Changed COM_checkSpeedLimit to take into account the number of previo…

…us speeding (feature #1030)

public_html/admin/auth.inc.php

@@ -41,6 +41,9 @@
 // MAIN
 COM_clearSpeedlimit($_CONF['login_speedlimit'], 'login');
 if (COM_checkSpeedlimit('login', $_CONF['login_attempts']) > 0) {
+    COM_clearSpeedlimit(SPEED_LIMIT_WINDOW_ERROR_403, 'error-403');
+    COM_checkSpeedlimit('error-403', SPEED_LIMIT_MAX_ERROR_403);
+
     COM_displayMessageAndAbort(82, '', 403, 'Access denied');
 }
 

public_html/lib-common.php

@@ -6398,16 +6398,19 @@ function COM_makeList($listOfItems, $className = '')
 /**
  * Check if speed limit applies
  *
- * @param    string $type     type of speed limit, e.g. 'submit', 'comment'
- * @param    int    $max      max number of allowed tries within speed limit
- * @param    string $property IP address or other identifiable property
- * @return   int              0: does not apply, else: seconds since last post
+ * @param    string $type        type of speed limit, e.g. 'submit', 'comment'
+ * @param    int    $max         max number of allowed tries within speed limit
+ * @param    string $property    IP address or other identifiable property
+ * @param    bool   $isSpeeding  this variable is set to true if the number of speeding exceeds $max
+ * @return   int                 0: does not apply, else: seconds since last post
+ * @note     $isSpeeding was introduced since Geeklog 2.2.2
  */
-function COM_checkSpeedlimit($type = 'submit', $max = 1, $property = '')
+function COM_checkSpeedlimit($type = 'submit', $max = 1, $property = '', &$isSpeeding = false)
 {
     global $_TABLES;
 
     $last = 0;
+    $isSpeeding = false;
 
     // Allow some admins to bypass speed check
     if (SEC_inGroup('Root')) {
@@ -6447,6 +6450,12 @@ function COM_checkSpeedlimit($type = 'submit', $max = 1, $property = '')
         }
     }
 
+    // Since Geeklog 2.2.2
+    // Set the $isSpeeding variable and call PLG_onSpeeding() to let the plugins and custom function (CUSTOM_onSpeeding)
+    // know that the user is speeding
+    $isSpeeding = true;
+    PLG_onSpeeding($type, $property, $last);
+
     return $last;
 }
 
@@ -8295,6 +8304,9 @@ function COM_handle404($alternate_url = '')
 {
     global $_CONF, $_USER, $LANG_404;
 
+    COM_clearSpeedlimit(SPEED_LIMIT_WINDOW_ERROR_404, 'error-404');
+    COM_checkSpeedlimit('error-404', SPEED_LIMIT_MAX_ERROR_404);
+
     if (function_exists('CUSTOM_handle404')) {
         CUSTOM_handle404($alternate_url);
         exit;

public_html/likes.php

@@ -180,7 +180,7 @@
     }
 
     COM_clearSpeedlimit($_CONF['likes_speedlimit'],'likes');
-    $last = COM_checkSpeedlimit('likes');
+    $last = COM_checkSpeedlimit('likes', SPEED_LIMIT_MAX_LIKES);
     if ( $last > 0 ) {
         $speedlimiterror = 1;
         $status = 2;

public_html/pingback.php

@@ -84,7 +84,7 @@ function PNB_handlePingback($id, $type, $url, $oururl)
 
     COM_clearSpeedlimit($_CONF['commentspeedlimit'], 'pingback');
     if (!$skip_speedlimit) {
-        $last = COM_checkSpeedlimit('pingback');
+        $last = COM_checkSpeedlimit('pingback', SPEED_LIMIT_MAX_PINGBACK);
         if ($last > 0) {
             return new XML_RPC_Response(0, 49,
                 sprintf($PNB_ERROR['speedlimit'], $last,

public_html/profiles.php

@@ -73,7 +73,7 @@ function contactemail($uid, $cc, $author, $authorEmail, $subject, $message)
 
     // check mail speedlimit
     COM_clearSpeedlimit($_CONF['speedlimit'], 'mail');
-    $last = COM_checkSpeedlimit('mail');
+    $last = COM_checkSpeedlimit('mail', SPEED_LIMIT_MAX_MAIL);
     if ($last > 0) {
         $retval = COM_showMessageText($LANG08[39] . $last . $LANG08[40], $LANG12[26]);
         $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG04[81]));
@@ -363,7 +363,7 @@ function mailstory($sid, $to, $toEmail, $from, $fromEmail, $shortMessage)
 
     // check mail speedlimit
     COM_clearSpeedlimit($_CONF['speedlimit'], 'mail');
-    $speedLimit = COM_checkSpeedlimit('mail');
+    $speedLimit = COM_checkSpeedlimit('mail', SPEED_LIMIT_MAX_MAIL);
     if ($speedLimit > 0) {
         $redirect .= '&speedlimit=' . $speedLimit;
         COM_redirect($redirect);

public_html/submit.php

@@ -59,7 +59,7 @@ function submissionform($type = 'story', $mode = '')
     $retval = '';
 
     COM_clearSpeedlimit($_CONF['speedlimit'], 'submit');
-    $last = COM_checkSpeedlimit('submit');
+    $last = COM_checkSpeedlimit('submit', SPEED_LIMIT_MAX_SUBMIT);
 
     if ($last > 0) {
         $retval .= COM_showMessageText($LANG12[30] . $last . $LANG12[31], $LANG12[26]);
@@ -384,7 +384,7 @@ function savesubmission($type, $A)
     global $_CONF, $LANG12;
 
     COM_clearSpeedlimit($_CONF['speedlimit'], 'submit');
-    $last = COM_checkSpeedlimit('submit');
+    $last = COM_checkSpeedlimit('submit', SPEED_LIMIT_MAX_SUBMIT);
 
     if ($last > 0) {
         $retval = COM_showMessageText($LANG12[30] . $last . $LANG12[31], $LANG12[26]);

public_html/users.php

@@ -944,7 +944,7 @@ function USER_tryTwoFactorAuth()
             $_CONF['passwordspeedlimit'] = 300; // 5 minutes
         }
         COM_clearSpeedlimit($_CONF['passwordspeedlimit'], 'password');
-        $last = COM_checkSpeedlimit('password');
+        $last = COM_checkSpeedlimit('password', SPEED_LIMIT_MAX_PASSWORD);
         if ($last > 0) {
             $display .= COM_showMessageText(
                 sprintf($LANG04[93], $last, $_CONF['passwordspeedlimit']),
@@ -1085,7 +1085,7 @@ function USER_tryTwoFactorAuth()
             $_CONF['passwordspeedlimit'] = 300; // 5 minutes
         }
         COM_clearSpeedlimit($_CONF['passwordspeedlimit'], 'password');
-        $last = COM_checkSpeedlimit('password');
+        $last = COM_checkSpeedlimit('password', SPEED_LIMIT_MAX_PASSWORD);
         if ($last > 0) {
             $display .= COM_showMessageText(
                 sprintf($LANG04[93], $last, $_CONF['passwordspeedlimit']),

system/lib-comment.php

@@ -1005,7 +1005,7 @@ function CMT_commentForm($title, $comment, $sid, $pid, $type, $mode, $postMode,
             && $mode != $LANG03[28] && $mode != $LANG03[34]
         ) {
             // not edit mode or preview changes
-            $last = COM_checkSpeedlimit('comment');
+            $last = COM_checkSpeedlimit('comment', SPEED_LIMIT_MAX_COMMENT);
         }
 
         if ($last > 0) {
@@ -1430,7 +1430,7 @@ function CMT_saveComment($title, $comment, $sid, $pid, $type, $postmode)
 
     // Check for people breaking the speed limit
     COM_clearSpeedlimit($_CONF['commentspeedlimit'], 'comment');
-    $last = COM_checkSpeedlimit('comment');
+    $last = COM_checkSpeedlimit('comment', SPEED_LIMIT_MAX_COMMENT);
     if ($last > 0) {
         if ($_COMMENT_DEBUG) {
             COM_errorLog("CMT_saveComment: $uid from " . \Geeklog\IP::getIPAddress() . " tried to submit a comment before the speed limit expired.");
@@ -1945,7 +1945,7 @@ function CMT_reportAbusiveComment($cid)
     $retval = '';
 
     COM_clearSpeedlimit($_CONF['speedlimit'], 'mail');
-    $last = COM_checkSpeedlimit('mail');
+    $last = COM_checkSpeedlimit('mail', SPEED_LIMIT_MAX_MAIL);
     if ($last > 0) {
         $retval .= COM_showMessageText($LANG12[30] . $last . $LANG12[31], $LANG12[26]);
 
@@ -1999,7 +1999,7 @@ function CMT_sendReport($cid)
     global $_CONF, $_TABLES, $_USER, $LANG03, $LANG08, $LANG09, $LANG12, $MESSAGE;
 
     COM_clearSpeedlimit($_CONF['speedlimit'], 'mail');
-    $last = COM_checkSpeedlimit('mail');
+    $last = COM_checkSpeedlimit('mail', SPEED_LIMIT_MAX_MAIL);
     if ($last > 0) {
         $content = COM_showMessageText($LANG08[39] . $last . $LANG08[40], $LANG12[26]);
         $display = COM_createHTMLDocument($content);

system/lib-plugins.php

@@ -8,7 +8,7 @@
 // |                                                                           |
 // | This file implements plugin support in Geeklog.                           |
 // +---------------------------------------------------------------------------+
-// | Copyright (C) 2000-2019 by the following authors:                         |
+// | Copyright (C) 2000-2022 by the following authors:                         |
 // |                                                                           |
 // | Authors: Tony Bibbs       - tony AT tonybibbs DOT com                     |
 // |          Blaine Lang      - blaine AT portalparts DOT com                 |
@@ -74,6 +74,23 @@
 define('RECAPTCHA_SUPPORT_V3', 4);
 define('RECAPTCHA_DEFAULT_SCORE_THRESHOLD', 0.5);
 
+// Constants for the max number of allowed tries within speed limit (since Geeklog 2.2.2)
+const SPEED_LIMIT_MAX_COMMENT = 1;
+const SPEED_LIMIT_MAX_ERROR_403 = 1;    // Illegal access to admin screen
+const SPEED_LIMIT_MAX_ERROR_404 = 5;
+const SPEED_LIMIT_MAX_ERROR_SPAM = 1;
+const SPEED_LIMIT_MAX_LIKES = 1;
+const SPEED_LIMIT_MAX_MAIL = 1;
+const SPEED_LIMIT_MAX_PASSWORD = 1;
+const SPEED_LIMIT_MAX_PINGBACK = 1;
+const SPEED_LIMIT_MAX_SUBMIT = 1;
+const SPEED_LIMIT_MAX_TRACKBACK = 1;
+
+// Constants for the window used in COM_clearSpeedlimit
+const SPEED_LIMIT_WINDOW_ERROR_403 = 60;
+const SPEED_LIMIT_WINDOW_ERROR_404 = 60;
+const SPEED_LIMIT_WINDOW_ERROR_SPAM = 60;
+
 // buffer for function names for the center block API
 $PLG_bufferCenterAPI = [];
 $PLG_buffered = false;
@@ -2425,9 +2442,10 @@ function PLG_checkForSpam($comment, $action = -1, $permanentLink = null,
             );
 
             if ($result > PLG_SPAM_NOT_FOUND) { // Plugin found a match for spam
-                $result = PLG_spamAction($comment, $action);
+                COM_clearSpeedlimit(SPEED_LIMIT_WINDOW_ERROR_SPAM);
+                COM_checkSpeedlimit('error-spam', SPEED_LIMIT_MAX_ERROR_SPAM);
 
-                return $result;
+                return PLG_spamAction($comment, $action);
             }
         }
     }
@@ -2437,9 +2455,10 @@ function PLG_checkForSpam($comment, $action = -1, $permanentLink = null,
         $result = $function($comment, $action);
 
         if ($result > PLG_SPAM_NOT_FOUND) { // Plugin found a match for spam
-            $result = PLG_spamAction($comment, $action);
+            COM_clearSpeedlimit(SPEED_LIMIT_WINDOW_ERROR_SPAM);
+            COM_checkSpeedlimit('error-spam', SPEED_LIMIT_MAX_ERROR_SPAM);
 
-            return $result;
+            return PLG_spamAction($comment, $action);
         }
     }
 
@@ -4209,3 +4228,33 @@ function PLG_idToURL($type, $sub_type, $item_id)
 
     return PLG_callFunctionForOnePlugin($function, $args);
 }
+
+/**
+ * Gives plugins a chance to handle the user's speeding
+ *
+ * @param  string  $type      speeding type e.g.  'login', 'submit', 'error-404', 'error-spam'
+ * @param  string  $property  in most cases, the real IP address (not anonymized) of the user
+ * @param  int     $last      seconds since last speeding.  -1 means  previous speeding for the type is unknown
+ * @return void
+ * @since  Geeklog 2.2.2
+ */
+function PLG_onSpeeding($type, $property = '', $last = -1)
+{
+    global $_PLUGINS;
+
+    if (empty($property)) {
+        $property = \Geeklog\IP::getIPAddress();
+    }
+
+    foreach ($_PLUGINS as $pi_name) {
+        $function = 'plugin_onSpeeding' . $pi_name;
+        if (function_exists($function)) {
+            $function($type, $property, $last);
+        }
+    }
+
+    $function = 'CUSTOM_onSpeeding';
+    if (function_exists($function)) {
+        $function($type, $property, $last);
+    }
+}

system/lib-trackback.php

@@ -553,7 +553,7 @@ function TRB_handleTrackbackPing($sid, $type = 'article')
         $speedlimit = $_CONF['commentspeedlimit'];
     }
     COM_clearSpeedlimit($speedlimit, 'trackback');
-    $last = COM_checkSpeedlimit('trackback');
+    $last = COM_checkSpeedlimit('trackback', SPEED_LIMIT_MAX_TRACKBACK);
     if ($last > 0) {
         TRB_sendTrackbackResponse(1, sprintf($TRB_ERROR['speedlimit'],
             $last, $speedlimit), 403, 'Forbidden');