diff options
| author | Lukas Reschke <lukas@statuscode.ch> | 2021-05-28 11:13:28 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-05-28 11:13:28 +0300 |
| commit | fd5fa561389b1e72ddc966e6f575ddfb46072c67 (patch) | |
| tree | 7023ee8f11382ac4ff72d312f7b1bcb77b719c0a /page-includesubmit.php | |
| parent | 32f5772c9fdd641ba68112dbf29074fe05758c43 (diff) | |
Fix several security concerns (#1471)
* Use REMOTE_ADDR field
The other ones are not used at all. This would allow someone to spoof
the configured IP address and bypass any rate limit.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Add basic ratelimiting class
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Remove Mautic submission form
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Replace captcha with ratelimiter
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Space + tabs
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Dont check if no REDIS is defined in config
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'page-includesubmit.php')
| -rw-r--r-- | page-includesubmit.php | 18 |
1 files changed, 7 insertions, 11 deletions
diff --git a/page-includesubmit.php b/page-includesubmit.php index fc123ac0..b4734e8d 100644 --- a/page-includesubmit.php +++ b/page-includesubmit.php @@ -19,6 +19,12 @@ </div> <?php +require_once realpath(dirname(__FILE__)) . '/lib/ratelimiter.php'; + +if(!canPerformLimitedAction("appmarketing-submit-action", 10)) { + die("Too many requests. Please try again later."); +} + if(isset($_POST['email'])) { function died($error) { // error code goes here @@ -59,8 +65,6 @@ if(isset($_POST['email'])) { $contribute = $_POST['contribute']; // required $links = $_POST['links']; // required $others = $_POST['others']; // required - $checksum = $_POST['checksum']; // required - $captcha = $_POST['captcha']; $error_message = ""; $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,10}$/'; if(!preg_match($email_exp,$email_from)) { @@ -70,15 +74,7 @@ if(isset($_POST['email'])) { if(!preg_match($string_exp,$yourname)) { $error_message .= 'The name you entered does not appear to be valid.<br />'; } - if (strlen($checksum) !== 75 || !strpos($checksum, ':')) { - $error_message .= 'The checksum is not valid.<br />'; - } else { - list($salt, $expectedHash) = explode(':', $checksum, 2); - $hash = hash('sha256', $salt . $captcha); - if ($hash !== $expectedHash) { - $error_message .= 'The captcha result you entered does not appear to be correct.<br />'; - } - } + $string_exp = "/^((\+|00)\d{1,3})?(\d+|\s+)+\d$/"; if(strlen($error_message) > 0) { |