danwin1210/le-chat-php
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Generate fixed postid for new messages to make spamming harder

Browse Source
This commit is contained in:
Daniel Winzen
2021-05-13 15:06:03 +02:00
parent f7fc91e2fb
commit 36b8446602
1 changed files with 17 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
chat.php
View File

@ -1790,7 +1790,7 @@ function send_post(string $rejected=''){
$_REQUEST['sendto']=''; $_REQUEST['sendto']='';
} }
echo '<table><tr><td>'.form('post'); echo '<table><tr><td>'.form('post');
echo hidden('postid', substr(time(), -6)); echo hidden('postid', $U['postid']);
if(isset($_POST['multi'])){ if(isset($_POST['multi'])){
echo hidden('multi', 'on'); echo hidden('multi', 'on');
} }
@ -2344,6 +2344,11 @@ function create_session(bool $setup, string $nickname, string $password){
send_error($I['wrongglobalpass']); send_error($I['wrongglobalpass']);
} }
} }
try {
$U[ 'postid' ] = bin2hex( random_bytes( 3 ) );
} catch(Exception $e) {
send_error($e->getMessage());
}
write_new_session($password); write_new_session($password);
} }
@ -2434,8 +2439,8 @@ function write_new_session(string $password){
}else{ }else{
$ip=''; $ip='';
} }
$stmt=$db->prepare('INSERT INTO ' . PREFIX . 'sessions (session, nickname, status, refresh, style, lastpost, passhash, useragent, bgcolour, entry, timestamps, embed, incognito, ip, nocache, tz, eninbox, sortupdown, hidechatters, nocache_old) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);'); $stmt=$db->prepare('INSERT INTO ' . PREFIX . 'sessions (session, nickname, status, refresh, style, lastpost, passhash, useragent, bgcolour, entry, timestamps, embed, incognito, ip, nocache, tz, eninbox, sortupdown, hidechatters, nocache_old, postid) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);');
$stmt->execute([$U['session'], $U['nickname'], $U['status'], $U['refresh'], $U['style'], $U['lastpost'], $U['passhash'], $useragent, $U['bgcolour'], $U['entry'], $U['timestamps'], $U['embed'], $U['incognito'], $ip, $U['nocache'], $U['tz'], $U['eninbox'], $U['sortupdown'], $U['hidechatters'], $U['nocache_old']]); $stmt->execute([$U['session'], $U['nickname'], $U['status'], $U['refresh'], $U['style'], $U['lastpost'], $U['passhash'], $useragent, $U['bgcolour'], $U['entry'], $U['timestamps'], $U['embed'], $U['incognito'], $ip, $U['nocache'], $U['tz'], $U['eninbox'], $U['sortupdown'], $U['hidechatters'], $U['nocache_old'], $U['postid']]);
$session = $U['session']; $session = $U['session'];
set_secure_cookie(COOKIENAME, $U['session']); set_secure_cookie(COOKIENAME, $U['session']);
if($U['status']>=3 && !$U['incognito']){ if($U['status']>=3 && !$U['incognito']){
@ -3017,9 +3022,7 @@ function validate_input() : string {
if(!isset($_POST['postid'])){ // auto-kick spammers not setting a postid if(!isset($_POST['postid'])){ // auto-kick spammers not setting a postid
kick_chatter([$U['nickname']], '', false); kick_chatter([$U['nickname']], '', false);
} }
if($U['postid']===$_POST['postid']){ // ignore double post=reload from browser or proxy if($U['postid'] !== $_POST['postid'] || (time() - $U['lastpost']) <= 1){ // reject bogus messages
$message='';
}elseif((time()-$U['lastpost'])<=1){ // time between posts too short, reject!
$rejected=$_POST['message']; $rejected=$_POST['message'];
$message=''; $message='';
} }
@ -3052,6 +3055,8 @@ function validate_input() : string {
}elseif($_POST['sendto']==='s _' && $U['status']>=6){ }elseif($_POST['sendto']==='s _' && $U['status']>=6){
$poststatus=6; $poststatus=6;
$displaysend=sprintf(get_setting('msgsendadm'), style_this(htmlspecialchars($U['nickname']), $U['style'])); $displaysend=sprintf(get_setting('msgsendadm'), style_this(htmlspecialchars($U['nickname']), $U['style']));
}elseif($_POST['sendto'] === $U['nickname']){ // message to yourself?
return '';
}else{ // known nick in room? }else{ // known nick in room?
if(get_setting('disablepm')){ if(get_setting('disablepm')){
//PMs disabled //PMs disabled
@ -3094,8 +3099,13 @@ function validate_input() : string {
} }
if(add_message($message, $recipient, $U['nickname'], (int) $U['status'], $poststatus, $displaysend, $U['style'])){ if(add_message($message, $recipient, $U['nickname'], (int) $U['status'], $poststatus, $displaysend, $U['style'])){
$U['lastpost']=time(); $U['lastpost']=time();
try {
$U[ 'postid' ] = bin2hex( random_bytes( 3 ) );
} catch(Exception $e) {
$U['postid'] = substr(time(), -6);
}
$stmt=$db->prepare('UPDATE ' . PREFIX . 'sessions SET lastpost=?, postid=? WHERE session=?;'); $stmt=$db->prepare('UPDATE ' . PREFIX . 'sessions SET lastpost=?, postid=? WHERE session=?;');
$stmt->execute([$U['lastpost'], $_POST['postid'], $U['session']]); $stmt->execute([$U['lastpost'], $U['postid'], $U['session']]);
$stmt=$db->prepare('SELECT id FROM ' . PREFIX . 'messages WHERE poster=? ORDER BY id DESC LIMIT 1;'); $stmt=$db->prepare('SELECT id FROM ' . PREFIX . 'messages WHERE poster=? ORDER BY id DESC LIMIT 1;');
$stmt->execute([$U['nickname']]); $stmt->execute([$U['nickname']]);
$id=$stmt->fetch(PDO::FETCH_NUM); $id=$stmt->fetch(PDO::FETCH_NUM);