author | Lukas Reschke <lukas@statuscode.ch> | 2021-05-28 11:13:28 +0300 |
committer | GitHub <noreply@github.com> | 2021-05-28 11:13:28 +0300 |
commit | fd5fa561389b1e72ddc966e6f575ddfb46072c67 (patch) | |
tree | 7023ee8f11382ac4ff72d312f7b1bcb77b719c0a /page-trialsubmit.php | |
parent | 32f5772c9fdd641ba68112dbf29074fe05758c43 (diff) |
Fix several security concerns (#1471)
* Use REMOTE_ADDR field
The other ones are not used at all. This would allow someone to spoof
the configured IP address and bypass any rate limit.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Add basic ratelimiting class
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Remove Mautic submission form
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Replace captcha with ratelimiter
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Space + tabs
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Don't check if no REDIS is defined in config
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'page-trialsubmit.php')
-rw-r--r-- | page-trialsubmit.php | 42 |
1 files changed, 7 insertions, 35 deletions
diff --git a/page-trialsubmit.php b/page-trialsubmit.php
index 359c8a7f..bb85cb98 100644
--- a/page-trialsubmit.php
+++ b/page-trialsubmit.php
@@ -18,6 +18,12 @@
 </section>
 <?php
+require_once realpath(dirname(__FILE__)) . '/lib/ratelimiter.php';
+
+if(!canPerformLimitedAction("trial-submit-action", 10)) {
+ die("Too many requests. Please try again later.");
+}
+
 if(isset($_POST['email'])) {
 function died($error) {
 // error code goes here
@@ -41,9 +47,7 @@ if(isset($_POST['email'])) {
 if(!isset($_POST['yourname']) || !isset($_POST['email']) || !isset($_POST['organization']) ||
- !isset($_POST['users']) ||
- !isset($_POST['checksum']) ||
- !isset($_POST['captcha'])) {
+ !isset($_POST['users'])) {
 died('We are sorry, but there appears to be a problem with the form you submitted - did you fill in all mandatory fields?');
 }
 $yourname = $_POST['yourname']; // required
 $organization= $_POST['organization']; // required
@@ -62,9 +66,7 @@ if(isset($_POST['email'])) {
 $webconferencing = $_POST['webconferencing'];
 $outlook = $_POST['outlook'];
 $partner = $_POST['partner'];
- $checksum = $_POST['checksum']; // required
 $gdprcheck = $_POST['gdprcheck'];
- $captcha = $_POST['captcha'];
 $error_message = "";
 $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,10}$/';
 if(!preg_match($email_exp,$email_from)) {
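Review bot: The `canPerformLimitedAction("trial-submit-action", 10)` guard added at the top of this hunk runs on every request to the page, before the `if(isset($_POST['email']))` branch, so ordinary GET views that only render the form are charged against the same budget as submissions, and a visitor who reloads the page enough times is locked out before ever posting; moving the guard to the first statement inside the `isset($_POST['email'])` branch counts submissions only. The rejection is a bare `die()` with the default 200 status, which hides the throttling from clients and from any proxy or monitoring in front of the site; adding `http_response_code(429);` before the `die` is the conventional signal. Per the commit message the limiter is skipped when no Redis is configured, and the later hunks of this file remove the checksum/captcha verification, so such a deployment would presumably be left with no submission throttling at all (inferred from the description; lib/ratelimiter.php is not in this diff), and a comment at the call site such as `// Without a configured Redis the limiter allows everything and the form has no bot protection.` would make that trade-off visible to the next maintainer.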
@@ -78,41 +80,11 @@ if(isset($_POST['email'])) {
 if(!($gdprcheck=="gdprchecked")) {
 $error_message .= 'You did not agree with our privacy policy so we would not be allowed to read and reply to your inquiry.<br />';
 }
- if (strlen($checksum) !== 75 || !strpos($checksum, ':')) {
- $error_message .= 'The checksum is not valid.<br />';
- } else {
- list($salt, $expectedHash) = explode(':', $checksum, 2);
- $hash = hash('sha256', $salt . $captcha);
- if ($hash !== $expectedHash) {
- $error_message .= 'The captcha result you entered does not appear to be correct.<br />';
- }
- }
 $string_exp = "/^((\+|00)\d{1,3})?(\d+|\s+)+\d$/";
 // if(!preg_match($string_exp,$phone)) {
 // $error_message .= 'The phone number you entered does not appear to be valid, did you add a country code like +49?<br />';
 // }
-// if(RECAPTCHA_SECRET !== '' && isset($_POST['g-recaptcha-response'])) {
-// $url = 'https://www.google.com/recaptcha/api/siteverify';
-// $ch = curl_init();
-//
-// curl_setopt($ch, CURLOPT_URL, $url);
-// curl_setopt($ch, CURLOPT_POST, 1);
-// curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('secret' => RECAPTCHA_SECRET, 'response' => $_POST['g-recaptcha-response'])));
-// curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-//
-// $server_output = curl_exec($ch);
-//
-// $server_output = json_decode($server_output, true);
-//
-// curl_close($ch);
-//
-// if (!isset($server_output['success']) || $server_output['success'] !== true) {
-// $error_message .= 'The captcha result was invalid.<br />';
-// }
-// } else {
-// $error_message .= 'Captcha code is missing.<br />';
-// }
 if(strlen($error_message) > 0) {
 died($error_message);