prohibit third-party form sites that are almost exclusively used for phishing

This commit is contained in:
Kyle Drake 2015-02-27 09:44:43 -08:00
parent c2978f03f0
commit e1ef255f84
3 changed files with 58 additions and 21 deletions


@ -68,6 +68,7 @@ class Site < Sequel::Model
/PHP\.Hide/
]
PHISHING_FORM_REGEX = /www.formbuddy.com\/cgi-bin\/form.pl/i
SPAM_MATCH_REGEX = ENV['RACK_ENV'] == 'test' ? /pillz/ : /#{$config['spam_smart_filter'].join('|')}/i
EMAIL_SANITY_REGEX = /.+@.+\..+/i
EDITABLE_FILE_EXT = /html|htm|txt|js|css|md|manifest/i
@ -481,9 +482,20 @@ class Site < Sequel::Model
def okay_to_upload?(uploaded_file)
return true if [:supporter].include?(plan_type.to_sym)
return false if self.class.possible_phishing?(uploaded_file)
self.class.valid_file_type?(uploaded_file)
end
def self.possible_phishing?(uploaded_file)
if File.extname(uploaded_file[:filename]).match EDITABLE_FILE_EXT
open(uploaded_file[:tempfile].path, 'r:binary') {|f|
matches = f.grep PHISHING_FORM_REGEX
return true unless matches.empty?
}
end
false
end
def self.valid_file_type?(uploaded_file)
mime_type = Magic.guess_file_mime_type uploaded_file[:tempfile].path
extname = File.extname uploaded_file[:filename]
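Review bot: `possible_phishing?` reads the upload through bare `open(...)`, which is Kernel#open and treats a leading `|` in its argument as a command to spawn; the argument here is a Tempfile path, so the exposure looks theoretical, but `File.open(uploaded_file[:tempfile].path, 'r:binary')` says what is meant and removes the question, and the same `open` idiom appears in the spam scan of the next hunk. The dots in `PHISHING_FORM_REGEX` are unescaped, so `/www\.formbuddy\.com\/cgi-bin\/form\.pl/i` is presumably the intended pattern. The scan is line-oriented (`f.grep`), so a documentation comment would help readers understand its limits: `# Scans editable (text) uploads line by line for the form-handler URL in PHISHING_FORM_REGEX; only runs for EDITABLE_FILE_EXT extensions, and a match split across lines is not detected.` `valid_file_type?` begins in this hunk and its body continues outside it.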
@ -540,27 +552,6 @@ class Site < Sequel::Model
return false
end
if pathname.extname.match EDITABLE_FILE_EXT
open(uploaded.path, 'r:binary') {|f|
matches = f.grep SPAM_MATCH_REGEX
if !matches.empty?
=begin
EmailWorker.perform_async({
from: 'web@neocities.org',
reply_to: email,
to: 'spam@neocities.org',
subject: "[Neocities SPAM]: #{username}",
body: %{
#{username}
https://#{self.host}/#{relative_path}
}
})
=end
end
}
end
if relative_path == 'index.html' && opts[:new_install] != true
begin
new_title = Nokogiri::HTML(File.read(uploaded.path)).css('title').first.text