From 8f5d485458ca63a62f3082b492a8eb80b52a3c6b Mon Sep 17 00:00:00 2001 From: fuzzykitten Date: Sun, 1 Jun 2025 14:11:37 -0400 Subject: [PATCH] cleaned up mobile index --- srv/mob/index.php | 1268 +++------------------------------------------ 1 file changed, 76 insertions(+), 1192 deletions(-) diff --git a/srv/mob/index.php b/srv/mob/index.php index f64dec8..ea6cc22 100644 --- a/srv/mob/index.php +++ b/srv/mob/index.php @@ -65,7 +65,7 @@ if ( file_exists($config_file) ) { // Give a new location to the browser. // Does not work with lynx, unfortunately, but then the link can be used. // For the mobile version, lynx does not matter, of course. -function answer_redirect($sub) +function answer_redirect_mob($sub) { header( "refresh:3;url=/mob/s/$sub" ); @@ -84,7 +84,7 @@ function answer_redirect($sub) // Translate simple bbcode to html, and highlight quotes, like so: // [b bold],[i italic],[u underlined],[s strikethrough] // [h headline],[sp spoiler],[li list element],[url link],>>quote\r\n -function bbcode_to_html($text, $settings) +function bbcode_to_html_mob($text, $settings) { if ( ($settings['enable_bbcode'] == FALSE) ) { return $text; 
@@ -118,322 +118,14 @@ function bbcode_to_html($text, $settings) } -// checks if the bot trap has been called recently from the ip. -// according to the parameters in the config file, the request is then -// either granted or blocked. -// if the blocking of tor is enabled, 127.0.0.1 will be included in the -// blocking, which can mean that no connections from tor or local are taken -// during the block time. -function bot_block($db, $settings, $ip) -{ - if ( ($settings['enable_bot_block'] != TRUE) ) { - return; - } - - if ( ($settings['enable_tor_block'] != TRUE) - && ($_SERVER['REMOTE_ADDR'] == '127.0.0.1') ) { - return; - } - - $current = time(); - $max_age = $current - ($settings['block_time'] * 60); - // max age is in minutes, so times 60 to go to seconds - - if ($settings['superstrict_block'] == TRUE) { - $statement = $db->prepare("SELECT unix_timestamp - FROM logs - WHERE type = 'bot' - AND ip = '$ip' - AND event in ('Level 2', - 'Level 1', - '429') - AND unix_timestamp > '$max_age'"); - } else { - $statement = $db->prepare("SELECT unix_timestamp - FROM logs - WHERE type = 'bot' - AND ip = '$ip' - AND event in ('Level 2', - 'Level 1') - AND unix_timestamp > '$max_age'"); - } - - $result = $statement->execute(); - - $trap_visits = 0; - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $trap_visits++; - } - - if ( ($trap_visits > $settings['max_trap_visits']) ) { - $bot_block_message = '429'; - log_event($db, $settings, 'bot', $bot_block_message, $ip); - header( 'HTTP/1.1 429 Too Many Requests' ); - quit($db, '429'); - } - - if ( ($settings['max_landing'] > 0) - && ($settings['superstrict_block'] == TRUE) ) { - $statement = $db->prepare("SELECT unix_timestamp - FROM logs - WHERE type = 'bot' - AND ip = '$ip' - AND event in ('landing page bot request', - '429') - AND unix_timestamp > '$max_age'"); - } elseif ( ($settings['max_landing'] > 0) ) { - $statement = $db->prepare("SELECT unix_timestamp - FROM logs - WHERE type = 'bot' - AND ip = '$ip' - AND event = 
'landing page bot request' - AND unix_timestamp > '$max_age'"); - } else { - return; - } - - $result = $statement->execute(); - - $landing_visits = 0; - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $landing_visits++; - } - - if ( ($landing_visits > $settings['max_landing']) ) { - $bot_block_message = '429'; - log_event($db, $settings, 'bot', $bot_block_message, $ip); - header( 'HTTP/1.1 429 Too Many Requests' ); - quit($db, '429'); - } - - return; -} - -// If the post is a reply, put the original post on top. -function bump_message($db, $org_id, $sub) -{ - return; - // REWRITE TO INCLUDE ORIGINAL - - $statement = $db->prepare("SELECT text, global_id, text_id - FROM threads - WHERE post_id = '$org_id' - AND org_id = '$org_id' - AND sub = '$sub'"); - $result = $statement->execute(); - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $text = "{$row[0]}"; - $global_id = "{$row[1]}"; - $text_id = "{$row[2]}"; - } - - $statement = $db->prepare("DELETE FROM threads - WHERE post_id = '$org_id' - AND org_id = '$org_id' - AND sub = '$sub'"); - $result = $statement->execute(); - - $statement = $db->prepare("INSERT INTO threads(post_id, sub, text, - org_id, shadow, - global_id, text_id) - VALUES ('$org_id', '$sub', ?, '$org_id', - 'no', '$global_id', '$text_id')"); - $statement->bindParam(1, $text); - - $statement->execute(); - -} - -// Break text according to config.php, also transform \r\n to
-function break_text($text) -{ - - $post_text = nl2br($text, FALSE); - return $post_text; - -} - -// Check the hashed captcha against the hashed solutions in the db. -function check_captcha($db, $settings) -{ - if ( (!isset($_POST['post_token'])) ) { - quit($db, '

What are you up to ? Use the postform.

'); - } - - if ( ($settings['use_captcha'] == FALSE) ){ - $post_hash = hash('sha512', $_POST['post_token']); - } elseif ( (!isset($_POST['math_one'])) - || (!isset($_POST['math_two'])) - || (!isset($_POST['math_type'])) - || (!isset($_POST['math_answer'])) ) { - quit($db, '

What are you up to ? Use the postform.

'); - } else { - $post_summary = ($_POST['math_one'] . $_POST['math_two'] . - $_POST['math_type'] . $_POST['math_answer'] . - $_POST['post_token']); - $post_hash = hash('sha512', $post_summary); - } - - $current = time(); - $max_age = $current - $settings['lifetime_captcha'] * 60 * 60; - // lifetime is in hours in the configfile, - // so times 60 * 60 to go to seconds - - $statement = $db->prepare("SELECT hash, unix_timestamp - FROM captchas - WHERE hash = '$post_hash' - AND unix_timestamp > '$max_age'"); - $result = $statement->execute(); - - $counter = 0; - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $counter++; - } - - if ( ($settings['use_captcha'] == FALSE) && ($counter < 1) ) { - $quit_message = '

Unauthorized attempt to post.' - . 'Use a newly opened postform.

'; - quit($db, $quit_message); - } elseif ( ($counter < 1) ) { - quit($db, '

wrong answer or captcha expired, try again

'); - } else { - $statement = $db->prepare("DELETE FROM captchas - WHERE hash = '$post_hash'"); - $result = $statement->execute(); - } -} - -// Check if we have enough free space on the harddisk to allow new posts -function check_free_space($db, $settings) -{ - - $free_space = disk_free_space($settings['work_dir']); - - if ($free_space < ($settings['min_space'] * 1024 * 1024)) { - // the setting is in Megabyte, free space operates in bytes - return FALSE; - } - - return TRUE; -} - -// Check if the maximum requests as defined in the config file are -// exhausted or not -function check_max_requests($db, $settings, $ip) -{ - - $current = time(); - - if ( ($settings['max_requests_ip'] > 0) - && ($_SERVER['REMOTE_ADDR'] != '127.0.0.1') ) { - $max_age = $current - ($settings['max_requests_timeframe'] * 60); - // max age is in minutes, so times 60 to go to seconds - $max_visits = $settings['max_requests_ip']; - } elseif ( ($settings['max_requests_tor'] > 0) - && ($_SERVER['REMOTE_ADDR'] == '127.0.0.1') ) { - $max_age = $current - ($settings['max_requests_tor_timeframe'] * 60); - // max age is in minutes, so times 60 to go to seconds - $max_visits = $settings['max_requests_tor']; - } else { - return; - } - - $statement = $db->prepare("SELECT unix_timestamp - FROM logs - WHERE type = 'portal' - AND ip = '$ip' - AND event in ('visit') - AND unix_timestamp > '$max_age'"); - - $result = $statement->execute(); - - $visits = 0; - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $visits++; - } - - if ( ($visits > $max_visits) ) { - $block_message = '429'; - log_event($db, $settings, 'user', $block_message, $ip); - header( 'HTTP/1.1 429 Too Many Requests' ); - quit($db, '429'); - } -} - - -// checks if content has been posted before, according the config file. 
-function check_original_content($db, $settings, $sub, $text_id, $org_id) -{ - $statement = $db->prepare("SELECT post_id, sub, org_id - FROM threads - WHERE text_id = '$text_id'"); - $result = $statement->execute(); - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $result_post_id = "{$row[0]}"; - $result_sub = "{$row[1]}"; - $result_org_id = "{$row[2]}"; - if ( ($settings['original_content_global'] == TRUE) ){ - return FALSE; - } elseif ( ($settings['original_content_sub'] == TRUE) - && ($sub == $result_sub) ){ - return FALSE; - } elseif ( ($settings['original_content_thread'] == TRUE) - && ($sub == $result_sub) - && ($org_id == $result_org_id) ){ - return FALSE; - } - } - - return TRUE; -} - -// Check if a message actually exists in the database when replying. -// Note that if the links of the site are used for navigation, this is -// always the case (unless it was deleted meanwhile). -// This routine is mostly to prevent malicious users from creating -// ghost messages that are in the db but are never displayed -// (because the threadstart is missing). -function check_org_id_exists($db, $sub, $org_id) -{ - - $statement = $db->prepare("SELECT post_id - FROM threads - WHERE sub = '$sub' - AND shadow = 'no' - AND org_id = '$org_id'"); - $result = $statement->execute(); - - $counter = 0; - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $counter++; - break; - } - - if ( ($counter < 1) ) { - // if the counter is smaller 1, there is no match - return FALSE; - } else { - return TRUE; - } -} - // check if the ip has already passed the portal, in this case return. // if not, display a simple text and button to click to proceed. // the page displayed is done with inline styling, so that no // additional files will be requested. // Update: what started with the checking of the ip, has now expanded to // up to six parameters, which are concantenated and hashed. 
-function check_portal($db, $settings, $ip) +function check_portal_mob($db, $settings, $ip) { - - return; if ( ($settings['enable_portal'] != TRUE) ) { return; @@ -482,20 +174,9 @@ function check_portal($db, $settings, $ip) log_event($db, $settings, "portal", $portal_message, $ip); return; } else { - $characters = 'abcdefghijklmnopqrstuvwxyz' - . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; - - $random_string = ''; - - for ($i = 0; $i < 20; $i++) { - // token length is set to 20 characters - $index = random_int(0, 51); - // we have 62 to choose, so 0 to 61 - $random_string .= $characters[$index]; - } - $request = '/mob/' . $random_string; -// $request = $_SERVER['REQUEST_URI'] . '/' . $random_string; -// $request = $_SERVER['REQUEST_URI']; + $random_string = make_token(10, 'alpha'); + $request = $_SERVER['REQUEST_URI'] . '/random=' . $random_string; + header( 'HTTP/1.1 202 Accepted' ); header( 'Cache-Control: no-store', FALSE ); @@ -529,633 +210,8 @@ function check_portal($db, $settings, $ip) } } -// Check if a message exists already in the database when importing. -function check_post_exists($db, $sub, $org_id, $post_id) -{ - - $statement = $db->prepare("SELECT post_id - FROM threads - WHERE sub = '$sub' - AND org_id = '$org_id' - AND post_id = '$post_id'"); - $result = $statement->execute(); - - $counter = 0; - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $counter++; - } - - if ( ($counter < 1) ) { - // if the counter is smaller 1, there is no match - return FALSE; - } else { - return TRUE; - } -} - -// A simple check if the post is spam or not, also if it is too long -// or too short. -// These are a few of the only original lines of code left from smolBBS. -function check_spam($db, $text, $settings) -{ - - if (preg_match('/^(.)\1*$/u ', $text)) { - quit($db, '
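Review bot: Dropping the unconditional `return;` at the top of `check_portal_mob` turns the portal check from a no-op into live code, which the commit message ("cleaned up mobile index") does not mention. From here on the gate appears to be controlled by `$settings['enable_portal']` alone, so installations with that setting enabled will start serving the portal page to mobile visitors. If that is intended, say so in the function header, e.g. `// Active whenever $settings['enable_portal'] is TRUE; the former early return was removed.` The function body continues outside this hunk.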
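Review bot: `$request` is now built from `$_SERVER['REQUEST_URI']`, which is client-controlled, where the old line used the fixed prefix `'/mob/'`. The place where `$request` is written into the portal response is outside this hunk; if it reaches HTML or a header it needs encoding for that context, e.g. `htmlspecialchars($request, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` in markup, or the fixed prefix can be kept with `$request = '/mob/' . $random_string;`. `make_token(10, 'alpha')` also appears to cut the token from 20 letters to 10, and the `make_token()` deleted further down in this patch took no arguments, so the two-argument version has to come from a file not shown here. A short comment stating the intended token length and where `make_token` now lives would help.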

Spam detected!

'); - } - - $post_length = strlen($text); - - if ($post_length < $settings['min_char']) { - quit($db, '

Post too short!

'); - } - - if ($post_length > $settings['max_char']) { - quit($db, '

Post too long!

'); - } - - $text = str_replace(array("\n","\r"), '', $text); - - if (substr_count($text, ' ') === strlen($text)) { - quit($db, '

Spam detected! Post contained only spaces!

'); - } -//rewrite, does not work for all cases - if (ctype_space($text)) { - $quit_message = '

Spam detected! Post contained only spaces ' - . '(yeah, Unicode...)!

'; - quit($db, $quit_message); - } - -} - -// Check if a sub exists before display -// If the name does not exist, name* is searched -function check_sub_exists($db, $sub) -{ - - if ( ($sub == 'overboard') || ($sub == 'main') ) { - return $sub; - } - - $statement = $db->prepare("SELECT sub - FROM threads - WHERE sub = '$sub' - AND shadow = 'no'"); - - $result = $statement->execute(); - - $counter = 0; - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $counter++; - $sub = "{$row[0]}"; - } - - if ( ($counter < 1) ) { - // if the counter is smaller 1, there is no match - $statement = $db->prepare("SELECT sub - FROM threads - WHERE sub GLOB '$sub*' - AND shadow = 'no' - ORDER BY sub - ASC LIMIT 1"); - - $result = $statement->execute(); - - $counter_2 = 0; - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $counter_2++; - $sub = "{$row[0]}"; - } - - if ( ($counter_2 < 1) ) { - // if the counter is smaller 1, there is no match - return FALSE; - } else { - return $sub; - } - - } else { - return $sub; - } -} - -// Dump the contents of a sub,a thread or the whole board to a json -// file and send it to the browser. -// If used on the overboard, it will dump everything, including the -// messages from subs that are not actually displayed on the overboard. 
-function dump($db, $sub, $org_id, $settings) -{ -// rewrite to include ranges - header( 'Content-Type: application/json' ); - - $json_dump = array(); - - if ( (!empty($org_id)) ) { - $statement = $db->prepare("SELECT post_id, text - FROM threads - WHERE sub = '$sub' - AND shadow = 'no' - AND org_id = '$org_id'"); - $result = $statement->execute(); - $json_dump['sub'] = $sub; - $json_dump['org_id'] = $org_id; - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $post = array(); - $post['post_id'] = "{$row[0]}"; - $post['text'] = "{$row[1]}"; - array_push($json_dump, $post); - } - } elseif ($sub == 'overboard') { - $statement = $db->prepare("SELECT post_id, org_id, sub, text - FROM threads - WHERE shadow = 'no'"); - $result = $statement->execute(); - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $post = array(); - $post['post_id'] = "{$row[0]}"; - $post['org_id'] = "{$row[1]}"; - $post['sub'] = "{$row[2]}"; - $post['text'] = "{$row[3]}"; - array_push($json_dump, $post); - } - } else { - $statement = $db->prepare("SELECT post_id, org_id, text - FROM threads - WHERE sub = '$sub' - AND shadow = 'no'"); - $result = $statement->execute(); - $json_dump['sub'] = $sub; - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $post = array(); - $post['post_id'] = "{$row[0]}"; - $post['org_id'] = "{$row[1]}"; - $post['text'] = "{$row[2]}"; - array_push($json_dump, $post); - } - } - - echo json_encode($json_dump, JSON_PRETTY_PRINT - | JSON_NUMERIC_CHECK - | JSON_UNESCAPED_UNICODE); - -} - -// filter a variable according to different parameters and return the -// result -function filter($text, $type, $length) -{ - if ( ( $type == 'alnum') ) { - $filtered_text = substr( - preg_replace("/[^0-9a-zA-Z]/", "", $text), - 0, $length); - } elseif ( ($type == 'num') ) { - $filtered_text = substr( - preg_replace("/[^0-9]/", "", $text), - 0, $length); - } elseif ( ($type == 'email') ) { - $filtered_text = substr( - preg_replace("/[^0-9a-zA-Z@._]/", "", $text), - 0, $length); - } 
- - return $filtered_text; -} - -// Select a new post_id for a new post. It is one higher than the -// previous existing highest number. -// This means in theory that if a message is deleted the number could -// be assigned to a different one (if it was the latest message that -// was deleted). -// This behavior can be prevented when working with a moderators account. -// Note that in contrast to previous versions, replies are inside -// the same numbering system. -function get_new_post_id($db, $sub) -{ - - $largest = 0; - - $statement = $db->prepare("SELECT post_id - FROM threads - WHERE sub = '$sub' - ORDER BY post_id DESC - LIMIT 1"); - // we just want the highest element - $result = $statement->execute(); - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $largest = "{$row[0]}"; - } - - $largest++; - // we increase the largest number by one to get the new post_id - - return $largest; -} - -// Get the admin or mod token from the post stream. -function get_post_token() -{ - - $token = ''; - - if ( (!empty($_POST['token'])) ) { - $token = filter($_POST['token'], 'alnum', 250); - // length of token is 250 characters - } - - return $token; -} - -// Check how many pretty vars have been sent -function get_pretty_vars_count() -{ - - $raw_vars = explode('/', $_SERVER['REQUEST_URI']); - $count = count($raw_vars); - - return $count; - -} - -// Return number of posts in sub or overboard, with or without replies. -function give_total_posts($db, $sub, $original_only, $settings) -{ - - if ( ($original_only) && ($sub != 'overboard') ) { - $statement = $db->prepare("SELECT post_id - FROM threads - WHERE sub = '$sub' - AND post_id = org_id - AND shadow = 'no'"); - $result = $statement->execute(); - $counter = 0; - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $counter++; - } - } elseif ( ($sub == 'overboard') ) { - - $no_overboard = ''; - $last = array_pop($settings['no_overboard']); - - foreach($settings['no_overboard'] as $ex_sub) { - $str = "'" . $ex_sub . 
"', "; - $no_overboard .= $str; - } - - $no_overboard .= "'" . $last . "'"; - $statement = $db->prepare("SELECT post_id - FROM threads - WHERE post_id = org_id - AND sub NOT IN ($no_overboard) - AND shadow = 'no'"); - $result = $statement->execute(); - $counter = 0; - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $counter++; - } - } else { - $statement = $db->prepare("SELECT post_id - FROM threads - WHERE sub = '$sub' - AND shadow = 'no'"); - $result = $statement->execute(); - $counter = 0; - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $counter++; - } - } - - return $counter; - -} - -// Log an event to the db. Also, delete the overflow of logs as -// defined in the config file. -function log_event($db, $settings, $type, $text, $ip) -{ - - if ( ($settings['enable_logging'] != TRUE) ) { - return; - } - - $current = time(); - $timestamp = date('Y-m-d H:i:s', $_SERVER['REQUEST_TIME']); - - $statement = $db->prepare("INSERT INTO logs(event, type, timestamp, - unix_timestamp, ip) - VALUES (?, '$type', '$timestamp', - '$current', ?)"); - $statement->bindParam(1, $text); - $statement->bindParam(2, $ip); - $statement->execute(); - - if ( ($settings['cap_logs'] > 0) ) { - $statement = $db->prepare("DELETE FROM logs - WHERE ROWID IN - (SELECT ROWID FROM logs - ORDER BY ROWID DESC - LIMIT -1 OFFSET ?)"); - // to prevent the db from bloating (and to prevent attacks), we - // allow only so many lines of logs at any one time, and we check - // this with each call. 
- $statement->bindParam(1, $settings['cap_logs']); - $result = $statement->execute(); - -} - -} - -// Do some magic number trickery (easteregg) -function make_id_text($post_id) -{ - - switch($post_id) { - case 1: - $id_text = 'first post - yeah'; - break; - case 42: - $id_text = '...and thanks for all the fish...'; - break; - case 69: - $id_text = "$post_id 😏"; - break; - case 104: - $id_text = '10-4 affirmative'; - break; - case 143: - $id_text = "$post_id πŸ’Œ"; - break; - case 404: - $id_text = 'content not found'; - break; - case 420: - $id_text = '🌿🌿🌿'; - break; - case 666: - $id_text = 'πŸ‘ΏπŸ‘ΏπŸ‘Ώ '; - break; - case 911: - $id_text = 'How can I help you ?'; - break; - case 1312: - $id_text = 'all cats are beautiful'; - break; - default: - $id_text = $post_id; - } - - return $id_text; - -} - -// Make all tables that are needed (one each for posts, keys, hashes -// (captchas), hashes (passwords) and logs). -// Also, the hashes for the captchas are cropped to 20000. -function make_tables($db) -{ - - // make basic tables: threads, captchas, logs, keys - $db->exec('CREATE TABLE IF NOT EXISTS "captchas" ( - "id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, - "hash" TEXT UNIQUE, - "unix_timestamp" INTEGER - )'); - - $db->exec('CREATE TABLE IF NOT EXISTS "logs" ( - "id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, - "timestamp" TEXT, - "unix_timestamp" INTEGER, - "type" TEXT, - "event" TEXT, - "ip" TEXT - )'); - - $db->exec('CREATE TABLE IF NOT EXISTS "keys" ( - "id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, - "name" TEXT UNIQUE NOT NULL, - "type" INTEGER NOT NULL, - "email" TEXT, - "key" TEXT, - "subs" TEXT, - "token" TEXT, - "timestamp_token" INTEGER - )'); - - $db->exec('CREATE TABLE IF NOT EXISTS "threads" ( - "id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, - "post_id" INTEGER NOT NULL, - "shadow" TEXT NOT NULL, - "sub" TEXT NOT NULL, - "global_id" TEXT NOT NULL UNIQUE, - "text_id" TEXT NOT NULL, - "text" TEXT NOT NULL, - "org_id" INTEGER NOT NULL, - 
"timestamp" TEXT, - UNIQUE(post_id, sub) ON CONFLICT IGNORE - )'); - - $statement = $db->prepare("DELETE FROM captchas - WHERE ROWID IN - (SELECT ROWID FROM captchas - ORDER BY ROWID DESC - LIMIT -1 OFFSET 20000)"); - // to prevent the db from bloating (and to prevent attacks), we - // allow only 20000 captchas at any one time, and we check this - // with each call. This should be enough if your site is getting - // less or equal to 100.000 visitors a day. - // Total combinations of captcha and token are ca. 2000 * 62^250. - $result = $statement->execute(); - -} - -// Make a new post to a sub -function make_post($db, $sub, $settings, $text, $org_id) -{ - - $post_id = get_new_post_id($db, $sub); - - if ($org_id == '') { - $org_id = $post_id; - } elseif ( (!check_org_id_exists($db, $sub, $org_id)) ) { - quit($db, "

Post $org_id on sub $sub does not exist.

"); - } - - $global_id = hash('sha512', $sub . $post_id . $org_id . $text); - $text_id = hash('sha512', $text); - - $statement = $db->prepare("INSERT INTO threads(post_id, sub, text, - org_id, shadow, - global_id, text_id, - timestamp, name, - tripcode, original) - VALUES ('$post_id', '$sub', ?, '$org_id', - 'no', '$global_id', '$text_id', - '$timestamp', '$name', '$tripcode', - '$post_id')"); - $statement->bindParam(1, $text); - $statement->execute(); - - if ( ($org_id != $post_id) && ($settings['enable_bumping'] == TRUE) ){ - bump_message($db, $org_id, $sub); - } - - return $post_id; -} - -// Make a token to grant access to the admin panel or the mod panel for -// a limited time. A way of having sessions without cookies. -// Also used as a hidden field in the post form to prevent double -// posting by sending the same input twice. -function make_token() -{ - - $characters = '0123456789' - . 'abcdefghijklmnopqrstuvwxyz' - . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; - - $random_string = ''; - - for ($i = 0; $i < 250; $i++) { - // token length is set to 250 characters - $index = random_int(0, 61); - // we have 62 to choose, so 0 to 61 - $random_string .= $characters[$index]; - } - - return $random_string; -} - -// checks if posts from bots can be received or not -function post_block_bot($db, $settings, $visitor_ip) -{ - - $current = time(); - $max_age = $current - ($settings['max_post_timeframe'] * 60); - // the number from settings is in minutes, so times 60 for secs - - if ( ($settings['max_post_global'] > 0) ) { - $statement = $db->prepare("SELECT unix_timestamp - FROM logs - WHERE type in ('bot', 'user') - AND event = 'post attempt' - AND unix_timestamp > '$max_age'"); - - $result = $statement->execute(); - - $counter = 0; - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $counter++; - } - - if ( ($counter > $settings['max_post_global']) ) { - return FALSE; - } - } - - if ( ($settings['max_post_ip'] > 0) ) { - $statement = $db->prepare("SELECT unix_timestamp - FROM 
logs - WHERE type in ('bot', 'user') - AND event = 'post attempt' - AND ip = '$visitor_ip' - AND unix_timestamp > '$max_age'"); - - $result = $statement->execute(); - - $counter = 0; - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $counter++; - } - - if ( ($counter > $settings['max_post_ip']) ) { - return FALSE; - } - } - - if ( ($settings['max_post_bot'] > 0) ) { - $statement = $db->prepare("SELECT unix_timestamp - FROM logs - WHERE type = 'bot' - AND event = 'post attempt' - AND unix_timestamp > '$max_age'"); - - $result = $statement->execute(); - - $counter = 0; - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $counter++; - } - - if ( ($counter > $settings['max_post_bot']) ) { - return FALSE; - } - - } - - return TRUE; -} -// checks if posts from users can be received or not -function post_block_user($db, $settings, $visitor_ip) -{ - - $current = time(); - $max_age = $current - ($settings['max_post_timeframe'] * 60); - // the number from settings is in minutes, so times 60 for secs - - if ( ($settings['max_post_global'] > 0) ) { - $statement = $db->prepare("SELECT unix_timestamp - FROM logs - WHERE type in ('bot', 'user') - AND event = 'post attempt' - AND unix_timestamp > '$max_age'"); - - $result = $statement->execute(); - - $counter = 0; - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $counter++; - } - - if ( ($counter > $settings['max_post_global']) ) { - return FALSE; - } - } - - if ( ($settings['max_post_ip'] > 0) ) { - $statement = $db->prepare("SELECT unix_timestamp - FROM logs - WHERE type in ('bot', 'user') - AND event = 'post attempt' - AND ip = '$visitor_ip' - AND unix_timestamp > '$max_age'"); - - $result = $statement->execute(); - - $counter = 0; - - while ($row = $result->fetchArray(SQLITE3_NUM)) { - $counter++; - } - - if ( ($counter > $settings['max_post_ip']) ) { - return FALSE; - } - } - - return TRUE; -} - // Show each post in a thread -function print_thread($db, $sub, $settings, $org_id) +function print_thread_mob($db, 
$sub, $settings, $org_id) { $html_string = '
'; @@ -1171,7 +227,7 @@ function print_thread($db, $sub, $settings, $org_id) $post_id = "{$row[0]}"; $org_id = "{$row[1]}"; $post_text = "{$row[3]}"; - $post_text = break_text(bbcode_to_html($post_text), + $post_text = break_text(bbcode_to_html_mob($post_text), $settings); $id_text = make_id_text($post_id); @@ -1188,7 +244,7 @@ function print_thread($db, $sub, $settings, $org_id) // Show each post of the overboard (so all original posts in their // sequence, including bumps, except for the subs that are excluded) -function print_overboard($db, $settings, $page) +function print_overboard_mob($db, $settings, $page) { $out = ''; @@ -1245,7 +301,7 @@ function print_overboard($db, $settings, $page) $org_id = "{$row[1]}"; $sub = "{$row[2]}"; $text = "{$row[3]}"; - $post_text = break_text(bbcode_to_html($text, $settings)); + $post_text = break_text(bbcode_to_html_mob($text, $settings)); $link_string_1 = "/mob/r/$sub/$org_id/op"; $link_string_2 = "/mob/r/$sub/$org_id"; @@ -1258,14 +314,14 @@ function print_overboard($db, $settings, $page) echo "$html_string"; - print_replies($db, $sub, $post_id, $org_id, $settings); + print_replies_mob($db, $sub, $post_id, $org_id, $settings); echo '
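Review bot: The closing parenthesis is misplaced in `break_text(bbcode_to_html_mob($post_text), $settings)` in the `print_thread_mob` hunk: `bbcode_to_html_mob` is declared as `($text, $settings)` and reads `$settings['enable_bbcode']`, but here it receives only `$post_text`, while `$settings` is handed to `break_text`. On PHP 7.1 and later a user function called with too few arguments throws `ArgumentCountError`, so rendering a thread would fail on the first row. The rename carried the old line over unchanged; the other call sites in this patch already use the two-argument form, and this one should read `$post_text = break_text(bbcode_to_html_mob($post_text, $settings));`. The body of `print_thread_mob` starts and ends outside the hunk.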

'; } } // Show each post of an individual feed -function print_individual_feed($db, $settings, $ex_subs, $in_subs) +function print_individual_feed_mob($db, $settings, $ex_subs, $in_subs) { echo '
'; @@ -1321,7 +377,7 @@ function print_individual_feed($db, $settings, $ex_subs, $in_subs) $sub = "{$row[2]}"; $text = "{$row[3]}"; - $post_text = break_text(bbcode_to_html($text, $settings)); + $post_text = break_text(bbcode_to_html_mob($text, $settings)); $link_string_1 = "/mob/r/$sub/$org_id/op"; $link_string_2 = "/mob/r/$sub/$org_id"; @@ -1334,7 +390,7 @@ function print_individual_feed($db, $settings, $ex_subs, $in_subs) echo "$html_string"; - print_replies($db, $sub, $post_id, $org_id, $settings); + print_replies_mob($db, $sub, $post_id, $org_id, $settings); echo '
'; } @@ -1407,7 +463,7 @@ $html_string = '