From 483f0c8b4f7897511dafdf7310bda458baefc59f Mon Sep 17 00:00:00 2001
From: towards-a-new-leftypol
Date: Sun, 17 Dec 2023 12:29:55 +0000
Subject: [PATCH] Fix filters, disallow urls in name/subj/email using filters
---
 inc/config.php | 2 +-
 inc/filters.php | 41 +++++++++++++++++++----------------------
 inc/instance-config.php | 26 ++++++++++++++++++++++++++
 post.php | 6 ++++--
 4 files changed, 50 insertions(+), 25 deletions(-)
diff --git a/inc/config.php b/inc/config.php
index 8d2e142a..db1c9904 100644
--- a/inc/config.php
+++ b/inc/config.php
@@ -359,7 +359,7 @@
 'flood-time-any' => &$config['flood_time_any']
 ),
 'noip' => true,
- 'find-time' => 60 * 60 * 1,
+ 'find_time' => 60 * 60 * 1,
 'action' => 'reject',
 'message' => 'New threads are being created too quickly. Hmmm'
 );
diff --git a/inc/filters.php b/inc/filters.php
index 3364e565..cbd3e09f 100644
--- a/inc/filters.php
+++ b/inc/filters.php
@@ -6,28 +6,23 @@
 defined('TINYBOARD') or exit;
-require_once 'inc/anti-bot.php';
-
 class Filter {
 public $flood_check;
 private $condition;
+ private string $action;
+ private string $message;
+ private $expires;
+ private $reject;
+ private $all_boards;
 private $post;
- private array $filters;
+ private bool $add_note;
+ private bool $noip;
+ private $find_time;
 public function __construct(array $arr) {
-
- /*
- *
- * Look, this needs to either change or get
- * into a subvalue, an associative array
- * by the name of 'filters'
- *
- * And then we need to understand how that's used...
- * however the only place I can see that this is used is
- * the do_filters function inside this module.
- *
- */
- $this->filters = $arr;
+ foreach ($arr as $key => $value) {
+ $this->$key = $value;
+ }
 }
 public function match($condition, $match) {
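Review bot: The constructor's `$this->$key = $value` stores whatever keys the config array happens to contain, so a misspelled filter option (the `find-time` spelling this commit corrects is exactly such a case) becomes a dynamic property instead of being reported, and dynamic properties are deprecated since PHP 8.2. Rejecting unknown keys makes config typos visible: `if (!property_exists($this, $key)) { error("Unknown filter option: $key"); }` before the assignment. The typed properties `string $action`, `string $message`, `bool $add_note` and `bool $noip` are also only initialised when the config entry supplies them, so any read of one that was omitted now raises an uninitialised-property Error rather than yielding null as before; the rest of the class is outside this hunk, so which reads exist cannot be confirmed here.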
@@ -199,7 +194,7 @@ class Filter {
 public function check(array $post) {
 $this->post = $post;
- foreach ($this->filters['condition'] as $condition => $value) {
+ foreach ($this->condition as $condition => $value) {
 if ($condition[0] == '!') {
 $NOT = true;
 $condition = substr($condition, 1);
@@ -207,9 +202,11 @@ class Filter {
 $NOT = false;
 }
- if ($this->match($condition, $value) == $NOT)
+ if ($this->match($condition, $value) == $NOT) {
 return false;
+ }
 }
+ return true;
 }
 }
@@ -239,8 +236,9 @@ function purge_flood_table() {
 function do_filters(array $post) {
 global $config;
- if (!isset($config['filters']) || empty($config['filters']))
+ if (!isset($config['filters']) || empty($config['filters'])) {
 return;
+ }
 // look at the flood table regardless of IP
 $noip = false;
@@ -251,10 +249,10 @@ function do_filters(array $post) {
 break;
 } else if ($filter['noip'] == true) {
 $noip = true;
- $find_time = time() - $filter['find-time'];
+ $find_time = time() - $filter['find_time'];
 }
 }
-
+
 if ($noip) {
 $query = prepare("SELECT * FROM ``flood`` WHERE `time` > $find_time");
 $query->execute() or error(db_error($query));
@@ -287,4 +285,3 @@ function do_filters(array $post) {
 purge_flood_table();
 }
-
diff --git a/inc/instance-config.php b/inc/instance-config.php
index 70c0b5f1..99c63901 100644
--- a/inc/instance-config.php
+++ b/inc/instance-config.php
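Review bot: With `return true` now reachable at the end of check(), a filter entry whose `condition` is missing or empty matches every post, because `foreach ($this->condition as ...)` runs zero iterations (and emits a warning while the untyped property is still null); before this change such an entry returned null and never matched, so this is a behaviour change the commit message does not mention. If an unconditioned filter is not meant to fire on everything, guard it before the loop: `if (empty($this->condition)) { return false; }`, and consider declaring `private array $condition = [];` so a misconfigured entry fails at construction rather than at check time. The `== $NOT` comparison is unchanged and still depends on match() returning something that compares like a bool; match() is outside this hunk, so `===` is only safe once its return type is confirmed.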
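Review bot: `$filter['find_time']` is read with no fallback, so an instance config that still spells the key `find-time` gets an undefined-index warning, `time() - null` evaluates to the current timestamp, and the flood lookup in the `if ($noip)` branch silently matches nothing — the protection degrades to a no-op instead of failing loudly. Accept the old key or stop explicitly: `$find_time = time() - ($filter['find_time'] ?? $filter['find-time'] ?? error('noip filter needs a find_time value'));`. The same branch interpolates `$find_time` straight into the SQL string; the value comes from admin config rather than request data, but replacing it with a `:t` placeholder and `$query->bindValue(':t', $find_time, PDO::PARAM_INT)` also refuses a non-numeric config value instead of pasting it into the query. do_filters continues outside this hunk.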
@@ -532,5 +532,31 @@ $config['filters'][] = array(
 'message' => "$fakereason_ano"
 );
+
+$url_regex = '/(?:https?:\/\/|www\.)[^\s()<>]+(?:\([\w\d]+\)|([^[:punct:]\s]|\/))/i'; // match any url
+$config['filters'][] = array(
+ 'condition' => array(
+ 'subject' => $url_regex,
+ ),
+ 'action' => 'reject',
+ 'message' => 'Url in the subject field is not allowed'
+);
+
+$config['filters'][] = array(
+ 'condition' => array(
+ 'name' => $url_regex,
+ ),
+ 'action' => 'reject',
+ 'message' => 'Url in the name field is not allowed'
+);
+
+$config['filters'][] = array(
+ 'condition' => array(
+ 'email' => $url_regex,
+ ),
+ 'action' => 'reject',
+ 'message' => 'Url in the email field is not allowed'
+);
+
 $config['global_message'] = '

Matrix

IRC Chat

Mumble

Telegram

Discord

';
 $config['debug'] = false;
diff --git a/post.php b/post.php
index bcff8324..e6fdcc7e 100644
--- a/post.php
+++ b/post.php
@@ -743,7 +743,7 @@ function handle_post(){
 } else {
 if (!$post['op']) {
- $numposts = numPosts($post['thread']);
+ $numposts = numPosts($post['thread']);
 }
 }
@@ -847,7 +847,9 @@ function handle_post(){
 }
 }
- if (empty($post['files'])) $post['has_file'] = false;
+ if (empty($post['files'])) {
+ $post['has_file'] = false;
+ }
 if (!$dropped_post) {
 // Check for a file
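Review bot: The three new filter entries are one array repeated with only the condition key changed, and `$url_regex` is left behind as a global in whatever scope includes instance-config.php; a loop over the field names keeps a single copy of the message text and lets the pattern be unset once the entries are registered. The `// match any url` comment overstates what the pattern does: it requires an `http://`, `https://` or `www.` prefix, which is worth saying in the comment since the rejection messages speak of any URL. Two nits in the pattern: `[\w\d]` is redundant because `\w` already includes digits, and the final alternative is a capturing group that nothing reads, so `(?:...)` would do. This also assumes match() accepts `subject`, `name` and `email` as condition keys; that function is outside this hunk.
```php
$url_regex = '/(?:https?:\/\/|www\.)[^\s()<>]+(?:\(\w+\)|(?:[^[:punct:]\s]|\/))/i'; // requires an http(s):// or www. prefix
foreach (['subject', 'name', 'email'] as $field) {
    $config['filters'][] = array(
        'condition' => array($field => $url_regex),
        'action' => 'reject',
        'message' => "Url in the $field field is not allowed",
    );
}
unset($url_regex);
```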