From de988ed8f8808cf0d85bc3b8fdb3082b3b110d5c Mon Sep 17 00:00:00 2001 From: Gernot Date: Tue, 18 Dec 2012 17:43:05 +0000 Subject: [PATCH 1/3] replaced custom function get_post_field with standard PHP function filter_input removed blacklisting approach for filtering spam in favor of plausibility checks and warnings --- php/commentsubmit.php | 69 ++++++++++++++++++++++++++++--------------- 1 file changed, 46 insertions(+), 23 deletions(-) diff --git a/php/commentsubmit.php b/php/commentsubmit.php index b1f66f6..6df0704 100644 --- a/php/commentsubmit.php +++ b/php/commentsubmit.php @@ -35,7 +35,7 @@ // The contents of the following file (relative to this PHP file) will be // displayed if the comment contains spam. Customise it to your heart's // content. -$COMMENT_CONTAINS_SPAM = "comment_contains_spam.html"; +//$COMMENT_CONTAINS_SPAM = "comment_contains_spam.html"; // If the emails arrive in your client "garbled", you may need to change this // line to "\n" instead. @@ -47,12 +47,6 @@ ****************************************************************************/ require_once 'mail.php'; -require_once 'spamfilter.php'; - -function get_post_field($key, $defaultValue = "") -{ - return (isset($_POST[$key]) && !empty($_POST[$key])) ? $_POST[$key] : $defaultValue; -} function get_post_data_as_yaml() { 
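Review bot: The three comment lines directly above the changed line still promise that the file named by $COMMENT_CONTAINS_SPAM "will be displayed if the comment contains spam", but once the assignment is commented out nothing in this patch reads that variable any more (the `include $COMMENT_CONTAINS_SPAM` is removed further down), so the documentation now describes a feature the commit takes away. Either delete the dead assignment together with its comment block, or replace them with a note that states the new behaviour, e.g. `// Spam is no longer blocked here; suspicious name/email/URL fields are reported as warnings inside the notification mail instead (see get_warnings_for()).` A commented-out config line invites the next maintainer to re-enable it and then wonder why it has no effect.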
@@ -75,32 +69,61 @@ function get_post_data_as_yaml()
 return $yaml_data;
 }
-$COMMENTER_NAME = get_post_field('name', "Anonymous");
-$COMMENTER_EMAIL_ADDRESS = get_post_field('email', $EMAIL_ADDRESS);
-$COMMENTER_WEBSITE = get_post_field('link');
-$COMMENT_BODY = get_post_field('comment', "");
-$COMMENT_DATE = date($DATE_FORMAT);
-
-$POST_TITLE = get_post_field('post_title', "Unknown post");
-$POST_ID = get_post_field('post_id', "");
-unset($_POST['post_id']);
-
-
-$SPAM = spam_check_text($COMMENT_BODY);
-if (!empty($SPAM))
+function get_warnings_for($name, $email, $url)
 {
- include $COMMENT_CONTAINS_SPAM;
- die();
+ $warnings = '';
+
+ // http://php.net/manual/en/filter.filters.validate.php
+ $name_is_a_url = filter_var($name, FILTER_VALIDATE_URL);
+ $name_is_an_email_address = filter_var($name, FILTER_VALIDATE_EMAIL);
+ $email_is_invalid = !filter_var($email, FILTER_VALIDATE_EMAIL);
+ $url_is_invalid = !filter_var($url, FILTER_VALIDATE_URL);
+
+ if (!$email_is_invalid) {
+ // TODO only retrieve $domain
+ list($user, $domain) = explode('@', $email, 2);
+ $email_a_record_invalid = !checkdnsrr($domain, 'A');
+ $mx_record_erroneous = !checkdnsrr($domain, 'MX');
+ }
+
+ if (!$url_is_invalid) {
+ list($protocol, $domain) = explode('/', str_replace('//', '/', $url), 2);
+ $url_a_record_invalid = !checkdnsrr($domain, 'A');
+ }
+
+ $name_is_a_url ? $warnings .= "* Name is a URL.\n" : '';
+ $name_is_an_email_address ? $warnings .= "* Name is an email address.\n" : '';
+ $email_is_invalid ? $warnings .= "* Email address is invalid.\n" : '';
+ $email_a_record_invalid ? $warnings .= "* Domain A record of email is invalid.\n" : '';
+ $mx_record_erroneous ? $warnings .= "* Domain MX record of email is invalid\n" : '';
+ $url_is_invalid ? $warnings .= "* Website URL is invalid.\n" : '';
+ $url_a_record_invalid ? $warnings .= "* Domain A record of website URL is invalid.\n" : '';
+
+ // This is of minor elegance and error prone, I know.
+ $warnings_count = substr_count($warnings, "\n");
+ return strlen($warnings) > 0 ? "\n$warnings_count WARNINGS:\n$warnings" : '';
 }
+$COMMENT_DATE = date($DATE_FORMAT);
-$subject = "Comment from $COMMENTER_NAME on '$POST_TITLE'";
+$COMMENTER_NAME = filter_input(INPUT_POST, 'name');
+$COMMENTER_EMAIL_ADDRESS = filter_input(INPUT_POST, 'email');
+$COMMENTER_WEBSITE = filter_input(INPUT_POST, 'link');
+$COMMENT_BODY = filter_input(INPUT_POST, 'comment');
+
+$POST_TITLE = filter_input(INPUT_POST, 'post_title');
+$POST_ID = filter_input(INPUT_POST, 'post_id');
+unset($_POST['post_id']);
+
+$subject = "$COMMENTER_NAME on '$POST_TITLE'";
 $message = "$COMMENT_BODY\n\n";
 $message .= "----------------------\n";
 $message .= "$COMMENTER_NAME\n";
 $message .= "$COMMENTER_WEBSITE\n";
+$message .= get_warnings_for($COMMENTER_NAME, $COMMENTER_EMAIL_ADDRESS, $COMMENTER_WEBSITE);
+
 $mail = new Mail($subject, $message);
 $mail->set_from($EMAIL_ADDRESS, $COMMENTER_NAME);
 $mail->set_reply_to($COMMENTER_EMAIL_ADDRESS, $COMMENTER_NAME);
From 98c8759606e7d422e9a20951913534d697a5ffd9 Mon Sep 17 00:00:00 2001 From: Gernot Date: Wed, 19 Dec 2012 20:51:54 +0000 Subject: [PATCH 2/3] corrected an error in regards to checking the A record of the url and improved output of get_warnings_for()
---
 php/commentsubmit.php | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/php/commentsubmit.php b/php/commentsubmit.php
index 6df0704..bf831f3 100644
--- a/php/commentsubmit.php
+++ b/php/commentsubmit.php
@@ -25,7 +25,7 @@
 // the From: address. Whilst you could, in theory, change this to take the
 // address out of the form, it's *incredibly* highly recommended you don't,
 // because that turns you into an open relay, and that's not cool.
-$EMAIL_ADDRESS = "blogger@example.com";
+$EMAIL_ADDRESS = "root";
 // The contents of the following file (relative to this PHP file) will be
 // displayed after the comment is received. Customise it to your heart's
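Review bot: `filter_input(INPUT_POST, 'name')` with no filter argument applies FILTER_DEFAULT, which sanitises nothing, so $COMMENTER_NAME, $COMMENTER_EMAIL_ADDRESS and $POST_TITLE are now the raw POST strings (null when the field is absent) and the previous fallbacks "Anonymous", $EMAIL_ADDRESS and "Unknown post" are gone. Those values are interpolated into $subject and handed to set_from()/set_reply_to() as header display names and addresses; unless the Mail class strips CR/LF itself (not visible in this hunk) a name containing a line break can inject extra headers, and an omitted email field passes null to set_reply_to(). Strip line breaks from every header-bound field and restore the defaults; the comment body only goes into the message text and can stay as it is. The statement run continues past the hunk (the send call is not shown), so whatever it adds to the headers needs the same treatment.
```php
// filter_input() with no filter is FILTER_DEFAULT: it returns the raw POST
// value (or null when the field is absent). Anything interpolated into a
// mail header must have CR/LF removed first, and the old defaults are
// restored so a missing field does not yield an empty name or Reply-To.
function post_header_field($key, $default = '')
{
    $value = (string) filter_input(INPUT_POST, $key);
    $value = trim(str_replace(array("\r", "\n"), '', $value));
    return $value === '' ? $default : $value;
}

$COMMENTER_NAME = post_header_field('name', 'Anonymous');
$COMMENTER_EMAIL_ADDRESS = post_header_field('email', $EMAIL_ADDRESS);
$COMMENTER_WEBSITE = post_header_field('link');
$COMMENT_BODY = filter_input(INPUT_POST, 'comment');
$POST_TITLE = post_header_field('post_title', 'Unknown post');
// … unchanged: $POST_ID, unset($_POST['post_id']), $subject/$message assembly, Mail setup …
```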
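Review bot: `$EMAIL_ADDRESS = "root";` replaces the documented placeholder with what looks like a local account name rather than an address, and the comment immediately above says this value becomes the From: header of every notification. A bare local-part is left to the delivering MTA to rewrite or reject, so the result now depends on the host the script happens to run on. If this is a personal deployment setting it should not be committed as the tracked default; keep `blogger@example.com` (or any full address) in the file and override it locally.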
@@ -39,7 +39,7 @@
 // If the emails arrive in your client "garbled", you may need to change this
 // line to "\n" instead.
-$HEADER_LINE_ENDING = "\r\n";
+$HEADER_LINE_ENDING = "\n";
 /****************************************************************************
@@ -69,6 +69,7 @@ function get_post_data_as_yaml()
 return $yaml_data;
 }
+/* NOTE the checkdnsrr function seems to be unreliable */
 function get_warnings_for($name, $email, $url)
 {
 $warnings = '';
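Review bot: The added comment `/* NOTE the checkdnsrr function seems to be unreliable */` records a suspicion without saying what was observed or what the reader should do about it, so it cannot be acted on or ever removed with confidence. State the consequence for the code it annotates, e.g. `/* NOTE: checkdnsrr() depends on the host resolver and can time out or fail transiently, so the DNS-based warnings below are advisory only; a false warning never blocks the comment. */` If that flakiness is the reason the DNS results only produce warnings rather than rejecting the submission, say so as well. get_warnings_for()'s body continues past this hunk.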
@@ -78,30 +79,33 @@ function get_warnings_for($name, $email, $url)
 $name_is_an_email_address = filter_var($name, FILTER_VALIDATE_EMAIL);
 $email_is_invalid = !filter_var($email, FILTER_VALIDATE_EMAIL);
 $url_is_invalid = !filter_var($url, FILTER_VALIDATE_URL);
+ $url_a_record_invalid = false;
+ $email_a_record_invalid = false;
+ $email_mx_record_invalid = false;
 if (!$email_is_invalid) {
 // TODO only retrieve $domain
 list($user, $domain) = explode('@', $email, 2);
 $email_a_record_invalid = !checkdnsrr($domain, 'A');
- $mx_record_erroneous = !checkdnsrr($domain, 'MX');
+ $email_mx_record_invalid = !checkdnsrr($domain, 'MX');
 }
 if (!$url_is_invalid) {
- list($protocol, $domain) = explode('/', str_replace('//', '/', $url), 2);
+ list($protocol, $domain) = explode('/', str_replace('//', '/', $url));
 $url_a_record_invalid = !checkdnsrr($domain, 'A');
 }
- $name_is_a_url ? $warnings .= "* Name is a URL.\n" : '';
- $name_is_an_email_address ? $warnings .= "* Name is an email address.\n" : '';
- $email_is_invalid ? $warnings .= "* Email address is invalid.\n" : '';
- $email_a_record_invalid ? $warnings .= "* Domain A record of email is invalid.\n" : '';
- $mx_record_erroneous ? $warnings .= "* Domain MX record of email is invalid\n" : '';
- $url_is_invalid ? $warnings .= "* Website URL is invalid.\n" : '';
- $url_a_record_invalid ? $warnings .= "* Domain A record of website URL is invalid.\n" : '';
+ $name_is_a_url ? $warnings .= "* Name: Is a URL\n" : '';
+ $name_is_an_email_address ? $warnings .= "* Name: Is an email address\n" : '';
+ $email_is_invalid ? $warnings .= "* Email: Invalid address\n" : '';
+ $email_a_record_invalid ? $warnings .= "* Email: Invalid Domain A record\n" : '';
+ $email_mx_record_invalid ? $warnings .= "* Email: Invalid Domain MX record\n" : '';
+ !empty($url) && $url_is_invalid ? $warnings .= "* Website: Invalid URL\n" : '';
+ $url_a_record_invalid ? 
$warnings .= "* Website: Invalid Domain A record\n" : '';
 // This is of minor elegance and error prone, I know.
 $warnings_count = substr_count($warnings, "\n");
- return strlen($warnings) > 0 ? "\n$warnings_count WARNINGS:\n$warnings" : '';
+ return strlen($warnings) > 0 ? "\n$warnings_count WARNING/S:\n$warnings" : '';
 }
 $COMMENT_DATE = date($DATE_FORMAT);
From 4674e8ed39bac1437283d99b5f37dd45b77d0a8a Mon Sep 17 00:00:00 2001 From: Gernot Date: Mon, 6 May 2013 04:15:47 -0300 Subject: [PATCH 3/3] added dynamic message-id to email headers
---
 php/mail.php | 1 + 1 file changed, 1 insertion(+)
diff --git a/php/mail.php b/php/mail.php
index 20ddbf8..5ed8a7b 100644
--- a/php/mail.php
+++ b/php/mail.php
@@ -106,6 +106,7 @@ public function send($recipient_email, $recipient_name = "")
 if (!empty($reply_to)) $headers []= "Reply-To: $reply_to";
 $headers []= "X-Mailer: PHP/" . phpversion();
+ $headers []= "Message-ID: <" . sha1(microtime()) . "@" . $_SERVER['SERVER_NAME'] . ">";
 $headers []= "MIME-Version: 1.0";
 $headers []= "Content-Type: multipart/mixed; boundary=\"$uid\"";
 $headers []= "";
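Review bot: `list($protocol, $domain) = explode('/', str_replace('//', '/', $url));` still extracts the wrong host for any URL with userinfo or a port: for `http://user@host:8080/x` the second element is `user@host:8080`, so checkdnsrr() is asked about a name that cannot resolve and every such site is flagged "Website: Invalid Domain A record", and $protocol is never used. `$domain = parse_url($url, PHP_URL_HOST);` followed by `$url_a_record_invalid = empty($domain) || !checkdnsrr($domain, 'A');` is the standard and shorter form. Separately, both checkdnsrr() calls run synchronously on names chosen by the submitter, so a host whose nameservers do not answer holds the PHP worker open until the resolver gives up, and a mail domain that publishes only MX (or only AAAA) records is reported as having an invalid A record even though mail to it works; the comment above the lookups should say these results are advisory only. get_warnings_for()'s signature sits above this hunk.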
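Review bot: The added Message-ID is built from `sha1(microtime())`, which varies only with the clock: two sends in the same microsecond, or on a host with coarse clock resolution, get the same ID, which breaks threading and duplicate detection on the receiving side, and the value is predictable. Mix in some entropy, e.g. `$headers []= "Message-ID: <" . sha1(uniqid(mt_rand(), true)) . "@" . $_SERVER['SERVER_NAME'] . ">";`. Depending on the web-server configuration (Apache with UseCanonicalName Off, for instance) `$_SERVER['SERVER_NAME']` follows the request's Host header, so a request-controlled string ends up in a mail header; a configured hostname or `gethostname()` is the safer right-hand side. send()'s body extends beyond this hunk on both sides.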