } - // check ep_num - + // check ep_num // + // + if ( empty($json["eps_id"]) ) { + naughty("6740e9b34590fe5b8f1829aeb5da099d empty eps_id"); + } $ep_num = $json["eps_id"]; - + if ( intval($ep_num) === 0 ) { - $x = intval($ep_num); - naughty("fdae5c63eb5608820b13c9d096166c84"); + naughty("fdae5c63eb5608820b13c9d096166c84 ep_num not int"); } else { $ep_num = intval($ep_num); } if ( ( $ep_num <= 0 ) OR ( $ep_num >= 9999) ) { - naughty("eb90a1a69fd531d5c649e3f5367bd570"); + naughty("eb90a1a69fd531d5c649e3f5367bd570 ep_num outside range"); } - - $show_array = array (); - + $ep_retrieve = "SELECT id FROM eps WHERE id=$ep_num;"; - if ($result = mysqli_query($connection, $ep_retrieve)) { if ( ! $result->fetch_assoc()) { - naughty("b9ac28c5c661d7ed1c4c009de0279e07"); + naughty("b9ac28c5c661d7ed1c4c009de0279e07 ep_num not a real show"); } } - // date + // date // + // + if ( empty($json["comment_timestamp"]) ) { + naughty("bdc8352b3cc66626c3cb9e24b197eea6 empty comment_timestamp"); + } + $comment_timestamp = $json["comment_timestamp"]; + + // 2023-12-23T12:21:29Z + if ( !preg_match("/\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$/", $comment_timestamp) ) { + naughty("ad7f805c2f42be77122ec52f114fe318 comment_timestamp not matching regex"); + } + + if ( strtotime($comment_timestamp) === false ) { + naughty("fa8cfb5266783bfb4dc06120bfdf5675 comment_timestamp not a date"); + } -$date = '2011-10-02T23:25:42Z'; -var_dump(validateDate($date)); - - + $comment_timestamp_epoch = strtotime($comment_timestamp); + $a_week_ago = strtotime(date("Y-m-d H:i:s", time()) . 
" -1 week" ); + +// if ( $comment_timestamp_epoch <= $a_week_ago ) { +// naughty("f3fae30aec607f499108db240ec28456 comment_timestamp older than a week"); +// } + + $date = new DateTime( $comment_timestamp ); + $comment_timestamp_db = $date->format('Y-m-d H:i:s'); + + // anti spam + + if (file_exists($naughty_stings_file)) { + $comment = strtolower( "$comment_author_name, $comment_text, $comment_title, $justification" ); + $naughty_words = file("$naughty_stings_file", FILE_SKIP_EMPTY_LINES|FILE_IGNORE_NEW_LINES); + foreach ( $naughty_words as $naughty_word) { + if ( strpos( $comment, strtolower( $naughty_word ) ) !== false ) { + naughty("b5fd199bfeb4c1bbd4923b4af5415ce3 fails banned wordcheck \"$naughty_word\""); + } + } + } // OK I believe you + + if ( strcmp($justification, "No justification is asked for or required.") !== 0 ) { + file_put_contents($justification_file, "$justification\n", FILE_APPEND | LOCK_EX ); + } + + $ep_retrieve = "SELECT id FROM comments WHERE comment_timestamp='$comment_timestamp' AND comment_author_name='$comment_author_name'"; + + if ($result = mysqli_query($connection, $ep_retrieve)) { + if ( $result->fetch_assoc()) { + naughty("9422f4e06ded59e4e7c2e426e62ffa5e comment already in database. 
comment_timestamp='$comment_timestamp_db' and comment_author_name='$comment_author_name'"); + } + } + + $query_add = "INSERT INTO comments (eps_id,comment_timestamp,comment_author_name,comment_title,comment_text) VALUES ( '{$ep_num}', '{$comment_timestamp_db}', '{$comment_author_name}', '{$comment_title}', '{$comment_text}')"; - // INSERT INTO comments (eps_id,comment_timestamp,comment_author_name,comment_title,comment_text), VALUES ( $ep_num, $comment_timestamp, $comment_author_name, $comment_title, $comment_text); - // unlink( "${file}" );*/ + $result = mysqli_query($connection, $query_add ); + if(!$result) { + problem("ERROR: DB problem - The comment was not added to the db."); + } + if (mysqli_errno( $connection )) { + $error = "MySQL error ".mysqli_errno( $connection ).": ".mysqli_error()."\n"; + problem("ERROR: MySQL error- The comment was not added to the db.\n$error"); + } + + $query = "SELECT * FROM comments WHERE comment_timestamp='$comment_timestamp_db' AND comment_author_name='$comment_author_name'"; + $result = @mysqli_query($connection, $query); + $db = mysqli_fetch_array($result, MYSQLI_ASSOC); + + if ( empty($db["id"]) ) { + naughty("1caead2716fb4e793b11f978eddd7559 could not find the id of the entry. comment_timestamp='$comment_timestamp_db' and comment_author_name='$comment_author_name'"); + } http_response_code(200); + header('Content-Type: application/json; charset=utf-8'); + echo json_encode($db); + unlink( "${file}" ); exit; } // exit; - http_response_code(500); ?> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/hub/comment_confirm.php b/hub/comment_confirm.php index 66dd656..e60e408 100644 --- a/hub/comment_confirm.php +++ b/hub/comment_confirm.php 
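Review bot: The duplicate-check SELECT and the INSERT in the approve branch interpolate `$comment_author_name`, `$comment_title`, `$comment_text` and the timestamp directly into SQL; these values come out of the stored JSON that comment_confirm.php writes from POST data after only length and banned-word checks, so any quote character in them breaks or alters the statement — they should be bound with `mysqli_prepare`/`mysqli_stmt_bind_param` as sketched below (`mysqli_stmt_get_result` needs mysqlnd; otherwise use `mysqli_stmt_bind_result`). The duplicate check compares `comment_timestamp='$comment_timestamp'`, the raw `...Z` string, whereas the INSERT and the final lookup use `$comment_timestamp_db` in `Y-m-d H:i:s` form, so as written it cannot match a stored row and the guard is ineffective. In the error branch `mysqli_error()` is called without the connection argument, which raises an ArgumentCountError on PHP 8 and hides the real database error. `$comment` is still passed to `json_decode`, but its `file_get_contents("$file")` assignment is removed in this hunk; unless it is assigned in the unchanged lines between the `@@ -59,7` hunk and this one, `$json` is always null and every approval ends in `naughty(...)`. The new `unlink( "${file}" )` uses the `${var}` interpolation form that PHP 8.2 deprecates; `unlink($file)` is the plain equivalent.
```php
    // … unchanged: JSON field checks, eps_id lookup, timestamp parsing, anti-spam and justification log …
    $dup = mysqli_prepare($connection, "SELECT id FROM comments WHERE comment_timestamp=? AND comment_author_name=?");
    mysqli_stmt_bind_param($dup, "ss", $comment_timestamp_db, $comment_author_name);
    mysqli_stmt_execute($dup);
    $dup_result = mysqli_stmt_get_result($dup);
    if ( $dup_result && $dup_result->fetch_assoc() ) {
        naughty("9422f4e06ded59e4e7c2e426e62ffa5e comment already in database. comment_timestamp='$comment_timestamp_db' and comment_author_name='$comment_author_name'");
    }

    $ins = mysqli_prepare($connection, "INSERT INTO comments (eps_id,comment_timestamp,comment_author_name,comment_title,comment_text) VALUES (?,?,?,?,?)");
    mysqli_stmt_bind_param($ins, "issss", $ep_num, $comment_timestamp_db, $comment_author_name, $comment_title, $comment_text);
    if ( ! mysqli_stmt_execute($ins) ) {
        problem("ERROR: MySQL error- The comment was not added to the db.\n" . mysqli_stmt_error($ins));
    }

    // read the new row back by its id instead of a second string-built, @-suppressed SELECT
    $new_id = mysqli_insert_id($connection);
    $sel = mysqli_prepare($connection, "SELECT * FROM comments WHERE id=?");
    mysqli_stmt_bind_param($sel, "i", $new_id);
    mysqli_stmt_execute($sel);
    $sel_result = mysqli_stmt_get_result($sel);
    $db = $sel_result ? $sel_result->fetch_assoc() : null;
    // … unchanged: empty($db["id"]) check, response headers, json_encode($db), unlink($file), exit …
```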
@@ -63,18 +63,39 @@ if ( empty($_POST["comment_author_name"]) or strlen($_POST["comment_author_name" $comment_author_name = $_POST["comment_author_name"]; $comment_author_name_json = json_encode( $_POST["comment_author_name"] ); +if ( $comment_author_name === preg_replace('/[^a-zA-Z0-9_ ]/', '', $comment_author_name) ) { + $comment_author_name_ascii = "ASCII"; +} +else { + $comment_author_name_ascii = "EXTENDED"; +} + if ( empty($_POST["comment_title"]) or strlen($_POST["comment_title"]) > 100 ) { naughty("a89efb428cfe36996a65b371d5f4e303"); } $comment_title = $_POST["comment_title"]; $comment_title_json = json_encode( $_POST["comment_title"] ); +if ( $comment_title === preg_replace('/[^a-zA-Z0-9_ ]/', '', $comment_title) ) { + $comment_title_ascii = "ASCII"; +} +else { + $comment_title_ascii = "EXTENDED"; +} + if ( empty($_POST["comment_text"]) or strlen($_POST["comment_text"]) > 2000 or strpos(strtolower($_POST["comment_text"]), "outlook.con") !== false ) { naughty("cd57ab4d7b77a131ed3deb441bd93dcd"); } $comment_text = $_POST["comment_text"]; $comment_text_json = json_encode( $_POST["comment_text"] ); +if ( $comment_text === preg_replace('/[^a-zA-Z0-9_ ]/', '', $comment_text) ) { + $comment_text_ascii = "ASCII"; +} +else { + $comment_text_ascii = "EXTENDED"; +} + if ( empty($_POST["spammer"]) or strcmp($_POST["spammer"], "No") !== 0 ) { naughty("b2ec68bd04cee0f64143ce4827a97e7c"); } @@ -172,7 +193,12 @@ else { } } - +if ( $justification === preg_replace('/[^a-zA-Z0-9_ ]/', '', $justification) ) { + $justification_ascii = "ASCII"; +} +else { + $justification_ascii = "EXTENDED"; +} if ( empty($_SERVER["REMOTE_ADDR"]) ) { naughty("611144d4c0d575fffbf8f3ef11f8ad68"); @@ -212,6 +238,9 @@ if ( filesize( $comment_file ) > 4000 ) { naughty("56e00e793a27168511d1cfda11d3bc55"); } +$user_agent = preg_replace('/ \(/', "\n", $_SERVER["HTTP_USER_AGENT"] ); +$user_agent = preg_replace('/\) /', "\n", $user_agent ); + // Mail the comment use PHPMailer\PHPMailer\PHPMailer; 
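Review bot: The ASCII/EXTENDED classification is the same five-line `if/else` around `preg_replace('/[^a-zA-Z0-9_ ]/', '', ...)` repeated for `comment_author_name`, `comment_title` and `comment_text` in this hunk and for `justification` in the `@@ -172,7` hunk; one helper, `function asciiLabel(string $s): string { return $s === preg_replace('/[^a-zA-Z0-9_ ]/', '', $s) ? 'ASCII' : 'EXTENDED'; }`, called as `$comment_title_ascii = asciiLabel($comment_title);`, keeps the four sites identical. The label is informational for the notification mail and rejects nothing, so a comment at the first site, `// informational only: tells the moderator whether the field is plain ASCII, not a filter`, would stop a reader taking it for validation. `preg_replace` returns null on a PCRE error, in which case the comparison fails and the field is labelled EXTENDED; acceptable for a label, but worth knowing.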
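Review bot: `$_SERVER["HTTP_USER_AGENT"]` is read without a guard at the new `$user_agent` line in the `@@ -212,6` hunk; a request without a User-Agent header leaves the index unset, which is a warning on PHP 8, and hands null to `preg_replace`, deprecated since 8.1, so `$_SERVER["HTTP_USER_AGENT"] ?? ''` is the safer read. The value is client-controlled; it only lands in the mail body below, which is fine, but a comment such as `// client-supplied UA, reformatted for readability in the mail body only` would record that the inserted newlines are cosmetic and that the string must stay out of mail headers.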
@@ -230,6 +259,7 @@ $mailer->Host = "$mailerHost"; $mailer->SMTPAuth = true; $mailer->SMTPSecure = "ssl"; $mailer->Port = "465"; +$mailer->CharSet = 'UTF-8'; $mailer->Username = "$mailerUsername"; $mailer->Password = "$mailerPassword"; @@ -260,26 +290,31 @@ There are now " . ++$unprocessed_comments . " unprocessed comments. Thanks,
HPR Bot

-
" . date('Y-m-d\TH:i:s') . "\t" . getUserIP() . "\t" . $key . "\t" . $_SERVER["HTTP_USER_AGENT"] . "
+
+$timestamp
+$ip
+$key
+$user_agent
+

-eps_id: $eps_id,
-ip: $ip,
-key: $key
-justification: $justification,
-comment_timestamp: $timestamp,
-comment_author_name: $comment_author_name,
-comment_title: $comment_title,
-comment_text: -

+Comment on eps_id: $eps_id,
+
+comment_author_name ($comment_author_name_ascii): $comment_author_name,
+comment_title ($comment_title_ascii): $comment_title,
+comment_text ($comment_text_ascii):
 $comment_text
 
-
-comment_text_json: +justification ($justification_ascii):
-$comment_text_json
+$justification
 
+

+
+comment_title_json: $comment_title_json,
+comment_text_json: $comment_text_json,
+justification_json: $justification_json,

" ); $mailer->AltBody = "hpr${eps_id} on ${ep_date} by ${host} with the title ${title} \"${summary}\"

@@ -290,7 +325,11 @@ There are now ${unprocessed_comments} unprocessed comments. Thanks, HPR Bot -" . date('Y-m-d\TH:i:s') . "\t" . getUserIP() . "\t" . $key . "\t" . $_SERVER["HTTP_USER_AGENT"] . "\n"; +$timestamp +$ip +$key +$user_agent +"; $mailer->addAttachment($comment_file, "${key}.json", "base64", "application/json"); //send the message, check for errors @@ -320,7 +359,7 @@ include 'header.html';
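Review bot: `$justification_json` is interpolated into the new mail body in the `@@ -260,26` hunk but nothing in this diff assigns it — the `@@ -63,18` hunk defines `$comment_author_name_json`, `$comment_title_json` and `$comment_text_json` only — so unless it is set in lines outside the hunks it prints empty with an undefined-variable warning. The same question applies to `$timestamp` and `$ip`, which both that hunk and this AltBody hunk now use in place of `date(...)` and `getUserIP()`; if they are the values already written into the JSON file that is consistent, but the switch also drops the `REQUEST_URI` that `getUserIP()` appends (see ini/include.php below). Since these are body fields, the client-controlled `$user_agent` is not a header-injection vector here; a comment above the block, `// audit trail for the moderator: request time, client IP, key, UA (mail body only, never headers)`, would make that intent explicit.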

 		
-		
+		
 		
diff --git a/ini/credentials.php b/ini/credentials.php index 39efd9d..d5de31c 100644 --- a/ini/credentials.php +++ b/ini/credentials.php @@ -13,4 +13,10 @@ $mailerPassword = 'THE_SMTP_MAIL_PASSWORD_HERE'; $hubBaseurl = "https://hub.hackerpublicradio.org/"; $baseurl = "https://hackerpublicradio.org/"; + +$naughtyfile = '/path/to/naughty.txt'; +$naughty_stings_file = '/path/to/strings.txt'; +$justification_file = '/path/to/justification.txt'; +# Read more: http://vidiame.com/php/how-to-block-multiple-ip-addresses-using-php + ?> diff --git a/ini/include.php b/ini/include.php index f13b09b..6198fa0 100644 --- a/ini/include.php +++ b/ini/include.php @@ -287,8 +287,6 @@ function getUserIP() } return $ip . "\t" . $_SERVER['REQUEST_URI'] . "\t" . $_SERVER["HTTP_USER_AGENT"] . "\n"; } -$naughtyfile = '/home/hpr/logs/naughty-ip.txt'; -# Read more: http://vidiame.com/php/how-to-block-multiple-ip-addresses-using-php if ( strlen($_SERVER['QUERY_STRING']) > 15 ) { file_put_contents($naughtyfile, getUserIP(), FILE_APPEND | LOCK_EX );
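Review bot: `$naughtyfile` moves from ini/include.php into ini/credentials.php, but include.php still writes to it at `file_put_contents($naughtyfile, getUserIP(), ...)`; that call now works only if credentials.php is loaded before include.php on every entry point, otherwise `$naughtyfile` is undefined and the blocklist logging silently stops. Worth stating the dependency where the variables are consumed, e.g. `# $naughtyfile, $naughty_stings_file and $justification_file are defined in ini/credentials.php, which must be included first`. The name `$naughty_stings_file` reads like a typo for "strings"; it is used consistently in cms/comment_process.php, so a rename has to touch both files. The three new values are `/path/to/...` placeholders alongside the SMTP password placeholder, which suggests this file is a template; the deployed copy with real paths and credentials should stay outside the web root and out of version control.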