Updating the code and changes to comply with the WordPress Trac

README.txt

@@ -2,9 +2,9 @@
 Tags: comment,trackback,referrer,spam,robot,antispam
 Contributors: error
 Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=error%40ioerror%2eus&item_name=Bad%20Behavior%20%28From%20WordPress%20Page%29&no_shipping=1&cn=Comments%20about%20Bad%20Behavior&tax=0&currency_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8
-Requires at least: 3.1
-Tested up to: 4.0.1
-Stable tag: 2.2.16
+Requires at least: 3.5
+Tested up to: 4.8
+Stable tag: 2.2.19
 
 Bad Behavior prevents spammers from ever delivering their junk, and in many
 cases, from ever reading your site in the first place.

bad-behavior-wordpress-admin.php

@@ -9,7 +9,9 @@ function bb2_admin_pages() {
 		add_options_page(__("Bad Behavior"), __("Bad Behavior"), 'manage_options', 'bb2_options', 'bb2_options');
 		add_options_page(__("Bad Behavior Whitelist"), __("Bad Behavior Whitelist"), 'manage_options', 'bb2_whitelist', 'bb2_whitelist');
 		add_management_page(__("Bad Behavior Log"), __("Bad Behavior Log"), 'manage_options', 'bb2_manage', 'bb2_manage');
-		@session_start();
+		if(session_id() == '') {
+			@session_start();
+		}
 	}
 }
 
@@ -243,6 +245,7 @@ function bb2_whitelist()
 	if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME'];	# IIS
 
 	if ($_POST) {
+		check_admin_referer('bad-behavior-whitelist');
 		$_POST = array_map('stripslashes_deep', $_POST);
 		if ($_POST['ip']) {
 			$whitelists['ip'] = array_filter(preg_split("/\s+/m", $_POST['ip']));
@@ -277,18 +280,20 @@ function bb2_whitelist()
 
 	<h3><?php _e('IP Address'); ?></h3>
 	<table class="form-table">
-	<tr><td><label>IP address or CIDR format address ranges to be whitelisted (one per line)<br/><textarea cols="24" rows="6" name="ip"><?php echo implode("\n", $whitelists['ip']); ?></textarea></td></tr>
+	<tr><td><label>IP address or CIDR format address ranges to be whitelisted (one per line)<br/><textarea cols="24" rows="6" name="ip"><?php echo esc_textarea(implode("\n", $whitelists['ip'])); ?></textarea></td></tr>
 	</table>
 
 	<h3><?php _e('URL'); ?></h3>
 	<table class="form-table">
-	<tr><td><label>URL fragments beginning with the / after your web site hostname (one per line)<br/><textarea cols="48" rows="6" name="url"><?php echo implode("\n", $whitelists['url']); ?></textarea></td></tr>
+	<tr><td><label>URL fragments beginning with the / after your web site hostname (one per line)<br/><textarea cols="48" rows="6" name="url"><?php echo esc_textarea(implode("\n", $whitelists['url'])); ?></textarea></td></tr>
 	</table>
 
 	<h3><?php _e('User Agent'); ?></h3>
 	<table class="form-table">
-	<tr><td><label>User agent strings to be whitelisted (one per line)<br/><textarea cols="48" rows="6" name="useragent"><?php echo implode("\n", $whitelists['useragent']); ?></textarea></td></tr>
+	<tr><td><label>User agent strings to be whitelisted (one per line)<br/><textarea cols="48" rows="6" name="useragent"><?php echo esc_textarea(implode("\n", $whitelists['useragent'])); ?></textarea></td></tr>
 	</table>
+
+	<?php wp_nonce_field('bad-behavior-whitelist'); ?>
 
 	<p class="submit"><input class="button" type="submit" name="submit" value="<?php _e('Update &raquo;'); ?>" /></p>
 	</form>
@@ -304,6 +309,7 @@ function bb2_options()
 	if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME'];	# IIS
 
 	if ($_POST) {
+		check_admin_referer('bad-behavior-options');
 		$_POST = array_map('stripslashes_deep', $_POST);
 		if ($_POST['display_stats']) {
 			$settings['display_stats'] = true;
@@ -438,6 +444,8 @@ function bb2_options()
 	<tr><td><label>IP address or CIDR format address ranges for your proxy servers (one per line)<br/><textarea cols="24" rows="6" name="reverse_proxy_addresses"><?php echo esc_textarea(implode("\n", $settings['reverse_proxy_addresses'])); ?></textarea></td></tr>
 	</table>
 
+<?php wp_nonce_field('bad-behavior-options'); ?>
+
 	<p class="submit"><input class="button" type="submit" name="submit" value="<?php _e('Update &raquo;'); ?>" /></p>
 	</form>
 	</div>

bad-behavior-wordpress.php

@@ -1,7 +1,7 @@
 <?php
 /*
 Plugin Name: Bad Behavior
-Version: 2.2.16
+Version: 2.2.19
 Description: Deny automated spambots access to your PHP-based Web site.
 Plugin URI: http://bad-behavior.ioerror.us/
 Author: Michael Hampton
@@ -76,7 +76,7 @@ function bb2_db_query($query) {
 	$result = $wpdb->get_results($query, ARRAY_A);
 	if ( defined('WP_DEBUG') and WP_DEBUG == true )
 		$wpdb->show_errors();
-	if (mysql_error()) {
+	if ($wpdb->last_error) {
 		return FALSE;
 	}
 	return $result;

bad-behavior/blacklist.inc.php

@@ -5,7 +5,9 @@ function bb2_blacklist($package) {
 	// Blacklisted user agents
 	// These user agent strings occur at the beginning of the line.
 	$bb2_spambots_0 = array(
+		"-",			// brute force password attempts, malicious botnet
 		"8484 Boston Project",	// video poker/porn spam
+		"ArchiveTeam",		// ignores robots.txt and hammers server
 		"adwords",		// referrer spam
 		"autoemailspider",	// spam harvester
 		"blogsearchbot-martin",	// from honeypot
@@ -35,6 +37,7 @@ function bb2_blacklist($package) {
 		"MJ12bot/v1.0.8",	// malicious botnet
 		"Morfeus",		// vulnerability scanner
 		"Movable Type",		// customised spambots
+	// msnbot is using this fake user agent string now 
 		//"Mozilla ",		// malicious software
 		"Mozilla/0",		// malicious software
 		"Mozilla/1",		// malicious software
@@ -76,7 +79,10 @@ function bb2_blacklist($package) {
 		"\r",			// A really dumb bot
 		"<sc",			// XSS exploit attempts
 		"; Widows ",		// misc comment/email spam
+	        ": ;",			// shellshock 
+ 	        ":;",			// shellshock 
 		"a href=",		// referrer spam
+		"ArchiveBot",		// ignores robots.txt and hammers server
 		"Bad Behavior Test",	// Add this to your user-agent to test BB
 		"compatible ; MSIE",	// misc comment/email spam
 		"compatible-",		// misc comment/email spam
@@ -127,11 +133,9 @@ function bb2_blacklist($package) {
 	// These are regular expression matches.
 	$bb2_spambots_regex = array(
 		"/^[A-Z]{10}$/",	// misc email spam
-// msnbot is using this fake user agent string now
-//		"/^Mozilla...[05]$/i",	// fake user agent/email spam
 		"/[bcdfghjklmnpqrstvwxz ]{8,}/",
 //		"/(;\){1,2}$/",		// misc spammers/harvesters
-//		"/MSIE.*Windows XP/",	// misc comment spam
+		"/MSIE.*Windows XP/",	// misc comment spam
 		"/MSIE [2345]/",	// too old; assumed robot
 	);
 

bad-behavior/core.inc.php

@@ -1,5 +1,5 @@
 <?php if (!defined('BB2_CWD')) die("I said no cheating!");
-define('BB2_VERSION', "2.2.16");
+define('BB2_VERSION', "2.2.19");
 
 // Bad Behavior entry point is bb2_start()
 // If you're reading this, you are probably lost.
@@ -68,6 +68,19 @@ function bb2_reverse_proxy($settings, $headers_mixed)
 	return false;
 }
 
+# FIXME: Bug #12. But this code doesn't currently work.
+function bb2_unpack_php_post_array($key, $value)
+{
+	$unpacked = array();
+	foreach ($value as $k => $v) {
+		$i = $key. '[' . $k . ']';
+		if (is_array($v))
+		$v = bb2_unpack_php_post_array($i, $v);
+		$unpacked[$i] = $v;
+	}
+	return $unpacked;
+}
+
 // Let God sort 'em out!
 function bb2_start($settings)
 {
@@ -87,6 +100,10 @@ function bb2_start($settings)
 	$request_entity = array();
 	if (!strcasecmp($_SERVER['REQUEST_METHOD'], "POST") || !strcasecmp($_SERVER['REQUEST_METHOD'], "PUT")) {
 		foreach ($_POST as $h => $v) {
+			if (is_array($v)) {
+				# Workaround, see Bug #12
+				$v = "Array";
+			}
 			$request_entity[$h] = $v;
 		}
 	}

bad-behavior/functions.inc.php

@@ -50,7 +50,7 @@ function match_cidr($addr, $cidr) {
 			}
 		}
 	} else {
-		@list($ip, $mask) = explode('/', $cidr);
+		@list($ip, $mask) = array_merge(explode('/', $cidr), array(true));
 		if (!$mask) $mask = 32;
 		$mask = pow(2,32) - pow(2, (32 - $mask));
 		$output = ((ip2long($addr) & $mask) == (ip2long($ip) & $mask));

bad-behavior/post.inc.php

@@ -58,6 +58,8 @@ function bb2_post($settings, $package)
 		$url = parse_url($package['headers_mixed']['Referer']);
 		$url['host'] = preg_replace('|^www\.|', '', $url['host']);
 		$host = preg_replace('|^www\.|', '', $package['headers_mixed']['Host']);
+		# Strip port
+		$host = preg_replace('|:\d+$|', '', $host); 
 		if (strcasecmp($host, $url['host'])) {
 			return "cd361abb";
 		}

bad-behavior/searchengine.inc.php

@@ -23,7 +23,7 @@ function bb2_google($package)
 function bb2_msnbot($package)
 {
 	if (@is_ipv6($package['ip'])) return false;	# TODO
-	if (match_cidr($package['ip'], array("207.46.0.0/16", "65.52.0.0/14", "207.68.128.0/18", "207.68.192.0/20", "64.4.0.0/18", "157.54.0.0/15", "157.60.0.0/16", "157.56.0.0/14", "131.253.21.0/24", "131.253.22.0/23", "131.253.24.0/21", "131.253.32.0/20")) === FALSE) {
+	if (match_cidr($package['ip'], array("207.46.0.0/16", "65.52.0.0/14", "207.68.128.0/18", "207.68.192.0/20", "64.4.0.0/18", "157.54.0.0/15", "157.60.0.0/16", "157.56.0.0/14", "131.253.21.0/24", "131.253.22.0/23", "131.253.24.0/21", "131.253.32.0/20", "40.76.0.0/14")) === FALSE) {
 		return false;	# Soft fail, must pass other screening
 		#return "e4de0453";	# Hard fail
 	}