forked from brettp/elgg-registration-randomizer
-
Notifications
You must be signed in to change notification settings - Fork 0
/
start.php
208 lines (177 loc) · 5.45 KB
/
start.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
<?php
/**
* Rotates the address for the registration form
*/
elgg_register_event_handler('init', 'system', 'registration_randomizer_init');
/**
* Init
*/
function registration_randomizer_init() {
// Override registration page
elgg_unregister_page_handler('register');
// serve registration pages
elgg_register_page_handler('register', 'registration_randomizer_page_handler');
// check referrers
elgg_register_plugin_hook_handler('action', 'register', 'registration_randomizer_referrer_check');
// replace view vars
elgg_register_plugin_hook_handler('view', 'output/url', 'registration_randomizer_output_url');
elgg_set_config('rr_debug', false);
}
/**
* Serves registration URLs as created by the output/registration_url view
*
* /register/:ts/:token Where :token is the token and :ts is the current timestamp.
*
* @param array $page
*/
function registration_randomizer_page_handler($page) {
// tarpit if the wrong token + ts combo
$ts = elgg_extract(0, $page);
$token = elgg_extract(1, $page);
if (!registration_randomizer_is_valid_token($token, $ts)) {
registration_randomizer_log("Invalid token for registration page");
registration_randomizer_tarpit();
forward('/', 404);
} else {
include elgg_get_config('path') . 'pages/account/register.php';
return true;
}
registration_randomizer_log("No token for registration page");
registration_randomizer_tarpit();
forward('/', 404);
}
/**
* Sleep for a while to slow things down.
*
* @param int $multiplier A time multipler to tarpit repeat offending IPs
*/
function registration_randomizer_tarpit($wait = 5) {
$ip = filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP);
$setting_name = "{$ip}_tarpit_count";
$count = (int) elgg_get_plugin_setting($setting_name, 'registration_randomizer');
if ($count > 4) {
$wait = pow(4, 4);
} else {
$wait = pow($count, 4);
}
// now limit it to something reasonable, like 90% of max execution time
$max_execution_time = ini_get('max_execution_time');
if ($max_execution_time === false) {
$max_execution_time = 30;
}
$max_execution_time = floor(0.9 * $max_execution_time);
if ($max_execution_time && $wait > $max_execution_time) {
$wait = $max_execution_time;
}
elgg_set_plugin_setting($setting_name, $count + 1, 'registration_randomizer');
registration_randomizer_log("Tarpitting $ip for $wait seconds after $count failures.", false);
if ($wait > 0) {
// close mysql connections for the time of a sleep
mysql_close(_elgg_services()->db->getLink('read'));
mysql_close(_elgg_services()->db->getLink('write'));
sleep($wait);
//restore connections
_elgg_services()->db->setupConnections();
}
}
/**
* Hashes the site secret, UA, and a ts.
*
* @return mixed A token if time or req is passed, and array of info if not
*/
function registration_randomizer_generate_token($passed_time = null, $passed_req = null) {
if ($passed_time === null) {
$ts = time();
} else {
$ts = $passed_time;
}
if ($passed_req === null) {
$req = $_SERVER;
} else {
$req = $passed_req;
}
$str = get_site_secret();
$str .= filter_input(INPUT_SERVER, 'HTTP_USER_AGENT');
$str .= filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP);
$str .= $ts;
$token = md5($str);
if ($passed_time === null && $passed_req === null) {
return array(
'ts' => $ts,
'token' => $token,
'req' => $req
);
} else {
return $token;
}
}
/**
* Checks if the token and ts are valid
*
* @param type $token
* @param type $time
* @param type $req
* @return bool
*/
function registration_randomizer_is_valid_token($token, $time, $req = null) {
return $token === registration_randomizer_generate_token($time, $req);
}
/**
* Check the referrer to see if its token and timestamp match
*
* @param type $hook
* @param type $action
* @param type $return
* @return null
*/
function registration_randomizer_referrer_check($hook, $action, $return) {
$ref = filter_input(INPUT_SERVER, 'HTTP_REFERER');
$url = elgg_get_site_url();
list($register, $ts, $token) = explode('/', str_replace($url, '', $ref));
if ($register !== 'register') {
return $return;
}
if (!registration_randomizer_is_valid_token($token, $ts)) {
registration_randomizer_log("Invalid referrer for registration action");
register_error("Cannot complete registration at this time.");
registration_randomizer_tarpit();
forward('/', 403);
}
return $return;
}
/**
* Log to file
*
* @param type $msg
* @return type
*/
function registration_randomizer_log($msg, $all = true) {
if (elgg_get_config('rr_debug') !== true) {
return;
}
if (!$all) {
file_put_contents(elgg_get_data_path() . 'rr_log.log', $msg . "\n", FILE_APPEND);
return;
}
$data = $_REQUEST;
$data['referrer'] = filter_input(INPUT_SERVER, 'HTTP_REFERER');
$data['remote_ip'] = filter_input(INPUT_SERVER, 'REMOTE_ADDR');
$data['remote_ua'] = filter_input(INPUT_SERVER, 'HTTP_USER_AGENT');
$data['time'] = date("r");
$data['error'] = $msg;
file_put_contents(elgg_get_data_path() . 'rr_log.log', print_r($data, true), FILE_APPEND);
}
function registration_randomizer_output_url($hook, $type, $return, $params) {
$vars = $params['vars'];
$url = elgg_extract('href', $vars, null);
if (!$url and isset($vars['value'])) {
$url = trim($vars['value']);
unset($vars['value']);
}
// check if /register URL and rewrite
if (!$vars['registration_randomizer'] && parse_url($url, PHP_URL_PATH) == '/register') {
$vars['registration_randomizer'] = true;
return elgg_view('output/registration_url', $vars);
}
return $return;
}