Bad Behavior - Version 2.2.2


Code changes from version 2.2.1 to 2.2.2

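--- a/README.txt
+++ b/README.txt
@@ -4,7 +4,7 @@ Contributors: error, markjaquith, skeltoac
 Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=error%40ioerror%2eus&item_name=Bad%20Behavior%20%28From%20WordPress%20Page%29&no_shipping=1&cn=Comments%20about%20Bad%20Behavior&tax=0&currency_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8
 Requires at least: 2.7
 Tested up to: 3.3.1
-Stable tag: 2.2.1
+Stable tag: 2.2.2
 
 Bad Behavior prevents spammers from ever delivering their junk, and in many
 cases, from ever reading your site in the first place.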
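--- a/bad-behavior-generic.php
+++ b/bad-behavior-generic.php
@@ -1,7 +1,7 @@
 <?php
 /*
 Bad Behavior - detects and blocks unwanted Web accesses
-Copyright (C) 2005,2006,2007,2008,2009,2010,2011 Michael Hampton
+Copyright (C) 2005,2006,2007,2008,2009,2010,2011,2012 Michael Hampton
 
 Bad Behavior is free software; you can redistribute it and/or modify it under
 the terms of the GNU Lesser General Public License as published by the Free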
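--- a/bad-behavior-mediawiki.php
+++ b/bad-behavior-mediawiki.php
@@ -1,7 +1,7 @@
 <?php
 /*
 Bad Behavior - detects and blocks unwanted Web accesses
-Copyright (C) 2005,2006,2007,2008,2009,2010,2011 Michael Hampton
+Copyright (C) 2005,2006,2007,2008,2009,2010,2011,2012 Michael Hampton
 
 Bad Behavior is free software; you can redistribute it and/or modify it under
 the terms of the GNU Lesser General Public License as published by the Free
@@ -26,7 +26,7 @@ http://www.bad-behavior.ioerror.us/
 
 if (!defined('MEDIAWIKI')) die();
 
-$wgBadBehaviorTimer = true;
+$wgBadBehaviorTimer = false;
 
 // Settings you can adjust for Bad Behavior.
 // DO NOT EDIT HERE; instead make changes in settings.ini.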
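--- a/bad-behavior-wordpress-admin.php
+++ b/bad-behavior-wordpress-admin.php
@@ -100,12 +100,10 @@ function bb2_donate_button($thispage) {
 <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
 <p>Bad Behavior is an important tool in the fight against web spam. Show your support by donating<br/>
 <select name="amount">
-<option value="1.99">$1.99 USD</option>
 <option value="2.99">$2.99 USD</option>
-<option value="3.99">$3.99 USD</option>
 <option value="4.99">$4.99 USD</option>
-<option value="6.99">$6.99 USD</option>
 <option value="9.99">$9.99 USD</option>
+<option value="19.99">$19.99 USD</option>
 <option value="">Other...</option>
 </select><br/>
 <input type="hidden" name="cmd" value="_donations">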
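--- a/bad-behavior-wordpress.php
+++ b/bad-behavior-wordpress.php
@@ -1,15 +1,15 @@
 <?php
 /*
 Plugin Name: Bad Behavior
-Version: 2.2.1
+Version: 2.2.2
 Description: Deny automated spambots access to your PHP-based Web site.
-Plugin URI: http://www.bad-behavior.ioerror.us/
+Plugin URI: http://bad-behavior.ioerror.us/
 Author: Michael Hampton
-Author URI: http://www.bad-behavior.ioerror.us/
+Author URI: http://bad-behavior.ioerror.us/
 License: LGPLv3
 
 Bad Behavior - detects and blocks unwanted Web accesses
-Copyright (C) 2005,2006,2007,2008,2009,2010,2011 Michael Hampton
+Copyright (C) 2005,2006,2007,2008,2009,2010,2011,2012 Michael Hampton
 
 Bad Behavior is free software; you can redistribute it and/or modify it under
 the terms of the GNU Lesser General Public License as published by the Free
@@ -147,7 +147,6 @@ function bb2_capture_spam($id, $comment) {
 if (array_key_exists("request_entity", $bb2_package) && array_key_exists("author", $bb2_package['request_entity']) && $bb2_package['request_entity']['author'] == $comment->comment_author) {
 bb2_db_query(bb2_insert(bb2_read_settings(), $bb2_package, "00000000"));
 }
-trigger_error("Bad Behavior spam capture", E_USER_WARNING);
 }
 
 // Display stats?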
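Review bot: With `trigger_error` removed, the only behaviour left in this hunk of bb2_capture_spam is the guarded `bb2_db_query` call, and its guard on line 147 compares the captured author with the comment author loosely (`$bb2_package['request_entity']['author'] == $comment->comment_author`); in PHP a loose comparison of two numeric-looking strings is numeric, so author values such as `"1e3"` and `"1000"` compare equal and a capture could be recorded against a comment it does not belong to. Both operands appear to be strings as far as the hunk shows, so a strict check is the safer form: `$bb2_package['request_entity']['author'] === $comment->comment_author`. The commit does not touch that line, and bb2_capture_spam's signature and the lines before 147 are outside the hunk.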
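--- a/bad-behavior/core.inc.php
+++ b/bad-behavior/core.inc.php
@@ -1,5 +1,5 @@
 <?php if (!defined('BB2_CWD')) die("I said no cheating!");
-define('BB2_VERSION', "2.2.1");
+define('BB2_VERSION', "2.2.2");
 
 // Bad Behavior entry point is bb2_start()
 // If you're reading this, you are probably lost.
@@ -40,20 +40,32 @@ function bb2_approved($settings, $package)
 }
 }
 
-// If this is reverse-proxied or load balanced, obtain the actual client IP
+# If this is reverse-proxied or load balanced, obtain the actual client IP
 function bb2_reverse_proxy($settings, $headers_mixed)
 {
-$addrs = @array_reverse(preg_split("/[\s,]+/", $headers_mixed[$settings['reverse_proxy_header']]));
-if (empty($addrs)) {
-return $_SERVER['REMOTE_ADDR'];
-} else if (!empty($settings['reverse_proxy_addresses'])) {
+# Detect if option is on when it should be off
+$header = uc_all($settings['reverse_proxy_header']);
+if (!array_key_exists($header, $headers_mixed)) {
+return false;
+}
+
+$addrs = @array_reverse(preg_split("/[\s,]+/", $headers_mixed[$header]));
+# Skip our known reverse proxies and private addresses
+if (!empty($settings['reverse_proxy_addresses'])) {
 foreach ($addrs as $addr) {
-if (!match_cidr($addr, $settings['reverse_proxy_addresses'])) {
+if (!match_cidr($addr, $settings['reverse_proxy_addresses']) && !is_rfc1918($addr)) {
+return $addr;
+}
+}
+} else {
+foreach ($addrs as $addr) {
+if (!is_rfc1918($addr)) {
 return $addr;
 }
 }
 }
-return $addrs[0];
+# If we got here, someone is playing a trick on us.
+return false;
 }
 
 // Let God sort 'em out!
@@ -82,10 +94,9 @@ function bb2_start($settings)
 $request_uri = $_SERVER["REQUEST_URI"];
 if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME']; # IIS
 
-if ($settings['reverse_proxy']) {
+if ($settings['reverse_proxy'] && $ip = bb2_reverse_proxy($settings, $headers_mixed)) {
 $headers['X-Bad-Behavior-Remote-Address'] = $_SERVER['REMOTE_ADDR'];
 $headers_mixed['X-Bad-Behavior-Remote-Address'] = $_SERVER['REMOTE_ADDR'];
-$ip = bb2_reverse_proxy($settings, $headers_mixed);
 } else {
 $ip = $_SERVER['REMOTE_ADDR'];
 }
@@ -102,16 +113,12 @@ function bb2_screen($settings, $package)
 // Please proceed to the security checkpoint, have your identification
 // and boarding pass ready, and prepare to be nakedized or fondled.
 
-// Check for CloudFlare CDN since IP to be screened may be different
+// CloudFlare-specific checks not handled by reverse proxy code
 // Thanks to butchs at Simple Machines
 if (array_key_exists('Cf-Connecting-Ip', $package['headers_mixed'])) {
 require_once(BB2_CORE . "/cloudflare.inc.php");
 $r = bb2_cloudflare($package);
 if ($r !== false && $r != $package['ip']) return $r;
-# FIXME: For Cloudflare we are bypassing all checks for now
-# See cloudflare.inc.php for more detail
-bb2_approved($settings, $package);
-return false;
 }
 
 // First check the whitelist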
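Review bot: The `else` branch of bb2_reverse_proxy (new lines 60–66) returns the rightmost non-RFC1918 hop from the proxy header whenever `reverse_proxy_addresses` is empty, so in that configuration the address that gets screened is taken from a header value no configured proxy has vouched for, which weakens every IP-based check downstream; the code never says that the trusted-proxy list is what makes the header usable. I would state it above line 54, e.g. `# Without reverse_proxy_addresses the first public hop from the right is trusted as-is; configure the list so only known proxies are skipped.`, or fall back to `$_SERVER['REMOTE_ADDR']` in that branch rather than the header. The `@` on line 52 only hides the case where preg_split returns false instead of handling it; checking that return explicitly would be clearer and would not mask a real error. `uc_all` and `is_rfc1918` are defined outside this section, and the bb2_start and bb2_screen bodies in the later hunks both begin and end outside their hunks.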
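--- a/bad-behavior/functions.inc.php
+++ b/bad-behavior/functions.inc.php
@@ -58,6 +58,10 @@ function match_cidr($addr, $cidr) {
 return $output;
 }
 
+// Determine if an IP address is reserved by RFC 1918.
+function is_rfc1918($addr) {
+return match_cidr($addr, array("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"));
+}
 // Obtain all the HTTP headers.
 // NB: on PHP-CGI we have to fake it out a bit, since we can't get the REAL
 // headers. Run PHP as Apache 2.0 module if possible for best results.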
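Review bot: `is_rfc1918` (new lines 61–64) does exactly what its name says, but its callers in core.inc.php use it to skip private proxy hops, and 127.0.0.0/8 — the address a same-host reverse proxy typically appears as — is not in the list, nor is any IPv6 loopback or private range, so such a hop would be returned as the client address. Unless match_cidr is known to handle IPv6 (its body begins outside the hunk), a comment stating the limit would help, e.g. `// IPv4 only; loopback (127.0.0.0/8) and IPv6 ranges are not covered.`, or `"127.0.0.0/8"` could be added to the list if match_cidr supports it. Line 64's closing brace also runs straight into the `// Obtain all the HTTP headers.` comment, whereas line 60 separates match_cidr from this function with a blank line; one is missing after line 64.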