diff --git a/README.txt b/README.txt
index 74288fa..a6b1f03 100644
--- a/README.txt
+++ b/README.txt
@@ -2,9 +2,9 @@
Tags: comment,trackback,referrer,spam,robot,antispam
Contributors: error
Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=error%40ioerror%2eus&item_name=Bad%20Behavior%20%28From%20WordPress%20Page%29&no_shipping=1&cn=Comments%20about%20Bad%20Behavior&tax=0¤cy_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8
-Requires at least: 3.1
-Tested up to: 4.0.1
-Stable tag: 2.2.16
+Requires at least: 3.5
+Tested up to: 4.8
+Stable tag: 2.2.19
Bad Behavior prevents spammers from ever delivering their junk, and in many
cases, from ever reading your site in the first place.
diff --git a/bad-behavior-wordpress-admin.php b/bad-behavior-wordpress-admin.php
index 785635e..1f98fe4 100644
--- a/bad-behavior-wordpress-admin.php
+++ b/bad-behavior-wordpress-admin.php
@@ -9,7 +9,9 @@ function bb2_admin_pages() {
add_options_page(__("Bad Behavior"), __("Bad Behavior"), 'manage_options', 'bb2_options', 'bb2_options');
add_options_page(__("Bad Behavior Whitelist"), __("Bad Behavior Whitelist"), 'manage_options', 'bb2_whitelist', 'bb2_whitelist');
add_management_page(__("Bad Behavior Log"), __("Bad Behavior Log"), 'manage_options', 'bb2_manage', 'bb2_manage');
- @session_start();
+ if(session_id() == '') {
+ @session_start();
+ }
}
}
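Review bot: The new guard compares `session_id()` loosely against `''`; the explicit form is `if (session_status() === PHP_SESSION_NONE) { session_start(); }`, which only starts a session when none is active and sessions are not disabled. The retained `@` still hides a "headers already sent" failure, so a session that silently did not start is never reported; dropping the suppression or checking session_start()'s return value would surface it. bb2_admin_pages() begins before this hunk.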
@@ -243,6 +245,7 @@ function bb2_whitelist()
if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME']; # IIS
if ($_POST) {
+ check_admin_referer('bad-behavior-whitelist');
$_POST = array_map('stripslashes_deep', $_POST);
if ($_POST['ip']) {
$whitelists['ip'] = array_filter(preg_split("/\s+/m", $_POST['ip']));
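Review bot: `check_admin_referer('bad-behavior-whitelist')` only protects this handler if the form rendered on the same page emits a matching nonce via `wp_nonce_field('bad-behavior-whitelist')`; the form-rendering hunk later in this file (`@@ -277,18 +280,20 @@`) is not legible in this rendering, so the pairing could not be confirmed here. The same applies to `check_admin_referer('bad-behavior-options')` in bb2_options() (`@@ -304,6 +309,7 @@`) and its form hunk (`@@ -438,6 +444,8 @@`). Since check_admin_referer() terminates the request on a bad nonce, nothing further is needed at the call site. bb2_whitelist() starts before and ends after this hunk.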
@@ -277,18 +280,20 @@ function bb2_whitelist()
+
+
@@ -304,6 +309,7 @@ function bb2_options()
if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME']; # IIS
if ($_POST) {
+ check_admin_referer('bad-behavior-options');
$_POST = array_map('stripslashes_deep', $_POST);
if ($_POST['display_stats']) {
$settings['display_stats'] = true;
@@ -438,6 +444,8 @@ function bb2_options()
|
+
+
diff --git a/bad-behavior-wordpress.php b/bad-behavior-wordpress.php
index a3f1f1e..9700e40 100644
--- a/bad-behavior-wordpress.php
+++ b/bad-behavior-wordpress.php
@@ -1,7 +1,7 @@
get_results($query, ARRAY_A);
if ( defined('WP_DEBUG') and WP_DEBUG == true )
$wpdb->show_errors();
- if (mysql_error()) {
+ if ($wpdb->last_error) {
return FALSE;
}
return $result;
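Review bot: `$wpdb->last_error` is a string that is empty on success, so the truthiness test works, but `if ($wpdb->last_error !== '')` states the intent explicitly and avoids relying on string falsiness. Separately, `$wpdb->show_errors()` on the preceding context line is called after the query has already run, so it appears to affect only later queries rather than the one being checked here; that line is unchanged by this commit. The enclosing function begins before this hunk (its first visible line is a fragment).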
diff --git a/bad-behavior/blacklist.inc.php b/bad-behavior/blacklist.inc.php
index f0b358b..ddc0228 100644
--- a/bad-behavior/blacklist.inc.php
+++ b/bad-behavior/blacklist.inc.php
@@ -5,7 +5,9 @@ function bb2_blacklist($package) {
// Blacklisted user agents
// These user agent strings occur at the beginning of the line.
$bb2_spambots_0 = array(
+ "-", // brute force password attempts, malicious botnet
"8484 Boston Project", // video poker/porn spam
+ "ArchiveTeam", // ignores robots.txt and hammers server
"adwords", // referrer spam
"autoemailspider", // spam harvester
"blogsearchbot-martin", // from honeypot
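Review bot: `"-"` is added to the list that the header comment describes as matched at the beginning of the line, so it blocks every user-agent string that starts with a hyphen, not only the bare `-` the inline comment suggests. If an exact match is intended it belongs in an exact-match list, if the file has one; otherwise the comment could read `// "-" or any UA starting with "-": brute force password attempts, malicious botnet` so the breadth is documented. bb2_blacklist() continues beyond this hunk.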
@@ -35,6 +37,7 @@ function bb2_blacklist($package) {
"MJ12bot/v1.0.8", // malicious botnet
"Morfeus", // vulnerability scanner
"Movable Type", // customised spambots
+ // msnbot is using this fake user agent string now
//"Mozilla ", // malicious software
"Mozilla/0", // malicious software
"Mozilla/1", // malicious software
@@ -76,7 +79,10 @@ function bb2_blacklist($package) {
"\r", // A really dumb bot
" $v) {
+ $i = $key. '[' . $k . ']';
+ if (is_array($v))
+ $v = bb2_unpack_php_post_array($i, $v);
+ $unpacked[$i] = $v;
+ }
+ return $unpacked;
+}
+
// Let God sort 'em out!
function bb2_start($settings)
{
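Review bot: In the added loop, the result of the recursive call `$v = bb2_unpack_php_post_array($i, $v);` is stored back under the single key `$unpacked[$i]`, so a nested array comes out as a nested array whose inner keys are already in `key[k][j]` form rather than being flattened into the caller's array. If flattening is the intent, merge instead: `if (is_array($v)) { $unpacked += bb2_unpack_php_post_array($i, $v); continue; }`. The function's signature and the start of the foreach are not legible in this rendering, so the initialisation of `$unpacked` could not be checked.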
@@ -87,6 +100,10 @@ function bb2_start($settings)
$request_entity = array();
if (!strcasecmp($_SERVER['REQUEST_METHOD'], "POST") || !strcasecmp($_SERVER['REQUEST_METHOD'], "PUT")) {
foreach ($_POST as $h => $v) {
+ if (is_array($v)) {
+ # Workaround, see Bug #12
+ $v = "Array";
+ }
$request_entity[$h] = $v;
}
}
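Review bot: Replacing an array-valued POST field with the literal string `"Array"` means the contents of nested fields are never placed in `$request_entity`, so whatever screening consumes that array does not see them; the comment `# Workaround, see Bug #12` would be more useful if it said that the data is deliberately dropped and what the workaround avoids. The newly added bb2_unpack_php_post_array() in this file looks like the intended replacement but is not called here; if that is the plan, a TODO pointing at it would help. bb2_start() starts before and ends after this hunk.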
diff --git a/bad-behavior/functions.inc.php b/bad-behavior/functions.inc.php
index 45d3645..fb83e0f 100644
--- a/bad-behavior/functions.inc.php
+++ b/bad-behavior/functions.inc.php
@@ -50,7 +50,7 @@ function match_cidr($addr, $cidr) {
}
}
} else {
- @list($ip, $mask) = explode('/', $cidr);
+ @list($ip, $mask) = array_merge(explode('/', $cidr), array(true));
if (!$mask) $mask = 32;
$mask = pow(2,32) - pow(2, (32 - $mask));
$output = ((ip2long($addr) & $mask) == (ip2long($ip) & $mask));
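Review bot: Padding with `array(true)` changes the meaning of a CIDR entry that has no `/` suffix: `$mask` becomes `true`, so the `if (!$mask) $mask = 32;` default on the next line never fires, and `pow(2, (32 - $mask))` evaluates `32 - true` as 31, producing a /1 netmask instead of /32. A bare address in a whitelist or blacklist therefore matches every address sharing its top bit rather than only itself, whereas the previous code got /32 because the undefined `$mask` was falsy. Pad with the intended default instead, `list($ip, $mask) = array_pad(explode('/', $cidr), 2, 32);`, which also removes the need for the `@` suppression. match_cidr() begins before this hunk.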
diff --git a/bad-behavior/post.inc.php b/bad-behavior/post.inc.php
index 00739d0..10446de 100644
--- a/bad-behavior/post.inc.php
+++ b/bad-behavior/post.inc.php
@@ -58,6 +58,8 @@ function bb2_post($settings, $package)
$url = parse_url($package['headers_mixed']['Referer']);
$url['host'] = preg_replace('|^www\.|', '', $url['host']);
$host = preg_replace('|^www\.|', '', $package['headers_mixed']['Host']);
+ # Strip port
+ $host = preg_replace('|:\d+$|', '', $host);
if (strcasecmp($host, $url['host'])) {
return "cd361abb";
}
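Review bot: The `# Strip port` comment could say why the strip is needed: `parse_url()` already separates the Referer's port into `$url['port']`, so the Host header has to be normalised the same way or `example.com:8080` would never compare equal to the Referer host. Suggested wording: `# parse_url() keeps the Referer's port out of ['host'], so drop ours too before comparing`. The comparison on the following context line still reads `$url['host']` without checking that parse_url() returned a host at all; that line is unchanged by this commit. bb2_post() starts before and ends after this hunk.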
diff --git a/bad-behavior/searchengine.inc.php b/bad-behavior/searchengine.inc.php
index 2e49459..1f2e15b 100644
--- a/bad-behavior/searchengine.inc.php
+++ b/bad-behavior/searchengine.inc.php
@@ -23,7 +23,7 @@ function bb2_google($package)
function bb2_msnbot($package)
{
if (@is_ipv6($package['ip'])) return false; # TODO
- if (match_cidr($package['ip'], array("207.46.0.0/16", "65.52.0.0/14", "207.68.128.0/18", "207.68.192.0/20", "64.4.0.0/18", "157.54.0.0/15", "157.60.0.0/16", "157.56.0.0/14", "131.253.21.0/24", "131.253.22.0/23", "131.253.24.0/21", "131.253.32.0/20")) === FALSE) {
+ if (match_cidr($package['ip'], array("207.46.0.0/16", "65.52.0.0/14", "207.68.128.0/18", "207.68.192.0/20", "64.4.0.0/18", "157.54.0.0/15", "157.60.0.0/16", "157.56.0.0/14", "131.253.21.0/24", "131.253.22.0/23", "131.253.24.0/21", "131.253.32.0/20", "40.76.0.0/14")) === FALSE) {
return false; # Soft fail, must pass other screening
#return "e4de0453"; # Hard fail
}
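Review bot: The inline array is now thirteen CIDR ranges on one line, and the commit gives no indication of where `40.76.0.0/14` comes from or when the list was last checked; a short comment such as `# Ranges from [source] as of [YYYY-MM-DD]` with the real values filled in would make the next addition reviewable. Listing one range per line would also let future diffs show exactly which range changed. bb2_msnbot() continues beyond this hunk.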