From fed7fa31618320f28ae73af4f19d008012d75849 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Roland=20H=C3=A4der?= Date: Mon, 21 Jan 2013 20:27:47 +0000 Subject: [PATCH] Extension ext-blacklist continued: - Added check in ext-register/mydata to check for email address - Added filters for above check + unfinsihed logging - TODOs.txt updated --- .gitattributes | 1 + DOCS/TODOs.txt | 5 +- inc/extensions/ext-blacklist.php | 21 ++++- inc/filter/blacklist_filter.php | 70 +++++++++++++++ inc/language/de.php | 1 + inc/libs/blacklist_functions.php | 139 ++++++++++++++++------------- inc/libs/register_functions.php | 20 +++-- inc/modules/member/what-mydata.php | 18 +++- 8 files changed, 196 insertions(+), 79 deletions(-) create mode 100644 inc/filter/blacklist_filter.php diff --git a/.gitattributes b/.gitattributes index 34919c11b9..8072e2256f 100644 --- a/.gitattributes +++ b/.gitattributes @@ -266,6 +266,7 @@ inc/filter/_filter.php svneol=native#text/plain inc/filter/active_filter.php svneol=native#text/plain inc/filter/admins_filter.php svneol=native#text/plain inc/filter/beg_filter.php svneol=native#text/plain +inc/filter/blacklist_filter.php svneol=native#text/plain inc/filter/bonus_filter.php svneol=native#text/plain inc/filter/booking_filter.php svneol=native#text/plain inc/filter/cache_filter.php svneol=native#text/plain diff --git a/DOCS/TODOs.txt b/DOCS/TODOs.txt index 56d24cb2dc..3c9593516c 100644 --- a/DOCS/TODOs.txt +++ b/DOCS/TODOs.txt 
@@ -61,6 +61,7 @@ ./inc/extensions/sponsor/mode-setup.php:43:// @TODO Remove double tabs ./inc/extensions/sql_patches/mode-update.php:43:// @TODO Remove double-tabs ./inc/extensions/user/mode-update.php:43:// @TODO Remove double tabs +./inc/filter/blacklist_filter.php:63: // @TODO Insert log entry ./inc/filter/bonus_filter.php:56: // @TODO This query isn't right, it will only update if the user was for a longer time away! ./inc/filter/cache_filter.php:94: // @TODO This should be rewritten not to load the cache file for just checking if it is there for save removal. ./inc/filter/forced_filter.php:73: // @TODO This part is unfinished @@ -77,8 +78,8 @@ ./inc/header.php:66:// @TODO Find a way to not use direct module comparison ./inc/install-functions.php:446: // @TODO Comparing with DEFAULT_MAIN_TITLE doesn't work ./inc/install-functions.php:97: // @TODO DEACTIVATED: changeDataInLocalConfigurationFile('OUTPUT-MODE', "setConfigEntry('OUTPUT_MODE', '", "');", postRequestElement('omode'), 0); -./inc/language/de.php:1161: // @TODO Rewrite these two constants -./inc/language/de.php:1177: // @TODO Rewrite these three constants +./inc/language/de.php:1162: // @TODO Rewrite these two constants +./inc/language/de.php:1178: // @TODO Rewrite these three constants ./inc/language/de.php:46: // @TODO Please sort these language elements ./inc/language/de.php:749:// @TODO Are these constants longer used? ./inc/language-functions.php:254: // @TODO These are all valid languages, again hard-coded diff --git a/inc/extensions/ext-blacklist.php b/inc/extensions/ext-blacklist.php index 50fd459df6..a34fdeaed5 100644 --- a/inc/extensions/ext-blacklist.php +++ b/inc/extensions/ext-blacklist.php 
@@ -56,20 +56,28 @@ switch (getExtensionMode()) {
 addCreateTableSql('blacklist', "
 `id` BIGINT(20) UNSIGNED NOT NULL AUTO_INCREMENT,
 `data` VARCHAR(255) NOT NULL DEFAULT '',
-`type` VARCHAR(20) NOT NULL DEFAULT 'INVALID',
 `pool_id` BIGINT(20) UNSIGNED NULL DEFAULT NULL,
+`provider` VARCHAR(255) NOT NULL DEFAULT 'BLACKLIST',
+`type` VARCHAR(20) NOT NULL DEFAULT 'INVALID',
 `added` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
 PRIMARY KEY (`id`),
+INDEX (`provider`),
+INDEX (`type`),
 INDEX (`pool_id`)", 'Generic blacklist');
 // Add admin menu
- addAdminMenuSql('setup','config_blacklist','Sperrlisten','Einstellungen zu den Sperrlisten.',8);
- addAdminMenuSql('misc','list_blacklist','Sperrlisten...','Zeigt gesperrte Email-Adressen und/oder URLs an.',3);
+ addAdminMenuSql('setup', 'config_blacklist', 'Sperrlisten', 'Einstellungen zu den Sperrlisten.', 8);
+ addAdminMenuSql('misc', 'list_blacklist', 'Sperrlisten...', 'Zeigt gesperrte Email-Adressen und/oder URLs an.', 3);
 // Add configuration
- addConfigAddSql('url_blacklist', "ENUM('Y','N') NOT NULL DEFAULT 'Y'");
 addConfigAddSql('email_blacklist', "ENUM('Y','N') NOT NULL DEFAULT 'Y'");
+ addConfigAddSql('url_blacklist', "ENUM('Y','N') NOT NULL DEFAULT 'Y'");
+
+ // Register filters
+ registerFilter(__FILE__, __LINE__, 'pre_user_registration', 'CHECK_EMAIL_BLACKLISTED', FALSE, TRUE, isExtensionDryRun());
+ registerFilter(__FILE__, __LINE__, 'pre_update_user_data', 'CHECK_EMAIL_BLACKLISTED', FALSE, TRUE, isExtensionDryRun());
+ registerFilter(__FILE__, __LINE__, 'post_email_blacklisted', 'LOG_EMAIL_BLACKLISTED', FALSE, TRUE, isExtensionDryRun());
 break;
 case 'remove': // Do stuff when removing extension
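Review bot: The new `provider` column and its index are added only to the `setup` create-table SQL, yet the rewritten insert in blacklist_functions.php (second hunk of that file) always writes a `provider` value, so an installation that already has the `blacklist` table will fail on that insert unless an `update` step outside this hunk issues `ALTER TABLE ... ADD \`provider\` VARCHAR(255) NOT NULL DEFAULT 'BLACKLIST'` — worth confirming before this ships. The three `registerFilter` calls all pass the bare booleans `FALSE, TRUE`; a one-line comment such as `// args: silent abort = FALSE, force = TRUE` (whatever the filter API actually names them) would spare the next reader a lookup. The enclosing `switch` begins and ends outside the hunk.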
@@ -78,6 +86,11 @@ INDEX (`pool_id`)",
 // Remove menu
 addExtensionSql("DELETE LOW_PRIORITY FROM `{?_MYSQL_PREFIX?}_admin_menu` WHERE `what` IN('config_blacklist', 'list_blacklist') LIMIT 1");
+
+ // Unregister filters
+ unregisterFilter(__FILE__, __LINE__, 'pre_user_registration', 'CHECK_EMAIL_BLACKLISTED', TRUE, isExtensionDryRun());
+ unregisterFilter(__FILE__, __LINE__, 'pre_update_user_data', 'CHECK_EMAIL_BLACKLISTED', TRUE, isExtensionDryRun());
+ unregisterFilter(__FILE__, __LINE__, 'post_email_blacklisted', 'LOG_EMAIL_BLACKLISTED', FALSE, TRUE, isExtensionDryRun());
 break;
 case 'activate': // Do stuff when admin activates this extension
diff --git a/inc/filter/blacklist_filter.php b/inc/filter/blacklist_filter.php
new file mode 100644
index 0000000000..289d27105f
--- /dev/null
+++ b/inc/filter/blacklist_filter.php
@@ -0,0 +1,70 @@
+
diff --git a/inc/language/de.php b/inc/language/de.php
index 709a5ffc6b..f68a739f07 100644
--- a/inc/language/de.php
+++ b/inc/language/de.php
@@ -1026,6 +1026,7 @@ addMessages(array(
 'UNKNOWN_ERROR_CODE' => "Unbekannter Fehlercode 0x{%%pipe,getHexErrorCode=%s%%} erkannt.",
 'LOADER_SECURITY_HASH_MISMATCH' => "Der Sicherheitshash für den Dereferrer stimmt nicht mit der URL überein.",
 'URL_IS_BLACKLISTED' => "URL ist gesperrt.",
+ 'MEMBER_EMAIL_BLACKLISTED' => "Ihre Email-Adresse darf bei uns nicht verwendet werden. Bitte setzen Sie sich mit uns in Verbindung.",
 'DATA_IS_HIDDEN' => "Daten sind verdeckt.",
 'ADMIN_BOOKING_PACKAGE_ID' => "Buchungspaket",
 'ADMIN_BOOKING_PACKAGE_LINK' => "Zum Paket ...",
diff --git a/inc/libs/blacklist_functions.php b/inc/libs/blacklist_functions.php
index 92e0b2b4d1..05803c8c27 100644
--- a/inc/libs/blacklist_functions.php
+++ b/inc/libs/blacklist_functions.php
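Review bot: The third `unregisterFilter` call passes seven arguments (`'LOG_EMAIL_BLACKLISTED', FALSE, TRUE, isExtensionDryRun()`) while the two above it pass six (`'CHECK_EMAIL_BLACKLISTED', TRUE, isExtensionDryRun()`); if the six-argument form is the real signature, the extra `FALSE` shifts `TRUE` into the dry-run slot and the log filter is never actually unregistered when the extension is removed, leaving a registration that points at a function no longer loaded. Make it match its siblings: `unregisterFilter(__FILE__, __LINE__, 'post_email_blacklisted', 'LOG_EMAIL_BLACKLISTED', TRUE, isExtensionDryRun());`. Adjacent but pre-existing: the context `DELETE ... WHERE \`what\` IN('config_blacklist', 'list_blacklist') LIMIT 1` can only ever remove one of the two menu rows, so the `LIMIT 1` should be `LIMIT 2` or dropped. The enclosing `switch` begins and ends outside the hunk.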
@@ -40,40 +40,39 @@ if (!defined('__SECURITY')) {
 die();
 } // END - if
-// Inserts a given email (pattern) in blacklist if not found
-function insertEmailInBlacklist ($email, $id) {
- // Is this feature turned on and is the URL not there?
- if (!isEmailBlacklistEnabled()) {
- // Not enabled, then please don't call this function
- reportBug(__FUNCTION__, __LINE__, 'URL blacklisting is disabled, email=' . $email . ',id=' . $id);
- } elseif (!isEmailBlacklisted($email)) {
- // Did not find a record so we can add it... :)
- SQL_QUERY_ESC("INSERT INTO `{?_MYSQL_PREFIX?}_blacklist` (`data`, `pool_id`, `type`) VALUES ('%s', %s, 'EMAIL')",
- array(
- $email,
- $id
- ), __FUNCTION__, __LINE__);
- } // END - if
-}
-
-// Checks whether given email is blacklisted
-function isEmailBlacklisted ($email) {
+// Checks whether given data is blacklisted
+function isGenericBlacklisted ($type, $data) {
 // Mark it as not listed by default
 $listed = FALSE;
 // Is black-listing enbaled?
- if (!isEmailBlacklistEnabled()) {
+ if (!isGenericBlacklistEnabled($type)) {
 // No, then all emails are not in this list
 return FALSE;
- } elseif (!isset($GLOBALS['blacklist_data']['email'][$email])) {
+ } elseif (!isset($GLOBALS['blacklist_data'][$type][$data])) {
 // Check black-list for given email
- $result = SQL_QUERY_ESC("SELECT UNIX_TIMESTAMP(`added`) AS `added` FROM `{?_MYSQL_PREFIX?}_blacklist` WHERE '%s' REGEXP `data` AND `type`='EMAIL' LIMIT 1",
- array($email), __FUNCTION__, __LINE__);
+ $result = SQL_QUERY_ESC("SELECT
+ `id`,
+ `data`,
+ `pool_id`,
+ `provider`,
+ `type`,
+ UNIX_TIMESTAMP(`added`) AS `added`
+FROM
+ `{?_MYSQL_PREFIX?}_blacklist`
+WHERE
+ '%s' REGEXP `data` AND
+ `type`='%s'
+LIMIT 1",
+ array(
+ $data,
+ strtoupper($type)
+ ), __FUNCTION__, __LINE__);
 // Is there an entry?
 if (SQL_NUMROWS($result) == 1) {
 // Jupp, we got one listed
- $GLOBALS['blacklist_data']['email'][$email] = SQL_FETCHARRAY($result);
+ $GLOBALS['blacklist_data'][$type][$data] = SQL_FETCHARRAY($result);
 // Mark it as listed
 $listed = TRUE;
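Review bot: The generic lookup applies `'%s' REGEXP \`data\`` to every type, but the URL check it replaces (removed in this file's second hunk) used an exact `\`data\`='%s'` comparison, so rows stored as literal URLs are now read as regular expressions: `.` matches any character, an unanchored entry matches any URL that merely contains it, and a stored value that is not a valid pattern can make the query error out for every lookup of that type. If regex semantics for URLs are intended, the insert path should validate the pattern and anchor it; otherwise branch on `$type` and keep `\`data\`='%s'` for `'url'`. Smaller point: the cache is keyed by `$type` as passed while the query uses `strtoupper($type)`, so a caller passing `'EMAIL'` would bypass the cache entries written by the `'email'` wrappers — harmless today, but normalising `$type` once at the top would close that gap. The function continues past the end of this hunk.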
@@ -90,60 +89,76 @@ function isEmailBlacklisted ($email) {
 return $listed;
 }
+// Inserts a given email (pattern) in blacklist if not found
+function insertEmailInBlacklist ($email, $provider = 'BLACKLIST') {
+ // Call inner function
+ insertGenericInBlacklist ('email', $email, NULL, $provider);
+}
+
+// Inserts a given URL in blacklist if not found
+function insertUrlInBlacklist ($url, $poolId, $provider = 'BLACKLIST') {
+ // Call inner function
+ insertGenericInBlacklist ('url', $url, $poolId, $provider);
+}
+
 // Inserts a given URL in blacklist if not found
-function insertUrlInBlacklist ($url, $id) {
+function insertGenericInBlacklist ($type, $data, $poolId = NULL, $provider = 'BLACKLIST') {
 // Is this feature turned on and is the URL not there?
- if (!isUrlBlacklistEnabled()) {
+ if (!isGenericBlacklistEnabled($type)) {
 // Not enabled, then please don't call this function
- reportBug(__FUNCTION__, __LINE__, 'URL blacklisting is disabled, url=' . $url . ',id=' . $id);
- } elseif (!isUrlBlacklisted($url)) {
+ reportBug(__FUNCTION__, __LINE__, 'Blacklisting of type ' . $type . ' is disabled, data=' . $data . ',poolId=' . convertZeroToNull($poolId));
+ } elseif (!isUrlBlacklisted($data)) {
 // Did not find a record so we can add it... :)
- SQL_QUERY_ESC("INSERT INTO `{?_MYSQL_PREFIX?}_blacklist` (`data`, `pool_id`, `type`) VALUES ('%s', %s, 'URL')",
- array(
- $url,
- $id
- ), __FUNCTION__, __LINE__);
+ SQL_QUERY_ESC("INSERT INTO
+ `{?_MYSQL_PREFIX?}_blacklist`
+(
+ `data`,
+ `pool_id`,
+ `provider`,
+ `type`
+) VALUES (
+ '%s',
+ %s,
+ '%s',
+ '%s'
+)",
+ array(
+ $data,
+ convertZeroToNull($poolId),
+ $provider,
+ strtoupper($type)
+ ), __FUNCTION__, __LINE__);
 } // END - if
 }
+// Checks whether given email is blacklisted
+function isEmailBlacklisted ($email) {
+ // Call inner function
+ return isGenericBlacklisted('email', $email);
+}
+
 // Checks whether given URL is blacklisted
 function isUrlBlacklisted ($url) {
- // Mark it as not listed by default
- $listed = FALSE;
-
- // Is black-listing enbaled?
- if (!isUrlBlacklistEnabled()) {
- // No, then all URLs are not in this list
- return FALSE;
- } elseif (!isset($GLOBALS['blacklist_data']['url'][$url])) {
- // Check black-list for given URL
- $result = SQL_QUERY_ESC("SELECT UNIX_TIMESTAMP(`added`) AS `added`, `pool_id` FROM `{?_MYSQL_PREFIX?}_blacklist` WHERE `data`='%s' AND `type`='URL' LIMIT 1",
- array($url), __FUNCTION__, __LINE__);
-
- // Is there an entry?
- if (SQL_NUMROWS($result) == 1) {
- // Jupp, we got one listed
- $GLOBALS['blacklist_data']['url'][$url] = SQL_FETCHARRAY($result);
-
- // Mark it as listed
- $listed = TRUE;
- } // END - if
-
- // Free result
- SQL_FREERESULT($result);
- } else {
- // Is found in cache -> black-listed
- $listed = TRUE;
- }
-
- // Return result
- return $listed;
+ // Call inner function
+ return isGenericBlacklisted('url', $email);
 }
 // ----------------------------------------------------------------------------
 // Configuration wrapper functions
 // ----------------------------------------------------------------------------
+// Generic wrapper
+function isGenericBlacklistEnabled ($type) {
+ // Is there cache?
+ if (!isset($GLOBALS[__FUNCTION__])) {
+ // Determine it
+ $GLOBALS[__FUNCTION__] = (getConfig($type . '_blacklist') == 'Y');
+ } // END - if
+
+ // Return cache
+ return $GLOBALS[__FUNCTION__];
+}
+
 // Wrapper to check if url_blacklist is enabled
 function isUrlBlacklistEnabled () {
 // Is there cache?
diff --git a/inc/libs/register_functions.php b/inc/libs/register_functions.php
index 9818c73124..2c9c46a57a 100644
--- a/inc/libs/register_functions.php
+++ b/inc/libs/register_functions.php
@@ -291,7 +291,8 @@ function doUserRegistration () {
 // Init filter data
 $filterData = array(
 // Initialization not done by default
- 'init_done' => FALSE
+ 'init_done' => FALSE,
+ 'post_data' => postRequestArray(),
 );
 // Init extra SQL data
@@ -406,9 +407,9 @@ function doUserRegistration () {
 addPointsThroughReferralSystem(
 // Subject
 'register_welcome',
- // New user's id
+ // User's id number
 $filterData['register_insert_id'],
- // Points
+ // Points to add
 getPointsRegister(),
 // Referral id (or NULL if none set)
 convertZeroToNull(postRequestElement('refid'))
@@ -416,18 +417,20 @@ function doUserRegistration () {
 // Write catgories
 if (ifPostContainsSelections('cat')) {
+ // Init SQL
+ $sql = 'INSERT INTO `{?_MYSQL_PREFIX?}_user_cats` (`userid`, `cat_id`) VALUES';
+
 // Write all entries
 foreach (postRequestElement('cat') as $categoryId => $joined) {
 // "Join" this group?
 if ($joined == 'Y') {
 // Insert category entry
- SQL_QUERY_ESC("INSERT INTO `{?_MYSQL_PREFIX?}_user_cats` (`userid`, `cat_id`) VALUES (%s, %s)",
- array(
- $filterData['register_insert_id'],
- bigintval($categoryId)
- ), __FUNCTION__, __LINE__);
+ $sql .= ' (' . $filterData['register_insert_id'] . ', ' . bigintval($categoryId) . '),';
 } // END - if
 } // END - foreach
+
+ // Run SQL without last commata
+ SQL_QUERY(substr($sql, 0, -1), __FUNCTION__, __LINE__);
 } // END - if
 // Registration phase is done here, so for tester accounts we end here
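Review bot: `isUrlBlacklisted($url)` now returns `isGenericBlacklisted('url', $email)`, but `$email` is not a parameter of that function, so every URL lookup runs against an undefined (empty) value and the URL blacklist is silently neutralised — a real regression, since the removed body did query by `$url`; it must read `return isGenericBlacklisted('url', $url);`. In the same hunk `insertGenericInBlacklist` guards the insert with `!isUrlBlacklisted($data)` regardless of `$type`, so email entries are deduplicated against the URL list; `!isGenericBlacklisted($type, $data)` is what the surrounding code intends. Finally, `isGenericBlacklistEnabled` caches into `$GLOBALS[__FUNCTION__]` without the type, so whichever of `email_blacklist`/`url_blacklist` is queried first decides for both for the rest of the request; key the cache as `$GLOBALS[__FUNCTION__][$type]` in the `isset`, the assignment and the `return`. `isUrlBlacklistEnabled` begins in this hunk and ends outside it.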
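Review bot: The batched insert appends a row only when `$joined == 'Y'`, so if `ifPostContainsSelections('cat')` can be satisfied by a submission whose entries are all non-`'Y'`, `$sql` still ends in `VALUES`, `substr($sql, 0, -1)` chops it to `VALUE`, and a statement with no row tuple is sent to the database — where the removed per-row `SQL_QUERY_ESC` simply ran zero queries; guard the call, e.g. `if (substr($sql, -1) == ',') SQL_QUERY(substr($sql, 0, -1), __FUNCTION__, __LINE__);`, unless that helper already requires a `'Y'` value (not visible here). The values are now concatenated into the statement rather than passed through `SQL_QUERY_ESC`: `bigintval($categoryId)` covers the POST-supplied key, but `$filterData['register_insert_id']` goes in raw, so this stays safe only as long as that filter value is an integer — wrapping it in `bigintval()` too would make the assumption explicit. `doUserRegistration` begins and ends outside the hunk.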
@@ -444,7 +447,6 @@ function doUserRegistration () {
 // Is ZIP code set?
 if (isPostRequestElementSet('zip')) {
 // Prepare data array for the email template
- // Start with the gender...
 $content = array(
 'hash' => $GLOBALS['register_confirm_hash'],
 'userid' => $filterData['register_insert_id'],
diff --git a/inc/modules/member/what-mydata.php b/inc/modules/member/what-mydata.php
index 0b5fe7d183..cd8b867b06 100644
--- a/inc/modules/member/what-mydata.php
+++ b/inc/modules/member/what-mydata.php
@@ -237,13 +237,27 @@ LIMIT 1',
 // Did the user changed the password?
 if ($hash != $content['password']) {
+ // Yes
 $AND = ",`password`='" . $hash . "'";
 $mode = 'password';
 } // END - if
- // Or did he changed his password?
+ // Or did he changed his email address?
 if (postRequestElement('email') != $content['email']) {
- // Jupp
+ // Yes, but is it maybe blacklisted?
+ $filterData = array(
+ 'init_done' => TRUE
+ 'post_data' => postRequestArray()
+ );
+ $filterData = runFilterChain('pre_update_user_data', $filterData);
+
+ // Is it blacklisted?
+ if ($filterData['init_done'] === FALSE) {
+ // Blacklisted email address found
+ displayMessage('{--MEMBER_EMAIL_BLACKLISTED--}');
+ return;
+ } // END - if
+
 if ($mode == 'normal') {
 $mode = 'email';
 } else {
-- 
2.39.5
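Review bot: The `$filterData` literal is missing the comma after `'init_done' => TRUE`, so `'init_done' => TRUE 'post_data' => postRequestArray()` is a parse error that takes the whole member-data page down, not just the email branch; it must be `'init_done' => TRUE,`. Beyond syntax, the blacklist verdict is read back as the filter having flipped `init_done` to `FALSE` — a flag whose name says nothing about blacklisting and which the registration path in register_functions.php initialises to `FALSE` from the start, so the convention the `CHECK_EMAIL_BLACKLISTED` filter (not shown in this patch) uses has to survive both callers; a dedicated key such as `'abort' => FALSE` checked with `=== TRUE` would be unambiguous for both. The early `return` after `displayMessage` also discards whatever else the member submitted in the same form; if that is intended, say so in a comment on the `return`. The surrounding function body begins and ends outside the hunk.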