diff options
author | Lukas Reschke <lukas@statuscode.ch> | 2021-05-28 11:13:28 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-28 11:13:28 +0300 |
commit | fd5fa561389b1e72ddc966e6f575ddfb46072c67 (patch) | |
tree | 7023ee8f11382ac4ff72d312f7b1bcb77b719c0a /page-pr20190319.php | |
parent | 32f5772c9fdd641ba68112dbf29074fe05758c43 (diff) |
Fix several security concerns (#1471)
* Use REMOTE_ADDR field
The other ones are not used at all. This would allow someone to spoof
the configured IP address and bypass any rate limit.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Add basic ratelimiting class
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Remove Mautic submission form
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Replace captcha with ratelimiter
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Space + tabs
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Dont check if no REDIS is defined in config
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'page-pr20190319.php')
-rw-r--r-- | page-pr20190319.php | 25 |
1 files changed, 0 insertions, 25 deletions
diff --git a/page-pr20190319.php b/page-pr20190319.php index e0d33713..ff60338f 100644 --- a/page-pr20190319.php +++ b/page-pr20190319.php @@ -313,26 +313,6 @@ GreenNet, UK <h1>Signing the letter <small>(after publication)</small></h1> <p>If you want to sign the public letter with your company, please fill in the form below.<br>Note that your company name will be added to a separate list below the existing signatories.</p> -<?php - -$int1 = random_int(0, 15); -$int2 = random_int(0, 50); -$salt = bin2hex(random_bytes(5)); -$hash = hash('sha256', $salt . ($int1 + $int2)); -$checksum = $salt . ':' . $hash; - -$image = imagecreate(100, 20); -$background_color = imagecolorallocate($image, 255, 255, 255); -$text_color = imagecolorallocate($image, 0, 0, 0); -imagestring($image, 5, 3, 2, $int1 . ' + ' . $int2, $text_color); - -ob_start(); -imagepng($image); -$imagestring = ob_get_contents(); -ob_end_clean(); -imagedestroy($image); -?> - <form name="sign" method="post" action="../publiclettersubmit/"> <p><label for="companymail">Your business mail address<br> <input type="text" name="companymail" maxlength="60" size="60"></label></p> @@ -343,11 +323,6 @@ imagedestroy($image); <p><label for="country">Country<br> <input type="text" name="country" maxlength="80" size="60"></label></p> <td colspan="2" style="text-align:center"> - <div class="g-recaptcha" data-sitekey="<?php echo RECAPTCHA_SITEKEY; ?>"></div> - <p><label for="captcha">Please calculate the following sum: <span></span><br> - <img src="data:image/png;base64,<?php echo base64_encode($imagestring); ?>"><br> - <input type="text" name="captcha" maxlength="20" size="20" placeholder="13"></label></p> - <input type="hidden" name="checksum" value="<?php echo $checksum;?>"> <p>Please note that we only feature companies and business alliances on this list. We will not sign up private persons.<br>For that reason, we ask you to sign with your company email address.</p> <p>By clicking "submit" you confirm you used your business email address and you are authorized to sign this letter.<br>You will receive a confirmation email. Only after replying to that email will we add your email to the list. This is not a real-time process, we check manually.</p> <input type="submit" value=" Submit " class="button button--blue"> |