Secure the contact_form from spammers #8168

merged 1 commit into from Aug 29, 2017
10 changes: 9 additions & 1 deletion controllers/front/ContactController.php
Expand Up @@ -36,9 +36,11 @@ class ContactControllerCore extends FrontController
public function postProcess()
{
if (Tools::isSubmit('submitMessage')) {
$saveContactKey = $this->context->cookie->contactFormKey;
$extension = array('.txt', '.rtf', '.doc', '.docx', '.pdf', '.zip', '.png', '.jpeg', '.gif', '.jpg');
$file_attachment = Tools::fileAttachment('fileUpload');
$message = Tools::getValue('message'); // Html entities is not usefull, iscleanHtml check there is no bad html tags.
$url = Tools::getValue('url');
if (!($from = trim(Tools::getValue('from'))) || !Validate::isEmail($from)) {
$this->errors[] = Tools::displayError('Invalid email address.');
} elseif (!$message) {
Expand All @@ -51,6 +53,8 @@ public function postProcess()
$this->errors[] = Tools::displayError('An error occurred during the file-upload process.');
} elseif (!empty($file_attachment['name']) && !in_array(Tools::strtolower(substr($file_attachment['name'], -4)), $extension) && !in_array(Tools::strtolower(substr($file_attachment['name'], -5)), $extension)) {
$this->errors[] = Tools::displayError('Bad file extension');
} elseif ($url === false || !empty($url) || $saveContactKey != (Tools::getValue('contactKey'))) {
$this->errors[] = Tools::displayError('An error occurred while sending the message.');
} else {
$customer = $this->context->customer;
if (!$customer->id) {
Expand Down Expand Up @@ -247,9 +251,13 @@ public function initContent()
$this->context->smarty->assign('customerThread', $customer_thread);
}

$contactKey = md5(uniqid(microtime(), true));
$this->context->cookie->__set('contactFormKey', $contactKey);

$this->context->smarty->assign(array(
'contacts' => Contact::getContacts($this->context->language->id),
'message' => html_entity_decode(Tools::getValue('message'))
'message' => html_entity_decode(Tools::getValue('message')),
'contactKey' => $contactKey,
));

$this->setTemplate(_PS_THEME_DIR_.'contact-form.tpl');
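Review bot: The key check added in the second hunk, `$saveContactKey != (Tools::getValue('contactKey'))`, is bypassed by a request that carries neither the cookie nor the `contactKey` field, provided (as I would expect but cannot confirm from these hunks) that both the cookie accessor and `Tools::getValue` yield `false` for a missing value: `false != false` is false, so the submission falls through to the send path. Loose `!=` also treats two hex strings that are each `0e` followed only by digits as equal. Suggest `} elseif ($url === false || !empty($url) || empty($saveContactKey) || $saveContactKey !== (string) Tools::getValue('contactKey')) {` (or `hash_equals()` where PHP 5.6 is guaranteed). Separately, the key written in initContent by `$this->context->cookie->__set('contactFormKey', $contactKey);` is never cleared after a successful send, so one rendered form yields a cookie/key pair that is accepted for any number of later posts; unsetting it once the message is dispatched would bound that. Both postProcess and initContent extend beyond the hunks shown.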
2 changes: 2 additions & 0 deletions themes/default-bootstrap/contact-form.tpl
Expand Up @@ -146,6 +146,8 @@
</div>
</div>
<div class="submit">
<input type="text" name="url" value="" class="hidden" />
<input type="hidden" name="contactKey" value="{$contactKey}" />
<button type="submit" name="submitMessage" id="submitMessage" class="button btn btn-default button-medium"><span>{l s='Send'}<i class="icon-chevron-right right"></i></span></button>
</div>
</fieldset>
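Review bot: The honeypot `<input type="text" name="url" value="" class="hidden" />` is hidden only by CSS, so browser autofill can populate a text field named `url`, after which the controller rejects a genuine user with the generic `An error occurred while sending the message.` message. Adding `autocomplete="off" tabindex="-1" aria-hidden="true"` keeps it out of autofill, keyboard focus and screen readers: `<input type="text" name="url" value="" class="hidden" autocomplete="off" tabindex="-1" aria-hidden="true" />`. The `{$contactKey}` value is echoed unescaped; it is a controller-generated hex digest today, but `{$contactKey|escape:'html':'UTF-8'}` would keep the template safe if its source ever changes. The enclosing form starts before this hunk.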