author | Florian Pritz <bluewind@xssn.at> | 2011-01-18 19:12:36 +0100 |
committer | Florian Pritz <bluewind@xssn.at> | 2011-01-18 19:12:36 +0100 |
commit | b6b8a6587c399bfd89e13e92ce04ee8486688e6e (patch) | |
tree | 6479b1bfff401c6f143b2c7e1ba8554adbb233b0 /system/application | |
parent | 40b842682fbb4e27031ffdb26709d20f4f9b38e9 (diff) |
disable do_paste due to bot problems
There are still bots which are able to trick the hidden email field and
they upload phishing pages, which led to paste.xinu.at being listed.
Signed-off-by: Florian Pritz <bluewind@xssn.at>
Diffstat (limited to 'system/application')
-rw-r--r-- | system/application/controllers/file.php | 4 | ||||
-rw-r--r-- | system/application/views/file/client.php | 9 | ||||
-rw-r--r-- | system/application/views/file/upload_form.php | 7 |
3 files changed, 15 insertions, 5 deletions
diff --git a/system/application/controllers/file.php b/system/application/controllers/file.php
index adde14927..a11255986 100644
--- a/system/application/controllers/file.php
+++ b/system/application/controllers/file.php
@@ -124,8 +124,12 @@ class File extends Controller {
  // support textareas on the upload form
  // XXX: This requires users of suhosin to adjust maxium post and request size
  // TODO: merge with do_upload()
+ // XXX: this is too vulnerable to bots
  function do_paste() {
+ // FIXME: disable until bot problem is really fixed
+ return $this->upload_form();
+
  $data = array();
  $content = $this->input->post('content')."\n";
  $extension = $this->input->post('extension');
diff --git a/system/application/views/file/client.php b/system/application/views/file/client.php
index d9470a216..0ebc20791 100644
--- a/system/application/views/file/client.php
+++ b/system/application/views/file/client.php
@@ -1,8 +1,11 @@
 <p><b>Shell:</b></p>
 <pre>
-curl -n -F "content=<-" <?php echo base_url(); ?> < file (not binary safe)
-cat file | curl -n -F "content=<-" <?php echo base_url(); ?> (not binary safe)
-curl -n -F "file=@/home/user/foo" <?php echo base_url(); ?> (binary safe)
+<?php if(false): ?>
+>curl -n -F "content=<-" <?php echo site_url(); ?> < file (not binary safe)
+cat file | curl -n -F "content=<-" <?php echo site_url(); ?> (not binary safe)
+<?php endif; ?>
+curl -n -F "file=@/home/user/foo" <?php echo site_url(); ?> (binary safe)
+cat file | curl -n -F "file=@-;filename=stdin" <?php echo site_url(); ?> (binary safe)
 </pre>
 <p><b>Client:</b><br />
 <p>Development (git): <a href="http://git.server-speed.net/users/flo/fb/">http://git.server-speed.net/users/flo/fb/</a><br />
diff --git a/system/application/views/file/upload_form.php b/system/application/views/file/upload_form.php
index 0f90bab0e..4b23783dd 100644
--- a/system/application/views/file/upload_form.php
+++ b/system/application/views/file/upload_form.php
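Review bot: The early `return $this->upload_form();` disables pasting by answering a POST to file/do_paste with the normal upload page, so the endpoint still returns a success response that bots and server logs cannot tell apart from a working paste, and everything from `$data = array();` onward becomes unreachable dead code; the rest of do_paste's body lies outside the hunk. An explicit refusal is easier to monitor and leaves no doubt that the route is off, e.g. `show_error('Pasting has been disabled.', 403);` if the framework's show_error() accepts a status code, as CodeIgniter's does. The bare `// XXX: this is too vulnerable to bots` also undersells the reason; a comment such as `// Disabled: bots bypass the hidden email field and upload phishing pages` tells the next maintainer what must be fixed before the FIXME can go.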
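Review bot: The first line inside the new `<?php if(false): ?>` guard begins with a stray `>` (`>curl -n -F "content=<-" …`), which goes unnoticed only because the block is never rendered; whoever flips the guard back will publish a broken example, so drop the `>` now. Parking the two `content=` examples under `if(false)` also leaves a reader of the view unsure whether that form of upload is still supported, while git history already preserves the old text; deleting the two lines outright, with a one-line `<?php // content= paste examples removed: do_paste is disabled ?>` if a pointer is wanted, would be clearer than dead markup.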
@@ -5,7 +5,9 @@
 <input type="submit" value="Upload" name="process" /><br />
 Optional password (for deletion): <input type="password" name="password" size="10" />
 </p>
- </form>
+ </form>
+ <p>Pasting text directly has been disabled due to extensive bot problems. Please use the file upload instead.</p>
+<?php if (false): ?>
 <p><b>OR</b></p>
 <?php echo form_open_multipart('file/do_paste'); ?>
 <p>
@@ -13,7 +15,8 @@
 <div style="display: none">Email: <input type="text" name="email" size="20" /></div>
 Optional password (for deletion): <input type="password" name="password" size="10" /><br />
 <input type="submit" value="Paste" name="process" />
- </p>
+ </p>
+<?php endif; ?>
 </form>
 </div>
 <br /> |
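Review bot: In the second hunk the new `<?php endif; ?>` sits before the paste form's `</form>`, but the matching `form_open_multipart('file/do_paste')` is inside the `<?php if (false): ?>` opened in the first hunk, so the rendered page now emits a `</form>` with no opening tag. Browsers silently discard the stray tag, which is why it is easy to miss, and the guard spanning two hunks makes the mismatch hard to see in review; swap the two lines so the block reads `</form>` then `<?php endif; ?>`. The `- </form>`/`+ </form>` pair in the first hunk appears to be a whitespace-only change and could be dropped to keep the diff focused on the disablement.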