8 changes: 4 additions & 4 deletions cleantalk.antispam/include.php
@@ -418,7 +418,7 @@ public static function OnPageStartHandler()
}else{
if( $arUser['type'] == 'contact_form_bitrix_smt' ){

echo '<div class="smt-form smt-form_bordered"><div class="smt-alert smt-alert_warning">' . $aResult['ct_result_comment'] . '</div></div>';
echo '<div class="smt-form smt-form_bordered"><div class="smt-alert smt-alert_warning">' . htmlspecialcharsbx($aResult['ct_result_comment']) . '</div></div>';
die();

}elseif( $arUser['type'] == 'contact_form_bitrix_iblock_ajax' ){
@@ -1866,9 +1866,9 @@ static function SendFeedback($module, $id, $feedback) {
if(empty($feedback) || $feedback != 'Y' && $feedback != 'N')
return;

$request_id = $DB->Query('SELECT ct_request_id FROM cleantalk_cids WHERE module=\''. $module .'\' AND cid=' . $id)->Fetch();
$request_id = $DB->Query('SELECT ct_request_id FROM cleantalk_cids WHERE module=\''. $DB->ForSql($module) .'\' AND cid=' . (int)$id)->Fetch();
if($request_id !== FALSE){
$DB->Query('DELETE FROM cleantalk_cids WHERE module=\''. $module .'\' AND cid=' . $id);
$DB->Query('DELETE FROM cleantalk_cids WHERE module=\''. $DB->ForSql($module) .'\' AND cid=' . (int)$id);

$ct_key_site = COption::GetOptionString('cleantalk.antispam', '_key', '', $site["LID"]);
$ct_key = empty($ct_key_site) ? COption::GetOptionString('cleantalk.antispam', 'key', '') : $ct_key_site;
@@ -1905,7 +1905,7 @@ static function GetCleanTalkResume($module, $id) {
if(empty($id) || intval($id) < 0)
return;

$ret_val = $DB->Query('SELECT ct_request_id, ct_result_comment FROM cleantalk_cids WHERE module=\''. $module .'\' AND cid=' . $id)->Fetch();
$ret_val = $DB->Query('SELECT ct_request_id, ct_result_comment FROM cleantalk_cids WHERE module=\''. $DB->ForSql($module) .'\' AND cid=' . (int)$id)->Fetch();
return $ret_val;
}
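Review bot: In SendFeedback the new `(int)$id` cast turns any non-numeric `$id` into 0, so the SELECT and the DELETE then run against `cid=0` instead of being skipped; the visible guard checks only `$feedback`, while GetCleanTalkResume does reject an empty or negative id. The function starts above the hunk, so an earlier check may exist, but if not, casting once and bailing out keeps the two queries aligned: `$cid = (int)$id; if ($cid <= 0) return;`. The same escaped `module`/`cid` condition is now written three times in this file and could be built once per function so the statements cannot drift apart.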

1 change: 1 addition & 0 deletions cleantalk.antispam/lang/en/options.php
@@ -59,5 +59,6 @@
$MESS['CLEANTALK_MULTISITE_LABEL_KEY'] = 'If you want to use specific Access Key for this website paste it here. Otherwise, leave it empty.';
$MESS['CLEANTALK_USE_CUSTOM_SERVER'] = 'Use custom server';
$MESS['CLEANTALK_USE_CUSTOM_SERVER_DESCRIPTION'] = 'Use custom server for spam checking. You can enter cleantalk.ru and the plugin will use only ru servers. This option is for critical situations when it is impossible to choose the server automatically.';
$MESS['CLEANTALK_SERVER_NOT_ALLOWED'] = 'Only cleantalk server allowed.';
$MESS['CLEANTALK_CURL_NOT_AVAILABLE'] = 'cURL is not available.';
$MESS['CLEANTALK_CURL_NOT_AVAILABLE_DETAILS'] = 'cURL support is required';
1 change: 1 addition & 0 deletions cleantalk.antispam/lang/ru/options.php
@@ -60,5 +60,6 @@
$MESS['CLEANTALK_USE_CUSTOM_SERVER'] = 'Использовать кастомный сервер';
$MESS['CLEANTALK_USE_CUSTOM_SERVER_DESCRIPTION'] = 'Использовать кастомный сервер для проверки спама. Можете ввести cleantalk.ru и плагин будет использовать только ru сервера. Опция для критических ситуаций, когда невозможен выбор сервера автоматически.';
$MESS['CLEANTALK_SERVER_NOT_AVAILABLE'] = 'Указанные сервера не доступны, обратитесь в тех поддержку https://cleantalk.org/my/support/open';
$MESS['CLEANTALK_SERVER_NOT_ALLOWED'] = 'Разрешены только cleantalk сервера';
$MESS['CLEANTALK_CURL_NOT_AVAILABLE'] = 'cURL не установлен.';
$MESS['CLEANTALK_CURL_NOT_AVAILABLE_DETAILS'] = 'cURL необходим для работы модуля';
6 changes: 3 additions & 3 deletions cleantalk.antispam/lib/Cleantalk/Antispam/Cleantalk.php
@@ -281,10 +281,10 @@ private function sendRequest($data = null, $url, $server_timeout = 15) {
// see http://stackoverflow.com/a/23322368
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disabling CA cert verivication and
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); // Disabling common name verification
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // Verify CA certificate
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // Verify common name matches host

if ($this->ssl_on && $this->ssl_path != '') {
if ($this->ssl_path != '') {
curl_setopt($ch, CURLOPT_CAINFO, $this->ssl_path);
}
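Review bot: With peer and host verification now always on, the `if ($this->ssl_path != '')` branch makes every request depend on that path being a readable CA bundle, because the `$this->ssl_on` condition was dropped and a stale or missing file will now fail the TLS handshake rather than be ignored. A guard such as `if ($this->ssl_path != '' && is_readable($this->ssl_path))` lets cURL fall back to the system trust store when the configured bundle is absent. sendRequest continues outside the hunk, so it is worth confirming that the code after `curl_exec` surfaces the cURL error to the administrator instead of treating a verification failure as an empty response.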

6 changes: 3 additions & 3 deletions cleantalk.antispam/lib/Cleantalk/ApbctBitrix/SFW.php
@@ -44,11 +44,11 @@ public function _die( $result )
'{SFW_DIE_CLICK_TO_PASS}' => $this->__('Please click the link below to pass the protection,', 'cleantalk-spam-protect'),
'{SFW_DIE_YOU_WILL_BE_REDIRECTED}' => sprintf( $this->__('Or you will be automatically redirected to the requested page after %d seconds.', 'cleantalk-spam-protect'), 3),
'{CLEANTALK_TITLE}' => ($this->test ? $this->__('This is the testing page for SpamFireWall', 'cleantalk-spam-protect') : ''),
'{REMOTE_ADDRESS}' => $result['ip'],
'{REMOTE_ADDRESS}' => htmlspecialcharsbx($result['ip']),
'{SERVICE_ID}' => $net_count['net_count'],
'{HOST}' => '',
'{GENERATED}' => '<p>The page was generated at&nbsp;' . date( 'D, d M Y H:i:s' ) . "</p>",
'{REQUEST_URI}' => $request_uri,
'{REQUEST_URI}' => htmlspecialcharsbx($request_uri),

// Cookie
'{COOKIE_PREFIX}' => '',
@@ -99,7 +99,7 @@ public function _die( $result )

}

die( "IP BLACKLISTED. Blocked by SFW " . $result['ip'] );
die( "IP BLACKLISTED. Blocked by SFW " . htmlspecialcharsbx($result['ip']) );

}
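Review bot: `htmlspecialcharsbx()` on `{REMOTE_ADDRESS}` and `{REQUEST_URI}` is only sufficient where the template places those placeholders in HTML text or a quoted attribute; the die-page template is not part of these hunks, and if `{REQUEST_URI}` is also used inside a script block or as the redirect target (the page text mentions an automatic redirect), it needs JavaScript or URL encoding for that context instead. `{SERVICE_ID}` is still substituted unescaped from `$net_count['net_count']`; if that value is always numeric, `(int)$net_count['net_count']` would make it safe by construction. For the address itself, checking `filter_var($result['ip'], FILTER_VALIDATE_IP)` before use is stricter than escaping. _die() starts and ends outside the hunks shown.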

6 changes: 6 additions & 0 deletions cleantalk.antispam/lib/Cleantalk/Common/Cron.php
@@ -234,8 +234,14 @@ public function runTasks( $tasks )
return;
}

$allowed_handlers = array('apbct_sfw_update', 'apbct_sfw_send_logs');

foreach( $tasks as $task ){

if( ! in_array( $this->tasks[$task]['handler'], $allowed_handlers, true ) ) {
continue;
}

if( method_exists( '\CleantalkAntispam',$this->tasks[$task]['handler'] ) ){

if( $this->debug ) {
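Review bot: The allowlist check reads `$this->tasks[$task]['handler']` without confirming that `$task` exists in `$this->tasks`, so an unknown task name raises an undefined-key warning before it is skipped; `if( ! isset( $this->tasks[$task]['handler'] ) || ! in_array( $this->tasks[$task]['handler'], $allowed_handlers, true ) )` avoids that. The list is a local array rebuilt on every call; a class constant (for example `const ALLOWED_HANDLERS = array('apbct_sfw_update', 'apbct_sfw_send_logs');`) with a comment saying that only these handlers may be dispatched from stored task data would put it where a new task type gets registered. Skipped tasks are dropped silently, so a line under `$this->debug` for a rejected handler would make a tampered or stale task entry visible. runTasks continues past the end of the hunk.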
7 changes: 4 additions & 3 deletions cleantalk.antispam/lib/Cleantalk/Common/RemoteCalls.php
@@ -90,7 +90,7 @@ public function perform()
$this->setLastCall( $action );

// Check API key
if( $token === strtolower( md5( $this->api_key ) ) ){
if( ! empty( $this->api_key ) && $token === strtolower( md5( $this->api_key ) ) ){

// Flag to let plugin know that Remote Call is running.
$this->rc_running = true;
@@ -100,8 +100,9 @@ public function perform()
if( method_exists( static::class, $action_method ) ){

// Delay before perform action;
if ( Get::get( 'delay' ) ) {
sleep(Get::get('delay'));
$delay = (int) Get::get( 'delay' );
if ( $delay > 0 ) {
sleep( min( $delay, 5 ) );
}

$action_result = static::$action_method();
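Review bot: The token check in perform() still compares with `===`, which is not a constant-time comparison; for a value that authenticates a remote call, `hash_equals( strtolower( md5( $this->api_key ) ), (string) $token )` is the appropriate primitive and keeps the new `! empty( $this->api_key )` guard in front of it. The cap in `sleep( min( $delay, 5 ) )` is a bare literal; a named constant with a short comment on why a request-supplied delay is accepted at all would help the next reader. perform() starts before and continues after the hunks shown.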
63 changes: 39 additions & 24 deletions cleantalk.antispam/options.php
@@ -40,9 +40,12 @@

$subTabControl = new CAdminViewTabControl("subTabControl", $sub_tabs);

$current_options = ct_get_options($sModuleId);
$current_options = ct_get_options($sModuleId);

if ( ! empty($REQUEST_METHOD) && $REQUEST_METHOD == 'POST' && $_POST['Update'] == 'Y' ) {
global $APPLICATION;
$ct_module_right = $APPLICATION->GetGroupRight($sModuleId);

if ( ! empty($REQUEST_METHOD) && $REQUEST_METHOD == 'POST' && $_POST['Update'] == 'Y' && check_bitrix_sessid() && $ct_module_right >= 'W' ) {
//try to get default options
$default_options = ct_get_default_options($sModuleId);

@@ -218,18 +221,30 @@
// Convert to lowercase and trim
$domain = strtolower(trim($domain));
// use default bitrix http client to make request
$httpClient = new \Bitrix\Main\Web\HttpClient();
$response = $httpClient->get('https://moderate.' . $domain);
if ($response === false) {
$allowed_servers = array('cleantalk.org', 'cleantalk.ru');
if ( ! in_array($domain, $allowed_servers, true) ) {
Option::set( $sModuleId, 'use_custom_server', '' );
CAdminNotify::Add(array(
'MESSAGE' => GetMessage( 'CLEANTALK_SERVER_NOT_AVAILABLE' ),
'TAG' => 'server_not_available',
'MESSAGE' => GetMessage( 'CLEANTALK_SERVER_NOT_ALLOWED' ),
'TAG' => 'server_not_allowed',
'MODULE_ID' => 'main',
'ENABLE_CLOSE' => 'Y'));
} else {
Option::set( $sModuleId, 'use_custom_server', $domain );
CAdminNotify::DeleteByTag('server_not_available');
// use default bitrix http client to make request
$httpClient = new \Bitrix\Main\Web\HttpClient();
$response = $httpClient->get('https://moderate.' . $domain);
if ($response === false) {
Option::set( $sModuleId, 'use_custom_server', '' );
CAdminNotify::Add(array(
'MESSAGE' => GetMessage( 'CLEANTALK_SERVER_NOT_AVAILABLE' ),
'TAG' => 'server_not_available',
'MODULE_ID' => 'main',
'ENABLE_CLOSE' => 'Y'));
} else {
Option::set( $sModuleId, 'use_custom_server', $domain );
CAdminNotify::DeleteByTag('server_not_available');
CAdminNotify::DeleteByTag('server_not_allowed');
}
}
}
}
@@ -404,16 +419,16 @@ function ctDisableInputLine(ct_input_line){
<!--LABEL-->
<td width="50%" valign="top"><label for="key"><?php echo GetMessage( 'CLEANTALK_LABEL_KEY' );?>:</td>
<td valign="top">
<input type="text" name="key" id="key" value="<?php echo $current_options['key'] ?>" /> <span><?php
<input type="text" name="key" id="key" value="<?php echo htmlspecialcharsbx($current_options['key']) ?>" /> <span><?php
if ($key_is_ok === '0') {
echo "<span style='color: red'>".GetMessage( 'CLEANTALK_KEY_NOT_VALID' )."</span>";
}
?></span>
<!--HIDDEN FIELDSET-->
<input type="hidden" name="is_paid" value="<?php echo $current_options['is_paid'] ?>" />
<input type="hidden" name="is_paid" value="<?php echo htmlspecialcharsbx($current_options['is_paid']) ?>" />
<input type="hidden" name="last_checked" value="0" />
<input type="hidden" name="moderate_ip" value="<?php echo $current_options['moderate_ip'] ?>" />
<input type="hidden" name="ip_license" value="<?php echo $current_options['ip_license'] ?>" />
<input type="hidden" name="moderate_ip" value="<?php echo htmlspecialcharsbx($current_options['moderate_ip']) ?>" />
<input type="hidden" name="ip_license" value="<?php echo htmlspecialcharsbx($current_options['ip_license']) ?>" />
</td>
<?php
}
@@ -423,7 +438,7 @@ function ctDisableInputLine(ct_input_line){
<?php if ( $key_is_ok === '0' ){ ?>
<tr>
<td width="50%" valign="top">
<a target="_blank" href="https://cleantalk.org/register?platform=bitrix&email=<?php echo Option::get("main", "email_from"); ?>&website=<?php echo $_SERVER["SERVER_NAME"]; ?>">
<a target="_blank" href="https://cleantalk.org/register?platform=bitrix&email=<?php echo urlencode(Option::get("main", "email_from")); ?>&website=<?php echo urlencode($_SERVER["SERVER_NAME"]); ?>">
<input
type="button"
name="getmanualkey"
@@ -443,13 +458,13 @@ function ctDisableInputLine(ct_input_line){
</tr>
<?php } ?>
<tr>
<td colspan='2' style='text-align: center;'><?php echo GetMessage( 'CLEANTALK_EMAIL_REGISTRATION_WARNING' )."(". Option::get("main", "email_from"); ?>).<br> <a target="_blank" href="https://cleantalk.org/publicoffer"><?php echo GetMessage( 'CLEANTALK_LICENSE_AGREEMENT' ); ?></a></td>
<td colspan='2' style='text-align: center;'><?php echo GetMessage( 'CLEANTALK_EMAIL_REGISTRATION_WARNING' )."(". htmlspecialcharsbx(Option::get("main", "email_from")); ?>).<br> <a target="_blank" href="https://cleantalk.org/publicoffer"><?php echo GetMessage( 'CLEANTALK_LICENSE_AGREEMENT' ); ?></a></td>
</tr>
<?php }else{ ?>
<tr>
<td width="50%"></td>
<td valign="top">
<a target="_blank" href="https://cleantalk.org/my?user_token=<?php echo $current_options['user_token']; ?>">
<a target="_blank" href="https://cleantalk.org/my?user_token=<?php echo urlencode($current_options['user_token']); ?>">
<input type="button" name="getmanualkey" value="<?php echo GetMessage( 'CLEANTALK_GET_TO_CP' ) ?>" />
</a>
</td>
@@ -473,7 +488,7 @@ function ctDisableInputLine(ct_input_line){
$api_key_subsite = Option::get($sModuleId, '_key', '', $site_id);
?>
<?= GetMessage( 'CLEANTALK_MULTISITE_LABEL_KEY' ) ?>
<input type="text" name="key_<?= $site_id ?>" id="key_<?= $site_id ?>" value="<?= $api_key_subsite ?>" />
<input type="text" name="key_<?= $site_id ?>" id="key_<?= $site_id ?>" value="<?= htmlspecialcharsbx($api_key_subsite) ?>" />
<?php }
$subTabControl->End();
?>
@@ -691,7 +706,7 @@ function ctDisableInputLine(ct_input_line){
<div class="ui-ctl ui-ctl-textarea">
<?php
echo ('<textarea class="ui-ctl-element" name="form_exclusions_url" id="form_exclusions_url" cols="45" rows="10">');
echo ($current_options['form_exclusions_url']);
echo htmlspecialcharsbx($current_options['form_exclusions_url']);
echo ('</textarea>');
?>
</div>
@@ -717,7 +732,7 @@ function ctDisableInputLine(ct_input_line){
<label for="form_exclusions_fields"><?php echo GetMessage( 'CLEANTALK_EXCLUSIONS_FIELDS' );?>:</td>
<td valign="top">
<div class="ui-ctl ui-ctl-textarea">
<input type="text" name="form_exclusions_fields" id="form_exclusions_fields" value="<?php echo $current_options['form_exclusions_fields']; ?>" />
<input type="text" name="form_exclusions_fields" id="form_exclusions_fields" value="<?php echo htmlspecialcharsbx($current_options['form_exclusions_fields']); ?>" />
</div>
<input
type="checkbox"
@@ -744,7 +759,7 @@ function ctDisableInputLine(ct_input_line){
type="text"
name="form_exclusions_webform"
id="form_exclusions_webform"
value="<?php echo $current_options['form_exclusions_webform']; ?>" />
value="<?php echo htmlspecialcharsbx($current_options['form_exclusions_webform']); ?>" />
<div style="padding: 10px 0 10px 0">
<?php echo GetMessage( 'CLEANTALK_EXCLUSIONS_WEBFORM_DESCRIPTION' ); ?>
</div>
@@ -773,17 +788,17 @@ function ctDisableInputLine(ct_input_line){
type="text"
name="use_custom_server"
id="use_custom_server"
value="<?php echo $current_options['use_custom_server']; ?>" />
value="<?php echo htmlspecialcharsbx($current_options['use_custom_server']); ?>" />
<div style="padding: 10px 0 10px 0">
<?php echo GetMessage( 'CLEANTALK_USE_CUSTOM_SERVER_DESCRIPTION' ); ?>
</div>
</td>
</tr>
<!--HIDDEN FIELDSET-->
<input type="hidden" name="is_paid" value="<?php echo $current_options['is_paid'] ?>" />
<input type="hidden" name="is_paid" value="<?php echo htmlspecialcharsbx($current_options['is_paid']) ?>" />
<input type="hidden" name="last_checked" value="0" />
<input type="hidden" name="moderate_ip" value="<?php echo $current_options['moderate_ip'] ?>" />
<input type="hidden" name="ip_license" value="<?php echo $current_options['ip_license'] ?>" />
<input type="hidden" name="moderate_ip" value="<?php echo htmlspecialcharsbx($current_options['moderate_ip']) ?>" />
<input type="hidden" name="ip_license" value="<?php echo htmlspecialcharsbx($current_options['ip_license']) ?>" />
<?php $oTabControl->Buttons(); ?>
<input type="submit" name="Update" value="<?php echo GetMessage( 'CLEANTALK_BUTTON_SAVE' ) ?>" />
<input type="submit" name="reset" value="<?php echo GetMessage( 'CLEANTALK_BUTTON_RESET' ) ?>" />
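Review bot: The new `check_bitrix_sessid() && $ct_module_right >= 'W'` condition is attached only to the `$_POST['Update'] == 'Y'` branch, while the same form also submits `reset` (the last button in this section); the handler for that button is not in the visible hunks, so it should be confirmed that it passes the same session-token and rights checks. Evaluating the guard once, e.g. `$ct_can_write = check_bitrix_sessid() && $ct_module_right >= 'W';`, and using it in every state-changing branch keeps them aligned. A POST that fails the guard is dropped without any message, which will look to the administrator like a save that did nothing. In the multisite hunk, `name="key_<?= $site_id ?>"` and the matching `id` still print `$site_id` unescaped next to the newly escaped value.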