diff --git a/checkin_notes b/checkin_notes index 1a73f4878d..98aed636b7 100644 --- a/checkin_notes +++ b/checkin_notes @@ -9900,3 +9900,14 @@ Charlie 25 Oct 2007 mac_build/ boinc.xcodeproj/ project.pbxproj + +Rytis 25 Oct 2007 + - User web: add reCAPTCHA to profile creation/modification page. + Documented in http://boinc.berkeley.edu/trac/wiki/ProtectionFromSpam + + html/ + inc/ + profile.inc + recaptchalib.php (from recaptcha.net/plugins/php) + user/ + create_profile.php diff --git a/html/inc/profile.inc b/html/inc/profile.inc index aa0c963f4e..30a13733c7 100644 --- a/html/inc/profile.inc +++ b/html/inc/profile.inc @@ -9,6 +9,7 @@ require_once("../inc/user.inc"); require_once("../inc/translation.inc"); require_once("../inc/text_transform.inc"); require_once("../inc/db_forum.inc"); +require_once("../inc/recaptchalib.php"); define('SMALL_IMG_WIDTH', 64); define('SMALL_IMG_HEIGHT', 64); @@ -75,7 +76,19 @@ function show_profile_creation_page($user) { // fill in the fields with their current values. // $profile = get_profile($user->id); - if (isset($_POST['submit']) && $_POST['submit']) { + if (post_str("submit", true)) { + $config = get_config(); + $privatekey = parse_config($config, ""); + if ($privatekey) { + $resp = recaptcha_check_answer($privatekey, $_SERVER["REMOTE_ADDR"], + $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]); + + if (!$resp->is_valid) { + error_page("The reCAPTCHA wasn't entered correctly. Go back and try it again.
". + "(reCAPTCHA said: " . $resp->error . ")"); + } + } + process_create_profile($user, $profile); exit(); } @@ -109,15 +122,24 @@ function show_description() { } function show_questions($profile) { + $response1 = ""; + $response2 = ""; + if (isset($profile->response1)) { + $response1 = stripslashes($profile->response1); + } + if (isset($profile->response2)) { + $response2 = stripslashes($profile->response2); + } + row1(show_profile_heading1()); rowify(show_profile_question1().html_info()); rowify("
"); - show_textarea("response1", stripslashes($profile->response1)); + show_textarea("response1", $response1); rowify("
"); row1( show_profile_heading2()); rowify( show_profile_question2().html_info()); rowify("
"); - show_textarea("response2", stripslashes($profile->response2)); + show_textarea("response2", $response2); rowify("
"); show_language_selection($profile); rowify("
"); @@ -158,7 +180,7 @@ function show_picture_option($profile) { $warning = offensive_profile_warning($profile->verification); } - if ($profile->has_picture) { + if (($profile) && ($profile->has_picture)) { echo " "; - if (strlen($profile->language)) { + if (isset($profile->language)) { show_combo_box("language", LANGUAGE_FILE, $profile->language); } else { show_combo_box("language", LANGUAGE_FILE, "English"); @@ -207,7 +229,14 @@ function show_language_selection($profile) { function show_submit() { row1("Submit profile"); - rowify("

"); + echo ""; // White looks better :) + $config = get_config(); + $publickey = parse_config($config, ""); + if ($publickey) { + table_row("To protect project's webpages from spam, we ask you to type in two words shown in the image:
\n". + recaptcha_get_html($publickey)); + } + table_row("

"); } // If the user with id = $userid has uploaded a picture his/herself, diff --git a/html/inc/recaptchalib.php b/html/inc/recaptchalib.php new file mode 100644 index 0000000000..aea6e0d75e --- /dev/null +++ b/html/inc/recaptchalib.php @@ -0,0 +1,276 @@ + $value ) + $req .= $key . '=' . urlencode( stripslashes($value) ) . '&'; + + // Cut the last '&' + $req=substr($req,0,strlen($req)-1); + return $req; +} + + + +/** + * Submits an HTTP POST to a reCAPTCHA server + * @param string $host + * @param string $path + * @param array $data + * @param int port + * @return array response + */ +function _recaptcha_http_post($host, $path, $data, $port = 80) { + + $req = _recaptcha_qsencode ($data); + + $http_request = "POST $path HTTP/1.0\r\n"; + $http_request .= "Host: $host\r\n"; + $http_request .= "Content-Type: application/x-www-form-urlencoded;\r\n"; + $http_request .= "Content-Length: " . strlen($req) . "\r\n"; + $http_request .= "User-Agent: reCAPTCHA/PHP\r\n"; + $http_request .= "\r\n"; + $http_request .= $req; + + $response = ''; + if( false == ( $fs = @fsockopen($host, $port, $errno, $errstr, 10) ) ) { + die ('Could not open socket'); + } + + fwrite($fs, $http_request); + + while ( !feof($fs) ) + $response .= fgets($fs, 1160); // One TCP-IP packet + fclose($fs); + $response = explode("\r\n\r\n", $response, 2); + + return $response; +} + + + +/** + * Gets the challenge HTML (javascript and non-javascript version). + * This is called from the browser, and the resulting reCAPTCHA HTML widget + * is embedded within the HTML form it was called from. + * @param string $pubkey A public key for reCAPTCHA + * @param string $error The error given by reCAPTCHA (optional, default is null) + * @param boolean $use_ssl Should the request be made over ssl? (optional, default is false) + + * @return string - The HTML to be embedded in the user's form. + */ +function recaptcha_get_html ($pubkey, $error = null, $use_ssl = false) +{ + if ($pubkey == null || $pubkey == '') { + die ("To use reCAPTCHA you must get an API key from http://recaptcha.net/api/getkey"); + } + + if ($use_ssl) { + $server = RECAPTCHA_API_SECURE_SERVER; + } else { + $server = RECAPTCHA_API_SERVER; + } + + $errorpart = ""; + if ($error) { + $errorpart = "&error=" . $error; + } + return ' + + '; +} + + + + +/** + * A ReCaptchaResponse is returned from recaptcha_check_answer() + */ +class ReCaptchaResponse { + var $is_valid; + var $error; +} + + +/** + * Calls an HTTP POST function to verify if the user's guess was correct + * @param string $privkey + * @param string $remoteip + * @param string $challenge + * @param string $response + * @return ReCaptchaResponse + */ +function recaptcha_check_answer ($privkey, $remoteip, $challenge, $response) +{ + if ($privkey == null || $privkey == '') { + die ("To use reCAPTCHA you must get an API key from http://recaptcha.net/api/getkey"); + } + + if ($remoteip == null || $remoteip == '') { + die ("For security reasons, you must pass the remote ip to reCAPTCHA"); + } + + + + //discard spam submissions + if ($challenge == null || strlen($challenge) == 0 || $response == null || strlen($response) == 0) { + $recaptcha_response = new ReCaptchaResponse(); + $recaptcha_response->is_valid = false; + $recaptcha_response->error = 'incorrect-captcha-sol'; + return $recaptcha_response; + } + + $response = _recaptcha_http_post (RECAPTCHA_VERIFY_SERVER, "/verify", + array ( + 'privatekey' => $privkey, + 'remoteip' => $remoteip, + 'challenge' => $challenge, + 'response' => $response + ) + ); + + $answers = explode ("\n", $response [1]); + $recaptcha_response = new ReCaptchaResponse(); + + if (trim ($answers [0]) == 'true') { + $recaptcha_response->is_valid = true; + } + else { + $recaptcha_response->is_valid = false; + $recaptcha_response->error = $answers [1]; + } + return $recaptcha_response; + +} + +/** + * gets a URL where the user can sign up for reCAPTCHA. If your application + * has a configuration page where you enter a key, you should provide a link + * using this function. + * @param string $domain The domain where the page is hosted + * @param string $appname The name of your application + */ +function recaptcha_get_signup_url ($domain = null, $appname = null) { + return "http://recaptcha.net/api/getkey?" . _recaptcha_qsencode (array ('domain' => $domain, 'app' => $appname)); +} + +function _recaptcha_aes_pad($val) { + $block_size = 16; + $numpad = $block_size - (strlen ($val) % $block_size); + return str_pad($val, strlen ($val) + $numpad, chr($numpad)); +} + +/* Mailhide related code */ + +function _recaptcha_aes_encrypt($val,$ky) { + if (! function_exists ("mcrypt_encrypt")) { + die ("To use reCAPTCHA Mailhide, you need to have the mcrypt php module installed."); + } + $mode=MCRYPT_MODE_CBC; + $enc=MCRYPT_RIJNDAEL_128; + $val=_recaptcha_aes_pad($val); + return mcrypt_encrypt($enc, $ky, $val, $mode, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"); +} + + +function _recaptcha_mailhide_urlbase64 ($x) { + return strtr(base64_encode ($x), '+/', '-_'); +} + +/* gets the reCAPTCHA Mailhide url for a given email, public key and private key */ +function recaptcha_mailhide_url($pubkey, $privkey, $email) { + if ($pubkey == '' || $pubkey == null || $privkey == "" || $privkey == null) { + die ("To use reCAPTCHA Mailhide, you have to sign up for a public and private key, " . + "you can do so at http://mailhide.recaptcha.net/apikey"); + } + + + $ky = pack('H*', $privkey); + $cryptmail = _recaptcha_aes_encrypt ($email, $ky); + + return "http://mailhide.recaptcha.net/d?k=" . $pubkey . "&c=" . _recaptcha_mailhide_urlbase64 ($cryptmail); +} + +/** + * gets the parts of the email to expose to the user. + * eg, given johndoe@example,com return ["john", "example.com"]. + * the email is then displayed as john...@example.com + */ +function _recaptcha_mailhide_email_parts ($email) { + $arr = preg_split("/@/", $email ); + + if (strlen ($arr[0]) <= 4) { + $arr[0] = substr ($arr[0], 0, 1); + } else if (strlen ($arr[0]) <= 6) { + $arr[0] = substr ($arr[0], 0, 3); + } else { + $arr[0] = substr ($arr[0], 0, 4); + } + return $arr; +} + +/** + * Gets html to display an email address given a public an private key. + * to get a key, go to: + * + * http://mailhide.recaptcha.net/apikey + */ +function recaptcha_mailhide_html($pubkey, $privkey, $email) { + $emailparts = _recaptcha_mailhide_email_parts ($email); + $url = recaptcha_mailhide_url ($pubkey, $privkey, $email); + + return htmlentities($emailparts[0]) . "...@" . htmlentities ($emailparts [1]); + +} + + +?> diff --git a/html/user/create_profile.php b/html/user/create_profile.php index 644f0c8628..7de0a8232c 100644 --- a/html/user/create_profile.php +++ b/html/user/create_profile.php @@ -5,14 +5,6 @@ require_once("../inc/profile.inc"); db_init(); $user = get_logged_in_user(true); -if ($user->total_credit > 0) { - show_profile_creation_page($user); -} else { - page_head("Not available"); - echo "You must have returned results and received credit - before you can create a profile. - "; - page_tail(); -} +show_profile_creation_page($user); ?>