From b6b8a6587c399bfd89e13e92ce04ee8486688e6e Mon Sep 17 00:00:00 2001
From: Florian Pritz <bluewind@xssn.at>
Date: Tue, 18 Jan 2011 19:12:36 +0100
Subject: disable do_paste due to bot problems

There are still bots which are able to trick the hidden email field and
they upload phishing pages which let to paste.xinu.at being listed.

Signed-off-by: Florian Pritz <bluewind@xssn.at>
---
 system/application/controllers/file.php       | 4 ++++
 system/application/views/file/client.php      | 9 ++++++---
 system/application/views/file/upload_form.php | 7 +++++--
 3 files changed, 15 insertions(+), 5 deletions(-)

(limited to 'system')

diff --git a/system/application/controllers/file.php b/system/application/controllers/file.php
index adde14927..a11255986 100644
--- a/system/application/controllers/file.php
+++ b/system/application/controllers/file.php
@@ -124,8 +124,12 @@ class File extends Controller {
 	// support textareas on the upload form
 	// XXX: This requires users of suhosin to adjust maxium post and request size
 	// TODO: merge with do_upload()
+	// XXX: this is too vulnerable to bots
 	function do_paste()
 	{
+		// FIXME: disable until bot problem is really fixed
+		return $this->upload_form();
+
 		$data = array();
 		$content = $this->input->post('content')."\n";
 		$extension = $this->input->post('extension');
diff --git a/system/application/views/file/client.php b/system/application/views/file/client.php
index d9470a216..0ebc20791 100644
--- a/system/application/views/file/client.php
+++ b/system/application/views/file/client.php
@@ -1,8 +1,11 @@
 <p><b>Shell:</b></p>
 <pre>
-curl -n -F "content=&lt;-" <?php echo base_url(); ?> &lt; file      (not binary safe)
-cat file | curl -n -F "content=&lt;-" <?php echo base_url(); ?>  (not binary safe)
-curl -n -F "file=@/home/user/foo" <?php echo base_url(); ?>   (binary safe)
+<?php if(false): ?>
+>curl -n -F "content=&lt;-" <?php echo site_url(); ?> &lt; file      (not binary safe)
+cat file | curl -n -F "content=&lt;-" <?php echo site_url(); ?>  (not binary safe)
+<?php endif; ?>
+curl -n -F "file=@/home/user/foo" <?php echo site_url(); ?>   (binary safe)
+cat file | curl -n -F "file=@-;filename=stdin" <?php echo site_url(); ?>   (binary safe)
 </pre>
 <p><b>Client:</b><br />
 <p>Development (git): <a href="http://git.server-speed.net/users/flo/fb/">http://git.server-speed.net/users/flo/fb/</a><br />
diff --git a/system/application/views/file/upload_form.php b/system/application/views/file/upload_form.php
index 0f90bab0e..4b23783dd 100644
--- a/system/application/views/file/upload_form.php
+++ b/system/application/views/file/upload_form.php
@@ -5,7 +5,9 @@
       <input type="submit" value="Upload" name="process" /><br />
       Optional password (for deletion): <input type="password" name="password" size="10" />
     </p>
-  </form>
+	</form>
+	<p>Pasting text directly has been disabled due to extensive bot problems. Please use the file upload instead.</p>
+<?php if (false): ?>
   <p><b>OR</b></p>
   <?php echo form_open_multipart('file/do_paste'); ?>
     <p>
@@ -13,7 +15,8 @@
       <div style="display: none">Email: <input type="text" name="email" size="20" /></div>
       Optional password (for deletion): <input type="password" name="password" size="10" /><br />
       <input type="submit" value="Paste" name="process" />
-    </p>
+		</p>
+<?php endif; ?>
   </form>
 </div>
 <br />
-- 
cgit v1.2.3-24-g4f1b