| [ Index ] |
PHP Cross Reference of WordPress |
[Summary view] [Print] [Text view]
1 <?php 2 3 class Akismet { 4 const API_HOST = 'rest.akismet.com'; 5 const API_PORT = 80; 6 const MAX_DELAY_BEFORE_MODERATION_EMAIL = 86400; // One day in seconds 7 8 public static $LIMIT_NOTICES = array( 9 10501 => 'FIRST_MONTH_OVER_LIMIT', 10 10502 => 'SECOND_MONTH_OVER_LIMIT', 11 10504 => 'THIRD_MONTH_APPROACHING_LIMIT', 12 10508 => 'THIRD_MONTH_OVER_LIMIT', 13 10516 => 'FOUR_PLUS_MONTHS_OVER_LIMIT', 14 ); 15 16 private static $last_comment = ''; 17 private static $initiated = false; 18 private static $prevent_moderation_email_for_these_comments = array(); 19 private static $last_comment_result = null; 20 private static $comment_as_submitted_allowed_keys = array( 'blog' => '', 'blog_charset' => '', 'blog_lang' => '', 'blog_ua' => '', 'comment_agent' => '', 'comment_author' => '', 'comment_author_IP' => '', 'comment_author_email' => '', 'comment_author_url' => '', 'comment_content' => '', 'comment_date_gmt' => '', 'comment_tags' => '', 'comment_type' => '', 'guid' => '', 'is_test' => '', 'permalink' => '', 'reporter' => '', 'site_domain' => '', 'submit_referer' => '', 'submit_uri' => '', 'user_ID' => '', 'user_agent' => '', 'user_id' => '', 'user_ip' => '' ); 21 22 public static function init() { 23 if ( ! self::$initiated ) { 24 self::init_hooks(); 25 } 26 } 27 28 /** 29 * Initializes WordPress hooks 30 */ 31 private static function init_hooks() { 32 self::$initiated = true; 33 34 add_action( 'wp_insert_comment', array( 'Akismet', 'auto_check_update_meta' ), 10, 2 ); 35 add_filter( 'preprocess_comment', array( 'Akismet', 'auto_check_comment' ), 1 ); 36 add_filter( 'rest_pre_insert_comment', array( 'Akismet', 'rest_auto_check_comment' ), 1 ); 37 38 add_action( 'akismet_scheduled_delete', array( 'Akismet', 'delete_old_comments' ) ); 39 add_action( 'akismet_scheduled_delete', array( 'Akismet', 'delete_old_comments_meta' ) ); 40 add_action( 'akismet_scheduled_delete', array( 'Akismet', 'delete_orphaned_commentmeta' ) ); 41 add_action( 'akismet_schedule_cron_recheck', array( 'Akismet', 'cron_recheck' ) ); 42 43 add_action( 'comment_form', array( 'Akismet', 'add_comment_nonce' ), 1 ); 44 45 add_action( 'admin_head-edit-comments.php', array( 'Akismet', 'load_form_js' ) ); 46 add_action( 'comment_form', array( 'Akismet', 'load_form_js' ) ); 47 add_action( 'comment_form', array( 'Akismet', 'inject_ak_js' ) ); 48 add_filter( 'script_loader_tag', array( 'Akismet', 'set_form_js_async' ), 10, 3 ); 49 50 add_filter( 'comment_moderation_recipients', array( 'Akismet', 'disable_moderation_emails_if_unreachable' ), 1000, 2 ); 51 add_filter( 'pre_comment_approved', array( 'Akismet', 'last_comment_status' ), 10, 2 ); 52 53 add_action( 'transition_comment_status', array( 'Akismet', 'transition_comment_status' ), 10, 3 ); 54 55 // Run this early in the pingback call, before doing a remote fetch of the source uri 56 add_action( 'xmlrpc_call', array( 'Akismet', 'pre_check_pingback' ) ); 57 58 // Jetpack compatibility 59 add_filter( 'jetpack_options_whitelist', array( 'Akismet', 'add_to_jetpack_options_whitelist' ) ); 60 add_action( 'update_option_wordpress_api_key', array( 'Akismet', 'updated_option' ), 10, 2 ); 61 add_action( 'add_option_wordpress_api_key', array( 'Akismet', 'added_option' ), 10, 2 ); 62 63 add_action( 'comment_form_after', array( 'Akismet', 'display_comment_form_privacy_notice' ) ); 64 } 65 66 public static function get_api_key() { 67 return apply_filters( 'akismet_get_api_key', defined('WPCOM_API_KEY') ? constant('WPCOM_API_KEY') : get_option('wordpress_api_key') ); 68 } 69 70 public static function check_key_status( $key, $ip = null ) { 71 return self::http_post( Akismet::build_query( array( 'key' => $key, 'blog' => get_option( 'home' ) ) ), 'verify-key', $ip ); 72 } 73 74 public static function verify_key( $key, $ip = null ) { 75 // Shortcut for obviously invalid keys. 76 if ( strlen( $key ) != 12 ) { 77 return 'invalid'; 78 } 79 80 $response = self::check_key_status( $key, $ip ); 81 82 if ( $response[1] != 'valid' && $response[1] != 'invalid' ) 83 return 'failed'; 84 85 return $response[1]; 86 } 87 88 public static function deactivate_key( $key ) { 89 $response = self::http_post( Akismet::build_query( array( 'key' => $key, 'blog' => get_option( 'home' ) ) ), 'deactivate' ); 90 91 if ( $response[1] != 'deactivated' ) 92 return 'failed'; 93 94 return $response[1]; 95 } 96 97 /** 98 * Add the akismet option to the Jetpack options management whitelist. 99 * 100 * @param array $options The list of whitelisted option names. 101 * @return array The updated whitelist 102 */ 103 public static function add_to_jetpack_options_whitelist( $options ) { 104 $options[] = 'wordpress_api_key'; 105 return $options; 106 } 107 108 /** 109 * When the akismet option is updated, run the registration call. 110 * 111 * This should only be run when the option is updated from the Jetpack/WP.com 112 * API call, and only if the new key is different than the old key. 113 * 114 * @param mixed $old_value The old option value. 115 * @param mixed $value The new option value. 116 */ 117 public static function updated_option( $old_value, $value ) { 118 // Not an API call 119 if ( ! class_exists( 'WPCOM_JSON_API_Update_Option_Endpoint' ) ) { 120 return; 121 } 122 // Only run the registration if the old key is different. 123 if ( $old_value !== $value ) { 124 self::verify_key( $value ); 125 } 126 } 127 128 /** 129 * Treat the creation of an API key the same as updating the API key to a new value. 130 * 131 * @param mixed $option_name Will always be "wordpress_api_key", until something else hooks in here. 132 * @param mixed $value The option value. 133 */ 134 public static function added_option( $option_name, $value ) { 135 if ( 'wordpress_api_key' === $option_name ) { 136 return self::updated_option( '', $value ); 137 } 138 } 139 140 public static function rest_auto_check_comment( $commentdata ) { 141 return self::auto_check_comment( $commentdata, 'rest_api' ); 142 } 143 144 /** 145 * Check a comment for spam. 146 * 147 * @param array $commentdata 148 * @param string $context What kind of request triggered this comment check? Possible values are 'default', 'rest_api', and 'xml-rpc'. 149 * @return array|WP_Error Either the $commentdata array with additional entries related to its spam status 150 * or a WP_Error, if it's a REST API request and the comment should be discarded. 151 */ 152 public static function auto_check_comment( $commentdata, $context = 'default' ) { 153 // If no key is configured, then there's no point in doing any of this. 154 if ( ! self::get_api_key() ) { 155 return $commentdata; 156 } 157 158 self::$last_comment_result = null; 159 160 $comment = $commentdata; 161 162 $comment['user_ip'] = self::get_ip_address(); 163 $comment['user_agent'] = self::get_user_agent(); 164 $comment['referrer'] = self::get_referer(); 165 $comment['blog'] = get_option( 'home' ); 166 $comment['blog_lang'] = get_locale(); 167 $comment['blog_charset'] = get_option('blog_charset'); 168 $comment['permalink'] = get_permalink( $comment['comment_post_ID'] ); 169 170 if ( ! empty( $comment['user_ID'] ) ) { 171 $comment['user_role'] = Akismet::get_user_roles( $comment['user_ID'] ); 172 } 173 174 /** See filter documentation in init_hooks(). */ 175 $akismet_nonce_option = apply_filters( 'akismet_comment_nonce', get_option( 'akismet_comment_nonce' ) ); 176 $comment['akismet_comment_nonce'] = 'inactive'; 177 if ( $akismet_nonce_option == 'true' || $akismet_nonce_option == '' ) { 178 $comment['akismet_comment_nonce'] = 'failed'; 179 if ( isset( $_POST['akismet_comment_nonce'] ) && wp_verify_nonce( $_POST['akismet_comment_nonce'], 'akismet_comment_nonce_' . $comment['comment_post_ID'] ) ) 180 $comment['akismet_comment_nonce'] = 'passed'; 181 182 // comment reply in wp-admin 183 if ( isset( $_POST['_ajax_nonce-replyto-comment'] ) && check_ajax_referer( 'replyto-comment', '_ajax_nonce-replyto-comment' ) ) 184 $comment['akismet_comment_nonce'] = 'passed'; 185 186 } 187 188 if ( self::is_test_mode() ) 189 $comment['is_test'] = 'true'; 190 191 foreach( $_POST as $key => $value ) { 192 if ( is_string( $value ) ) 193 $comment["POST_{$key}"] = $value; 194 } 195 196 foreach ( $_SERVER as $key => $value ) { 197 if ( ! is_string( $value ) ) { 198 continue; 199 } 200 201 if ( preg_match( "/^HTTP_COOKIE/", $key ) ) { 202 continue; 203 } 204 205 // Send any potentially useful $_SERVER vars, but avoid sending junk we don't need. 206 if ( preg_match( "/^(HTTP_|REMOTE_ADDR|REQUEST_URI|DOCUMENT_URI)/", $key ) ) { 207 $comment[ "$key" ] = $value; 208 } 209 } 210 211 $post = get_post( $comment['comment_post_ID'] ); 212 213 if ( ! is_null( $post ) ) { 214 // $post can technically be null, although in the past, it's always been an indicator of another plugin interfering. 215 $comment[ 'comment_post_modified_gmt' ] = $post->post_modified_gmt; 216 } 217 218 $response = self::http_post( Akismet::build_query( $comment ), 'comment-check' ); 219 220 do_action( 'akismet_comment_check_response', $response ); 221 222 $commentdata['comment_as_submitted'] = array_intersect_key( $comment, self::$comment_as_submitted_allowed_keys ); 223 224 // Also include any form fields we inject into the comment form, like ak_js 225 foreach ( $_POST as $key => $value ) { 226 if ( is_string( $value ) && strpos( $key, 'ak_' ) === 0 ) { 227 $commentdata['comment_as_submitted'][ 'POST_' . $key ] = $value; 228 } 229 } 230 231 $commentdata['akismet_result'] = $response[1]; 232 233 if ( isset( $response[0]['x-akismet-pro-tip'] ) ) 234 $commentdata['akismet_pro_tip'] = $response[0]['x-akismet-pro-tip']; 235 236 if ( isset( $response[0]['x-akismet-error'] ) ) { 237 // An error occurred that we anticipated (like a suspended key) and want the user to act on. 238 // Send to moderation. 239 self::$last_comment_result = '0'; 240 } 241 else if ( 'true' == $response[1] ) { 242 // akismet_spam_count will be incremented later by comment_is_spam() 243 self::$last_comment_result = 'spam'; 244 245 $discard = ( isset( $commentdata['akismet_pro_tip'] ) && $commentdata['akismet_pro_tip'] === 'discard' && self::allow_discard() ); 246 247 do_action( 'akismet_spam_caught', $discard ); 248 249 if ( $discard ) { 250 // The spam is obvious, so we're bailing out early. 251 // akismet_result_spam() won't be called so bump the counter here 252 if ( $incr = apply_filters( 'akismet_spam_count_incr', 1 ) ) { 253 update_option( 'akismet_spam_count', get_option( 'akismet_spam_count' ) + $incr ); 254 } 255 256 if ( 'rest_api' === $context ) { 257 return new WP_Error( 'akismet_rest_comment_discarded', __( 'Comment discarded.', 'akismet' ) ); 258 } else if ( 'xml-rpc' === $context ) { 259 // If this is a pingback that we're pre-checking, the discard behavior is the same as the normal spam response behavior. 260 return $commentdata; 261 } else { 262 // Redirect back to the previous page, or failing that, the post permalink, or failing that, the homepage of the blog. 263 $redirect_to = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : ( $post ? get_permalink( $post ) : home_url() ); 264 wp_safe_redirect( esc_url_raw( $redirect_to ) ); 265 die(); 266 } 267 } 268 else if ( 'rest_api' === $context ) { 269 // The way the REST API structures its calls, we can set the comment_approved value right away. 270 $commentdata['comment_approved'] = 'spam'; 271 } 272 } 273 274 // if the response is neither true nor false, hold the comment for moderation and schedule a recheck 275 if ( 'true' != $response[1] && 'false' != $response[1] ) { 276 if ( !current_user_can('moderate_comments') ) { 277 // Comment status should be moderated 278 self::$last_comment_result = '0'; 279 } 280 281 if ( ! wp_next_scheduled( 'akismet_schedule_cron_recheck' ) ) { 282 wp_schedule_single_event( time() + 1200, 'akismet_schedule_cron_recheck' ); 283 do_action( 'akismet_scheduled_recheck', 'invalid-response-' . $response[1] ); 284 } 285 286 self::$prevent_moderation_email_for_these_comments[] = $commentdata; 287 } 288 289 // Delete old comments daily 290 if ( ! wp_next_scheduled( 'akismet_scheduled_delete' ) ) { 291 wp_schedule_event( time(), 'daily', 'akismet_scheduled_delete' ); 292 } 293 294 self::set_last_comment( $commentdata ); 295 self::fix_scheduled_recheck(); 296 297 return $commentdata; 298 } 299 300 public static function get_last_comment() { 301 return self::$last_comment; 302 } 303 304 public static function set_last_comment( $comment ) { 305 if ( is_null( $comment ) ) { 306 self::$last_comment = null; 307 } 308 else { 309 // We filter it here so that it matches the filtered comment data that we'll have to compare against later. 310 // wp_filter_comment expects comment_author_IP 311 self::$last_comment = wp_filter_comment( 312 array_merge( 313 array( 'comment_author_IP' => self::get_ip_address() ), 314 $comment 315 ) 316 ); 317 } 318 } 319 320 // this fires on wp_insert_comment. we can't update comment_meta when auto_check_comment() runs 321 // because we don't know the comment ID at that point. 322 public static function auto_check_update_meta( $id, $comment ) { 323 // wp_insert_comment() might be called in other contexts, so make sure this is the same comment 324 // as was checked by auto_check_comment 325 if ( is_object( $comment ) && !empty( self::$last_comment ) && is_array( self::$last_comment ) ) { 326 if ( self::matches_last_comment( $comment ) ) { 327 load_plugin_textdomain( 'akismet' ); 328 329 // normal result: true or false 330 if ( self::$last_comment['akismet_result'] == 'true' ) { 331 update_comment_meta( $comment->comment_ID, 'akismet_result', 'true' ); 332 self::update_comment_history( $comment->comment_ID, '', 'check-spam' ); 333 if ( $comment->comment_approved != 'spam' ) { 334 self::update_comment_history( 335 $comment->comment_ID, 336 '', 337 'status-changed-' . $comment->comment_approved 338 ); 339 } 340 } elseif ( self::$last_comment['akismet_result'] == 'false' ) { 341 update_comment_meta( $comment->comment_ID, 'akismet_result', 'false' ); 342 self::update_comment_history( $comment->comment_ID, '', 'check-ham' ); 343 // Status could be spam or trash, depending on the WP version and whether this change applies: 344 // https://core.trac.wordpress.org/changeset/34726 345 if ( $comment->comment_approved == 'spam' || $comment->comment_approved == 'trash' ) { 346 if ( function_exists( 'wp_check_comment_disallowed_list' ) ) { 347 if ( wp_check_comment_disallowed_list( $comment->comment_author, $comment->comment_author_email, $comment->comment_author_url, $comment->comment_content, $comment->comment_author_IP, $comment->comment_agent ) ) { 348 self::update_comment_history( $comment->comment_ID, '', 'wp-disallowed' ); 349 } else { 350 self::update_comment_history( $comment->comment_ID, '', 'status-changed-' . $comment->comment_approved ); 351 } 352 } else if ( function_exists( 'wp_blacklist_check' ) && wp_blacklist_check( $comment->comment_author, $comment->comment_author_email, $comment->comment_author_url, $comment->comment_content, $comment->comment_author_IP, $comment->comment_agent ) ) { 353 self::update_comment_history( $comment->comment_ID, '', 'wp-blacklisted' ); 354 } else { 355 self::update_comment_history( $comment->comment_ID, '', 'status-changed-' . $comment->comment_approved ); 356 } 357 } 358 } else { 359 // abnormal result: error 360 update_comment_meta( $comment->comment_ID, 'akismet_error', time() ); 361 self::update_comment_history( 362 $comment->comment_ID, 363 '', 364 'check-error', 365 array( 'response' => substr( self::$last_comment['akismet_result'], 0, 50 ) ) 366 ); 367 } 368 369 // record the complete original data as submitted for checking 370 if ( isset( self::$last_comment['comment_as_submitted'] ) ) { 371 update_comment_meta( $comment->comment_ID, 'akismet_as_submitted', self::$last_comment['comment_as_submitted'] ); 372 } 373 374 if ( isset( self::$last_comment['akismet_pro_tip'] ) ) { 375 update_comment_meta( $comment->comment_ID, 'akismet_pro_tip', self::$last_comment['akismet_pro_tip'] ); 376 } 377 } 378 } 379 } 380 381 public static function delete_old_comments() { 382 global $wpdb; 383 384 /** 385 * Determines how many comments will be deleted in each batch. 386 * 387 * @param int The default, as defined by AKISMET_DELETE_LIMIT. 388 */ 389 $delete_limit = apply_filters( 'akismet_delete_comment_limit', defined( 'AKISMET_DELETE_LIMIT' ) ? AKISMET_DELETE_LIMIT : 10000 ); 390 $delete_limit = max( 1, intval( $delete_limit ) ); 391 392 /** 393 * Determines how many days a comment will be left in the Spam queue before being deleted. 394 * 395 * @param int The default number of days. 396 */ 397 $delete_interval = apply_filters( 'akismet_delete_comment_interval', 15 ); 398 $delete_interval = max( 1, intval( $delete_interval ) ); 399 400 while ( $comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_id FROM {$wpdb->comments} WHERE DATE_SUB(NOW(), INTERVAL %d DAY) > comment_date_gmt AND comment_approved = 'spam' LIMIT %d", $delete_interval, $delete_limit ) ) ) { 401 if ( empty( $comment_ids ) ) 402 return; 403 404 $wpdb->queries = array(); 405 406 foreach ( $comment_ids as $comment_id ) { 407 do_action( 'delete_comment', $comment_id ); 408 do_action( 'akismet_batch_delete_count', __FUNCTION__ ); 409 } 410 411 // Prepared as strings since comment_id is an unsigned BIGINT, and using %d will constrain the value to the maximum signed BIGINT. 412 $format_string = implode( ", ", array_fill( 0, count( $comment_ids ), '%s' ) ); 413 414 $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->comments} WHERE comment_id IN ( " . $format_string . " )", $comment_ids ) ); 415 $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->commentmeta} WHERE comment_id IN ( " . $format_string . " )", $comment_ids ) ); 416 417 clean_comment_cache( $comment_ids ); 418 do_action( 'akismet_delete_comment_batch', count( $comment_ids ) ); 419 420 foreach ( $comment_ids as $comment_id ) { 421 do_action( 'deleted_comment', $comment_id ); 422 } 423 } 424 425 if ( apply_filters( 'akismet_optimize_table', ( mt_rand(1, 5000) == 11), $wpdb->comments ) ) // lucky number 426 $wpdb->query("OPTIMIZE TABLE {$wpdb->comments}"); 427 } 428 429 public static function delete_old_comments_meta() { 430 global $wpdb; 431 432 $interval = apply_filters( 'akismet_delete_commentmeta_interval', 15 ); 433 434 # enforce a minimum of 1 day 435 $interval = absint( $interval ); 436 if ( $interval < 1 ) 437 $interval = 1; 438 439 // akismet_as_submitted meta values are large, so expire them 440 // after $interval days regardless of the comment status 441 while ( $comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT m.comment_id FROM {$wpdb->commentmeta} as m INNER JOIN {$wpdb->comments} as c USING(comment_id) WHERE m.meta_key = 'akismet_as_submitted' AND DATE_SUB(NOW(), INTERVAL %d DAY) > c.comment_date_gmt LIMIT 10000", $interval ) ) ) { 442 if ( empty( $comment_ids ) ) 443 return; 444 445 $wpdb->queries = array(); 446 447 foreach ( $comment_ids as $comment_id ) { 448 delete_comment_meta( $comment_id, 'akismet_as_submitted' ); 449 do_action( 'akismet_batch_delete_count', __FUNCTION__ ); 450 } 451 452 do_action( 'akismet_delete_commentmeta_batch', count( $comment_ids ) ); 453 } 454 455 if ( apply_filters( 'akismet_optimize_table', ( mt_rand(1, 5000) == 11), $wpdb->commentmeta ) ) // lucky number 456 $wpdb->query("OPTIMIZE TABLE {$wpdb->commentmeta}"); 457 } 458 459 // Clear out comments meta that no longer have corresponding comments in the database 460 public static function delete_orphaned_commentmeta() { 461 global $wpdb; 462 463 $last_meta_id = 0; 464 $start_time = isset( $_SERVER['REQUEST_TIME_FLOAT'] ) ? $_SERVER['REQUEST_TIME_FLOAT'] : microtime( true ); 465 $max_exec_time = max( ini_get('max_execution_time') - 5, 3 ); 466 467 while ( $commentmeta_results = $wpdb->get_results( $wpdb->prepare( "SELECT m.meta_id, m.comment_id, m.meta_key FROM {$wpdb->commentmeta} as m LEFT JOIN {$wpdb->comments} as c USING(comment_id) WHERE c.comment_id IS NULL AND m.meta_id > %d ORDER BY m.meta_id LIMIT 1000", $last_meta_id ) ) ) { 468 if ( empty( $commentmeta_results ) ) 469 return; 470 471 $wpdb->queries = array(); 472 473 $commentmeta_deleted = 0; 474 475 foreach ( $commentmeta_results as $commentmeta ) { 476 if ( 'akismet_' == substr( $commentmeta->meta_key, 0, 8 ) ) { 477 delete_comment_meta( $commentmeta->comment_id, $commentmeta->meta_key ); 478 do_action( 'akismet_batch_delete_count', __FUNCTION__ ); 479 $commentmeta_deleted++; 480 } 481 482 $last_meta_id = $commentmeta->meta_id; 483 } 484 485 do_action( 'akismet_delete_commentmeta_batch', $commentmeta_deleted ); 486 487 // If we're getting close to max_execution_time, quit for this round. 488 if ( microtime(true) - $start_time > $max_exec_time ) 489 return; 490 } 491 492 if ( apply_filters( 'akismet_optimize_table', ( mt_rand(1, 5000) == 11), $wpdb->commentmeta ) ) // lucky number 493 $wpdb->query("OPTIMIZE TABLE {$wpdb->commentmeta}"); 494 } 495 496 // how many approved comments does this author have? 497 public static function get_user_comments_approved( $user_id, $comment_author_email, $comment_author, $comment_author_url ) { 498 global $wpdb; 499 500 if ( !empty( $user_id ) ) 501 return (int) $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->comments} WHERE user_id = %d AND comment_approved = 1", $user_id ) ); 502 503 if ( !empty( $comment_author_email ) ) 504 return (int) $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->comments} WHERE comment_author_email = %s AND comment_author = %s AND comment_author_url = %s AND comment_approved = 1", $comment_author_email, $comment_author, $comment_author_url ) ); 505 506 return 0; 507 } 508 509 // get the full comment history for a given comment, as an array in reverse chronological order 510 public static function get_comment_history( $comment_id ) { 511 $history = get_comment_meta( $comment_id, 'akismet_history', false ); 512 if ( empty( $history ) || empty( $history[ 0 ] ) ) { 513 return false; 514 } 515 516 /* 517 // To see all variants when testing. 518 $history[] = array( 'time' => 445856401, 'message' => 'Old versions of Akismet stored the message as a literal string in the commentmeta.', 'event' => null ); 519 $history[] = array( 'time' => 445856402, 'event' => 'recheck-spam' ); 520 $history[] = array( 'time' => 445856403, 'event' => 'check-spam' ); 521 $history[] = array( 'time' => 445856404, 'event' => 'recheck-ham' ); 522 $history[] = array( 'time' => 445856405, 'event' => 'check-ham' ); 523 $history[] = array( 'time' => 445856406, 'event' => 'wp-blacklisted' ); 524 $history[] = array( 'time' => 445856406, 'event' => 'wp-disallowed' ); 525 $history[] = array( 'time' => 445856407, 'event' => 'report-spam' ); 526 $history[] = array( 'time' => 445856408, 'event' => 'report-spam', 'user' => 'sam' ); 527 $history[] = array( 'message' => 'sam reported this comment as spam (hardcoded message).', 'time' => 445856400, 'event' => 'report-spam', 'user' => 'sam' ); 528 $history[] = array( 'time' => 445856409, 'event' => 'report-ham', 'user' => 'sam' ); 529 $history[] = array( 'message' => 'sam reported this comment as ham (hardcoded message).', 'time' => 445856400, 'event' => 'report-ham', 'user' => 'sam' ); // 530 $history[] = array( 'time' => 445856410, 'event' => 'cron-retry-spam' ); 531 $history[] = array( 'time' => 445856411, 'event' => 'cron-retry-ham' ); 532 $history[] = array( 'time' => 445856412, 'event' => 'check-error' ); // 533 $history[] = array( 'time' => 445856413, 'event' => 'check-error', 'meta' => array( 'response' => 'The server was taking a nap.' ) ); 534 $history[] = array( 'time' => 445856414, 'event' => 'recheck-error' ); // Should not generate a message. 535 $history[] = array( 'time' => 445856415, 'event' => 'recheck-error', 'meta' => array( 'response' => 'The server was taking a nap.' ) ); 536 $history[] = array( 'time' => 445856416, 'event' => 'status-changedtrash' ); 537 $history[] = array( 'time' => 445856417, 'event' => 'status-changedspam' ); 538 $history[] = array( 'time' => 445856418, 'event' => 'status-changedhold' ); 539 $history[] = array( 'time' => 445856419, 'event' => 'status-changedapprove' ); 540 $history[] = array( 'time' => 445856420, 'event' => 'status-changed-trash' ); 541 $history[] = array( 'time' => 445856421, 'event' => 'status-changed-spam' ); 542 $history[] = array( 'time' => 445856422, 'event' => 'status-changed-hold' ); 543 $history[] = array( 'time' => 445856423, 'event' => 'status-changed-approve' ); 544 $history[] = array( 'time' => 445856424, 'event' => 'status-trash', 'user' => 'sam' ); 545 $history[] = array( 'time' => 445856425, 'event' => 'status-spam', 'user' => 'sam' ); 546 $history[] = array( 'time' => 445856426, 'event' => 'status-hold', 'user' => 'sam' ); 547 $history[] = array( 'time' => 445856427, 'event' => 'status-approve', 'user' => 'sam' ); 548 */ 549 550 usort( $history, array( 'Akismet', '_cmp_time' ) ); 551 return $history; 552 } 553 554 /** 555 * Log an event for a given comment, storing it in comment_meta. 556 * 557 * @param int $comment_id The ID of the relevant comment. 558 * @param string $message The string description of the event. No longer used. 559 * @param string $event The event code. 560 * @param array $meta Metadata about the history entry. e.g., the user that reported or changed the status of a given comment. 561 */ 562 public static function update_comment_history( $comment_id, $message, $event=null, $meta=null ) { 563 global $current_user; 564 565 $user = ''; 566 567 $event = array( 568 'time' => self::_get_microtime(), 569 'event' => $event, 570 ); 571 572 if ( is_object( $current_user ) && isset( $current_user->user_login ) ) { 573 $event['user'] = $current_user->user_login; 574 } 575 576 if ( ! empty( $meta ) ) { 577 $event['meta'] = $meta; 578 } 579 580 // $unique = false so as to allow multiple values per comment 581 $r = add_comment_meta( $comment_id, 'akismet_history', $event, false ); 582 } 583 584 public static function check_db_comment( $id, $recheck_reason = 'recheck_queue' ) { 585 global $wpdb; 586 587 if ( ! self::get_api_key() ) { 588 return new WP_Error( 'akismet-not-configured', __( 'Akismet is not configured. Please enter an API key.', 'akismet' ) ); 589 } 590 591 $c = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->comments} WHERE comment_ID = %d", $id ), ARRAY_A ); 592 593 if ( ! $c ) { 594 return new WP_Error( 'invalid-comment-id', __( 'Comment not found.', 'akismet' ) ); 595 } 596 597 $c['user_ip'] = $c['comment_author_IP']; 598 $c['user_agent'] = $c['comment_agent']; 599 $c['referrer'] = ''; 600 $c['blog'] = get_option( 'home' ); 601 $c['blog_lang'] = get_locale(); 602 $c['blog_charset'] = get_option('blog_charset'); 603 $c['permalink'] = get_permalink($c['comment_post_ID']); 604 $c['recheck_reason'] = $recheck_reason; 605 606 $c['user_role'] = ''; 607 if ( ! empty( $c['user_ID'] ) ) { 608 $c['user_role'] = Akismet::get_user_roles( $c['user_ID'] ); 609 } 610 611 if ( self::is_test_mode() ) 612 $c['is_test'] = 'true'; 613 614 $response = self::http_post( Akismet::build_query( $c ), 'comment-check' ); 615 616 if ( ! empty( $response[1] ) ) { 617 return $response[1]; 618 } 619 620 return false; 621 } 622 623 public static function recheck_comment( $id, $recheck_reason = 'recheck_queue' ) { 624 add_comment_meta( $id, 'akismet_rechecking', true ); 625 626 $api_response = self::check_db_comment( $id, $recheck_reason ); 627 628 delete_comment_meta( $id, 'akismet_rechecking' ); 629 630 if ( is_wp_error( $api_response ) ) { 631 // Invalid comment ID. 632 } 633 else if ( 'true' === $api_response ) { 634 wp_set_comment_status( $id, 'spam' ); 635 update_comment_meta( $id, 'akismet_result', 'true' ); 636 delete_comment_meta( $id, 'akismet_error' ); 637 delete_comment_meta( $id, 'akismet_delayed_moderation_email' ); 638 Akismet::update_comment_history( $id, '', 'recheck-spam' ); 639 } 640 elseif ( 'false' === $api_response ) { 641 update_comment_meta( $id, 'akismet_result', 'false' ); 642 delete_comment_meta( $id, 'akismet_error' ); 643 delete_comment_meta( $id, 'akismet_delayed_moderation_email' ); 644 Akismet::update_comment_history( $id, '', 'recheck-ham' ); 645 } 646 else { 647 // abnormal result: error 648 update_comment_meta( $id, 'akismet_result', 'error' ); 649 Akismet::update_comment_history( 650 $id, 651 '', 652 'recheck-error', 653 array( 'response' => substr( $api_response, 0, 50 ) ) 654 ); 655 } 656 657 return $api_response; 658 } 659 660 public static function transition_comment_status( $new_status, $old_status, $comment ) { 661 662 if ( $new_status == $old_status ) 663 return; 664 665 if ( 'spam' === $new_status || 'spam' === $old_status ) { 666 // Clear the cache of the "X comments in your spam queue" count on the dashboard. 667 wp_cache_delete( 'akismet_spam_count', 'widget' ); 668 } 669 670 # we don't need to record a history item for deleted comments 671 if ( $new_status == 'delete' ) 672 return; 673 674 if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) && !current_user_can( 'moderate_comments' ) ) 675 return; 676 677 if ( defined('WP_IMPORTING') && WP_IMPORTING == true ) 678 return; 679 680 // if this is present, it means the status has been changed by a re-check, not an explicit user action 681 if ( get_comment_meta( $comment->comment_ID, 'akismet_rechecking' ) ) 682 return; 683 684 // Assumption alert: 685 // We want to submit comments to Akismet only when a moderator explicitly spams or approves it - not if the status 686 // is changed automatically by another plugin. Unfortunately WordPress doesn't provide an unambiguous way to 687 // determine why the transition_comment_status action was triggered. And there are several different ways by which 688 // to spam and unspam comments: bulk actions, ajax, links in moderation emails, the dashboard, and perhaps others. 689 // We'll assume that this is an explicit user action if certain POST/GET variables exist. 690 if ( 691 // status=spam: Marking as spam via the REST API or... 692 // status=unspam: I'm not sure. Maybe this used to be used instead of status=approved? Or the UI for removing from spam but not approving has been since removed?... 693 // status=approved: Unspamming via the REST API (Calypso) or... 694 ( isset( $_POST['status'] ) && in_array( $_POST['status'], array( 'spam', 'unspam', 'approved', ) ) ) 695 // spam=1: Clicking "Spam" underneath a comment in wp-admin and allowing the AJAX request to happen. 696 || ( isset( $_POST['spam'] ) && (int) $_POST['spam'] == 1 ) 697 // unspam=1: Clicking "Not Spam" underneath a comment in wp-admin and allowing the AJAX request to happen. Or, clicking "Undo" after marking something as spam. 698 || ( isset( $_POST['unspam'] ) && (int) $_POST['unspam'] == 1 ) 699 // comment_status=spam/unspam: It's unclear where this is happening. 700 || ( isset( $_POST['comment_status'] ) && in_array( $_POST['comment_status'], array( 'spam', 'unspam' ) ) ) 701 // action=spam: Choosing "Mark as Spam" from the Bulk Actions dropdown in wp-admin (or the "Spam it" link in notification emails). 702 // action=unspam: Choosing "Not Spam" from the Bulk Actions dropdown in wp-admin. 703 // action=spamcomment: Following the "Spam" link below a comment in wp-admin (not allowing AJAX request to happen). 704 // action=unspamcomment: Following the "Not Spam" link below a comment in wp-admin (not allowing AJAX request to happen). 705 || ( isset( $_GET['action'] ) && in_array( $_GET['action'], array( 'spam', 'unspam', 'spamcomment', 'unspamcomment', ) ) ) 706 // action=editedcomment: Editing a comment via wp-admin (and possibly changing its status). 707 || ( isset( $_POST['action'] ) && in_array( $_POST['action'], array( 'editedcomment' ) ) ) 708 // for=jetpack: Moderation via the WordPress app, Calypso, anything powered by the Jetpack connection. 709 || ( isset( $_GET['for'] ) && ( 'jetpack' == $_GET['for'] ) && ( ! defined( 'IS_WPCOM' ) || ! IS_WPCOM ) ) 710 // Certain WordPress.com API requests 711 || ( defined( 'REST_API_REQUEST' ) && REST_API_REQUEST ) 712 // WordPress.org REST API requests 713 || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) 714 ) { 715 if ( $new_status == 'spam' && ( $old_status == 'approved' || $old_status == 'unapproved' || !$old_status ) ) { 716 return self::submit_spam_comment( $comment->comment_ID ); 717 } elseif ( $old_status == 'spam' && ( $new_status == 'approved' || $new_status == 'unapproved' ) ) { 718 return self::submit_nonspam_comment( $comment->comment_ID ); 719 } 720 } 721 722 self::update_comment_history( $comment->comment_ID, '', 'status-' . $new_status ); 723 } 724 725 public static function submit_spam_comment( $comment_id ) { 726 global $wpdb, $current_user, $current_site; 727 728 $comment_id = (int) $comment_id; 729 730 $comment = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->comments} WHERE comment_ID = %d", $comment_id ) ); 731 732 if ( !$comment ) // it was deleted 733 return; 734 735 if ( 'spam' != $comment->comment_approved ) 736 return; 737 738 self::update_comment_history( $comment_id, '', 'report-spam' ); 739 740 // If the user hasn't configured Akismet, there's nothing else to do at this point. 741 if ( ! self::get_api_key() ) { 742 return; 743 } 744 745 // use the original version stored in comment_meta if available 746 $as_submitted = self::sanitize_comment_as_submitted( get_comment_meta( $comment_id, 'akismet_as_submitted', true ) ); 747 748 if ( $as_submitted && is_array( $as_submitted ) && isset( $as_submitted['comment_content'] ) ) 749 $comment = (object) array_merge( (array)$comment, $as_submitted ); 750 751 $comment->blog = get_option( 'home' ); 752 $comment->blog_lang = get_locale(); 753 $comment->blog_charset = get_option('blog_charset'); 754 $comment->permalink = get_permalink($comment->comment_post_ID); 755 756 if ( is_object($current_user) ) 757 $comment->reporter = $current_user->user_login; 758 759 if ( is_object($current_site) ) 760 $comment->site_domain = $current_site->domain; 761 762 $comment->user_role = ''; 763 if ( ! empty( $comment->user_ID ) ) { 764 $comment->user_role = Akismet::get_user_roles( $comment->user_ID ); 765 } 766 767 if ( self::is_test_mode() ) 768 $comment->is_test = 'true'; 769 770 $post = get_post( $comment->comment_post_ID ); 771 772 if ( ! is_null( $post ) ) { 773 $comment->comment_post_modified_gmt = $post->post_modified_gmt; 774 } 775 776 $response = Akismet::http_post( Akismet::build_query( $comment ), 'submit-spam' ); 777 778 update_comment_meta( $comment_id, 'akismet_user_result', 'true' ); 779 780 if ( $comment->reporter ) { 781 update_comment_meta( $comment_id, 'akismet_user', $comment->reporter ); 782 } 783 784 do_action('akismet_submit_spam_comment', $comment_id, $response[1]); 785 } 786 787 public static function submit_nonspam_comment( $comment_id ) { 788 global $wpdb, $current_user, $current_site; 789 790 $comment_id = (int) $comment_id; 791 792 $comment = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->comments} WHERE comment_ID = %d", $comment_id ) ); 793 if ( !$comment ) // it was deleted 794 return; 795 796 self::update_comment_history( $comment_id, '', 'report-ham' ); 797 798 // If the user hasn't configured Akismet, there's nothing else to do at this point. 799 if ( ! self::get_api_key() ) { 800 return; 801 } 802 803 // use the original version stored in comment_meta if available 804 $as_submitted = self::sanitize_comment_as_submitted( get_comment_meta( $comment_id, 'akismet_as_submitted', true ) ); 805 806 if ( $as_submitted && is_array($as_submitted) && isset($as_submitted['comment_content']) ) 807 $comment = (object) array_merge( (array)$comment, $as_submitted ); 808 809 $comment->blog = get_option( 'home' ); 810 $comment->blog_lang = get_locale(); 811 $comment->blog_charset = get_option('blog_charset'); 812 $comment->permalink = get_permalink( $comment->comment_post_ID ); 813 $comment->user_role = ''; 814 815 if ( is_object($current_user) ) 816 $comment->reporter = $current_user->user_login; 817 818 if ( is_object($current_site) ) 819 $comment->site_domain = $current_site->domain; 820 821 if ( ! empty( $comment->user_ID ) ) { 822 $comment->user_role = Akismet::get_user_roles( $comment->user_ID ); 823 } 824 825 if ( Akismet::is_test_mode() ) 826 $comment->is_test = 'true'; 827 828 $post = get_post( $comment->comment_post_ID ); 829 830 if ( ! is_null( $post ) ) { 831 $comment->comment_post_modified_gmt = $post->post_modified_gmt; 832 } 833 834 $response = self::http_post( Akismet::build_query( $comment ), 'submit-ham' ); 835 836 update_comment_meta( $comment_id, 'akismet_user_result', 'false' ); 837 838 if ( $comment->reporter ) { 839 update_comment_meta( $comment_id, 'akismet_user', $comment->reporter ); 840 } 841 842 do_action('akismet_submit_nonspam_comment', $comment_id, $response[1]); 843 } 844 845 public static function cron_recheck() { 846 global $wpdb; 847 848 $api_key = self::get_api_key(); 849 850 $status = self::verify_key( $api_key ); 851 if ( get_option( 'akismet_alert_code' ) || $status == 'invalid' ) { 852 // since there is currently a problem with the key, reschedule a check for 6 hours hence 853 wp_schedule_single_event( time() + 21600, 'akismet_schedule_cron_recheck' ); 854 do_action( 'akismet_scheduled_recheck', 'key-problem-' . get_option( 'akismet_alert_code' ) . '-' . $status ); 855 return false; 856 } 857 858 delete_option('akismet_available_servers'); 859 860 $comment_errors = $wpdb->get_col( "SELECT comment_id FROM {$wpdb->commentmeta} WHERE meta_key = 'akismet_error' LIMIT 100" ); 861 862 load_plugin_textdomain( 'akismet' ); 863 864 foreach ( (array) $comment_errors as $comment_id ) { 865 // if the comment no longer exists, or is too old, remove the meta entry from the queue to avoid getting stuck 866 $comment = get_comment( $comment_id ); 867 868 if ( 869 ! $comment // Comment has been deleted 870 || strtotime( $comment->comment_date_gmt ) < strtotime( "-15 days" ) // Comment is too old. 871 || $comment->comment_approved !== "0" // Comment is no longer in the Pending queue 872 ) { 873 delete_comment_meta( $comment_id, 'akismet_error' ); 874 delete_comment_meta( $comment_id, 'akismet_delayed_moderation_email' ); 875 continue; 876 } 877 878 add_comment_meta( $comment_id, 'akismet_rechecking', true ); 879 $status = self::check_db_comment( $comment_id, 'retry' ); 880 881 $event = ''; 882 if ( $status == 'true' ) { 883 $event = 'cron-retry-spam'; 884 } elseif ( $status == 'false' ) { 885 $event = 'cron-retry-ham'; 886 } 887 888 // If we got back a legit response then update the comment history 889 // other wise just bail now and try again later. No point in 890 // re-trying all the comments once we hit one failure. 891 if ( !empty( $event ) ) { 892 delete_comment_meta( $comment_id, 'akismet_error' ); 893 self::update_comment_history( $comment_id, '', $event ); 894 update_comment_meta( $comment_id, 'akismet_result', $status ); 895 // make sure the comment status is still pending. if it isn't, that means the user has already moved it elsewhere. 896 $comment = get_comment( $comment_id ); 897 if ( $comment && 'unapproved' == wp_get_comment_status( $comment_id ) ) { 898 if ( $status == 'true' ) { 899 wp_spam_comment( $comment_id ); 900 } elseif ( $status == 'false' ) { 901 // comment is good, but it's still in the pending queue. depending on the moderation settings 902 // we may need to change it to approved. 903 if ( check_comment($comment->comment_author, $comment->comment_author_email, $comment->comment_author_url, $comment->comment_content, $comment->comment_author_IP, $comment->comment_agent, $comment->comment_type) ) 904 wp_set_comment_status( $comment_id, 1 ); 905 else if ( get_comment_meta( $comment_id, 'akismet_delayed_moderation_email', true ) ) 906 wp_notify_moderator( $comment_id ); 907 } 908 } 909 910 delete_comment_meta( $comment_id, 'akismet_delayed_moderation_email' ); 911 } else { 912 // If this comment has been pending moderation for longer than MAX_DELAY_BEFORE_MODERATION_EMAIL, 913 // send a moderation email now. 914 if ( ( intval( gmdate( 'U' ) ) - strtotime( $comment->comment_date_gmt ) ) < self::MAX_DELAY_BEFORE_MODERATION_EMAIL ) { 915 delete_comment_meta( $comment_id, 'akismet_delayed_moderation_email' ); 916 wp_notify_moderator( $comment_id ); 917 } 918 919 delete_comment_meta( $comment_id, 'akismet_rechecking' ); 920 wp_schedule_single_event( time() + 1200, 'akismet_schedule_cron_recheck' ); 921 do_action( 'akismet_scheduled_recheck', 'check-db-comment-' . $status ); 922 return; 923 } 924 delete_comment_meta( $comment_id, 'akismet_rechecking' ); 925 } 926 927 $remaining = $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->commentmeta} WHERE meta_key = 'akismet_error'" ); 928 if ( $remaining && !wp_next_scheduled('akismet_schedule_cron_recheck') ) { 929 wp_schedule_single_event( time() + 1200, 'akismet_schedule_cron_recheck' ); 930 do_action( 'akismet_scheduled_recheck', 'remaining' ); 931 } 932 } 933 934 public static function fix_scheduled_recheck() { 935 $future_check = wp_next_scheduled( 'akismet_schedule_cron_recheck' ); 936 if ( !$future_check ) { 937 return; 938 } 939 940 if ( get_option( 'akismet_alert_code' ) > 0 ) { 941 return; 942 } 943 944 $check_range = time() + 1200; 945 if ( $future_check > $check_range ) { 946 wp_clear_scheduled_hook( 'akismet_schedule_cron_recheck' ); 947 wp_schedule_single_event( time() + 300, 'akismet_schedule_cron_recheck' ); 948 do_action( 'akismet_scheduled_recheck', 'fix-scheduled-recheck' ); 949 } 950 } 951 952 public static function add_comment_nonce( $post_id ) { 953 /** 954 * To disable the Akismet comment nonce, add a filter for the 'akismet_comment_nonce' tag 955 * and return any string value that is not 'true' or '' (empty string). 956 * 957 * Don't return boolean false, because that implies that the 'akismet_comment_nonce' option 958 * has not been set and that Akismet should just choose the default behavior for that 959 * situation. 960 */ 961 962 if ( ! self::get_api_key() ) { 963 return; 964 } 965 966 $akismet_comment_nonce_option = apply_filters( 'akismet_comment_nonce', get_option( 'akismet_comment_nonce' ) ); 967 968 if ( $akismet_comment_nonce_option == 'true' || $akismet_comment_nonce_option == '' ) { 969 echo '<p style="display: none;">'; 970 wp_nonce_field( 'akismet_comment_nonce_' . $post_id, 'akismet_comment_nonce', FALSE ); 971 echo '</p>'; 972 } 973 } 974 975 public static function is_test_mode() { 976 return defined('AKISMET_TEST_MODE') && AKISMET_TEST_MODE; 977 } 978 979 public static function allow_discard() { 980 if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) 981 return false; 982 if ( is_user_logged_in() ) 983 return false; 984 985 return ( get_option( 'akismet_strictness' ) === '1' ); 986 } 987 988 public static function get_ip_address() { 989 return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : null; 990 } 991 992 /** 993 * Do these two comments, without checking the comment_ID, "match"? 994 * 995 * @param mixed $comment1 A comment object or array. 996 * @param mixed $comment2 A comment object or array. 997 * @return bool Whether the two comments should be treated as the same comment. 998 */ 999 private static function comments_match( $comment1, $comment2 ) { 1000 $comment1 = (array) $comment1; 1001 $comment2 = (array) $comment2; 1002 1003 // Set default values for these strings that we check in order to simplify 1004 // the checks and avoid PHP warnings. 1005 if ( ! isset( $comment1['comment_author'] ) ) { 1006 $comment1['comment_author'] = ''; 1007 } 1008 1009 if ( ! isset( $comment2['comment_author'] ) ) { 1010 $comment2['comment_author'] = ''; 1011 } 1012 1013 if ( ! isset( $comment1['comment_author_email'] ) ) { 1014 $comment1['comment_author_email'] = ''; 1015 } 1016 1017 if ( ! isset( $comment2['comment_author_email'] ) ) { 1018 $comment2['comment_author_email'] = ''; 1019 } 1020 1021 $comments_match = ( 1022 isset( $comment1['comment_post_ID'], $comment2['comment_post_ID'] ) 1023 && intval( $comment1['comment_post_ID'] ) == intval( $comment2['comment_post_ID'] ) 1024 && ( 1025 // The comment author length max is 255 characters, limited by the TINYTEXT column type. 1026 // If the comment author includes multibyte characters right around the 255-byte mark, they 1027 // may be stripped when the author is saved in the DB, so a 300+ char author may turn into 1028 // a 253-char author when it's saved, not 255 exactly. The longest possible character is 1029 // theoretically 6 bytes, so we'll only look at the first 248 bytes to be safe. 1030 substr( $comment1['comment_author'], 0, 248 ) == substr( $comment2['comment_author'], 0, 248 ) 1031 || substr( stripslashes( $comment1['comment_author'] ), 0, 248 ) == substr( $comment2['comment_author'], 0, 248 ) 1032 || substr( $comment1['comment_author'], 0, 248 ) == substr( stripslashes( $comment2['comment_author'] ), 0, 248 ) 1033 // Certain long comment author names will be truncated to nothing, depending on their encoding. 1034 || ( ! $comment1['comment_author'] && strlen( $comment2['comment_author'] ) > 248 ) 1035 || ( ! $comment2['comment_author'] && strlen( $comment1['comment_author'] ) > 248 ) 1036 ) 1037 && ( 1038 // The email max length is 100 characters, limited by the VARCHAR(100) column type. 1039 // Same argument as above for only looking at the first 93 characters. 1040 substr( $comment1['comment_author_email'], 0, 93 ) == substr( $comment2['comment_author_email'], 0, 93 ) 1041 || substr( stripslashes( $comment1['comment_author_email'] ), 0, 93 ) == substr( $comment2['comment_author_email'], 0, 93 ) 1042 || substr( $comment1['comment_author_email'], 0, 93 ) == substr( stripslashes( $comment2['comment_author_email'] ), 0, 93 ) 1043 // Very long emails can be truncated and then stripped if the [0:100] substring isn't a valid address. 1044 || ( ! $comment1['comment_author_email'] && strlen( $comment2['comment_author_email'] ) > 100 ) 1045 || ( ! $comment2['comment_author_email'] && strlen( $comment1['comment_author_email'] ) > 100 ) 1046 ) 1047 ); 1048 1049 return $comments_match; 1050 } 1051 1052 // Does the supplied comment match the details of the one most recently stored in self::$last_comment? 1053 public static function matches_last_comment( $comment ) { 1054 return self::comments_match( self::$last_comment, $comment ); 1055 } 1056 1057 private static function get_user_agent() { 1058 return isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : null; 1059 } 1060 1061 private static function get_referer() { 1062 return isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : null; 1063 } 1064 1065 // return a comma-separated list of role names for the given user 1066 public static function get_user_roles( $user_id ) { 1067 $roles = false; 1068 1069 if ( !class_exists('WP_User') ) 1070 return false; 1071 1072 if ( $user_id > 0 ) { 1073 $comment_user = new WP_User( $user_id ); 1074 if ( isset( $comment_user->roles ) ) 1075 $roles = join( ',', $comment_user->roles ); 1076 } 1077 1078 if ( is_multisite() && is_super_admin( $user_id ) ) { 1079 if ( empty( $roles ) ) { 1080 $roles = 'super_admin'; 1081 } else { 1082 $comment_user->roles[] = 'super_admin'; 1083 $roles = join( ',', $comment_user->roles ); 1084 } 1085 } 1086 1087 return $roles; 1088 } 1089 1090 // filter handler used to return a spam result to pre_comment_approved 1091 public static function last_comment_status( $approved, $comment ) { 1092 if ( is_null( self::$last_comment_result ) ) { 1093 // We didn't have reason to store the result of the last check. 1094 return $approved; 1095 } 1096 1097 // Only do this if it's the correct comment 1098 if ( ! self::matches_last_comment( $comment ) ) { 1099 self::log( "comment_is_spam mismatched comment, returning unaltered $approved" ); 1100 return $approved; 1101 } 1102 1103 if ( 'trash' === $approved ) { 1104 // If the last comment we checked has had its approval set to 'trash', 1105 // then it failed the comment blacklist check. Let that blacklist override 1106 // the spam check, since users have the (valid) expectation that when 1107 // they fill out their blacklists, comments that match it will always 1108 // end up in the trash. 1109 return $approved; 1110 } 1111 1112 // bump the counter here instead of when the filter is added to reduce the possibility of overcounting 1113 if ( $incr = apply_filters('akismet_spam_count_incr', 1) ) 1114 update_option( 'akismet_spam_count', get_option('akismet_spam_count') + $incr ); 1115 1116 return self::$last_comment_result; 1117 } 1118 1119 /** 1120 * If Akismet is temporarily unreachable, we don't want to "spam" the blogger with 1121 * moderation emails for comments that will be automatically cleared or spammed on 1122 * the next retry. 1123 * 1124 * For comments that will be rechecked later, empty the list of email addresses that 1125 * the moderation email would be sent to. 1126 * 1127 * @param array $emails An array of email addresses that the moderation email will be sent to. 1128 * @param int $comment_id The ID of the relevant comment. 1129 * @return array An array of email addresses that the moderation email will be sent to. 1130 */ 1131 public static function disable_moderation_emails_if_unreachable( $emails, $comment_id ) { 1132 if ( ! empty( self::$prevent_moderation_email_for_these_comments ) && ! empty( $emails ) ) { 1133 $comment = get_comment( $comment_id ); 1134 1135 foreach ( self::$prevent_moderation_email_for_these_comments as $possible_match ) { 1136 if ( self::comments_match( $possible_match, $comment ) ) { 1137 update_comment_meta( $comment_id, 'akismet_delayed_moderation_email', true ); 1138 return array(); 1139 } 1140 } 1141 } 1142 1143 return $emails; 1144 } 1145 1146 public static function _cmp_time( $a, $b ) { 1147 return $a['time'] > $b['time'] ? -1 : 1; 1148 } 1149 1150 public static function _get_microtime() { 1151 $mtime = explode( ' ', microtime() ); 1152 return $mtime[1] + $mtime[0]; 1153 } 1154 1155 /** 1156 * Make a POST request to the Akismet API. 1157 * 1158 * @param string $request The body of the request. 1159 * @param string $path The path for the request. 1160 * @param string $ip The specific IP address to hit. 1161 * @return array A two-member array consisting of the headers and the response body, both empty in the case of a failure. 1162 */ 1163 public static function http_post( $request, $path, $ip=null ) { 1164 1165 $akismet_ua = sprintf( 'WordPress/%s | Akismet/%s', $GLOBALS['wp_version'], constant( 'AKISMET_VERSION' ) ); 1166 $akismet_ua = apply_filters( 'akismet_ua', $akismet_ua ); 1167 1168 $content_length = strlen( $request ); 1169 1170 $api_key = self::get_api_key(); 1171 $host = self::API_HOST; 1172 1173 if ( !empty( $api_key ) ) 1174 $host = $api_key.'.'.$host; 1175 1176 $http_host = $host; 1177 // use a specific IP if provided 1178 // needed by Akismet_Admin::check_server_connectivity() 1179 if ( $ip && long2ip( ip2long( $ip ) ) ) { 1180 $http_host = $ip; 1181 } 1182 1183 $http_args = array( 1184 'body' => $request, 1185 'headers' => array( 1186 'Content-Type' => 'application/x-www-form-urlencoded; charset=' . get_option( 'blog_charset' ), 1187 'Host' => $host, 1188 'User-Agent' => $akismet_ua, 1189 ), 1190 'httpversion' => '1.0', 1191 'timeout' => 15 1192 ); 1193 1194 $akismet_url = $http_akismet_url = "http://{$http_host}/1.1/{$path}"; 1195 1196 /** 1197 * Try SSL first; if that fails, try without it and don't try it again for a while. 1198 */ 1199 1200 $ssl = $ssl_failed = false; 1201 1202 // Check if SSL requests were disabled fewer than X hours ago. 1203 $ssl_disabled = get_option( 'akismet_ssl_disabled' ); 1204 1205 if ( $ssl_disabled && $ssl_disabled < ( time() - 60 * 60 * 24 ) ) { // 24 hours 1206 $ssl_disabled = false; 1207 delete_option( 'akismet_ssl_disabled' ); 1208 } 1209 else if ( $ssl_disabled ) { 1210 do_action( 'akismet_ssl_disabled' ); 1211 } 1212 1213 if ( ! $ssl_disabled && ( $ssl = wp_http_supports( array( 'ssl' ) ) ) ) { 1214 $akismet_url = set_url_scheme( $akismet_url, 'https' ); 1215 1216 do_action( 'akismet_https_request_pre' ); 1217 } 1218 1219 $response = wp_remote_post( $akismet_url, $http_args ); 1220 1221 Akismet::log( compact( 'akismet_url', 'http_args', 'response' ) ); 1222 1223 if ( $ssl && is_wp_error( $response ) ) { 1224 do_action( 'akismet_https_request_failure', $response ); 1225 1226 // Intermittent connection problems may cause the first HTTPS 1227 // request to fail and subsequent HTTP requests to succeed randomly. 1228 // Retry the HTTPS request once before disabling SSL for a time. 1229 $response = wp_remote_post( $akismet_url, $http_args ); 1230 1231 Akismet::log( compact( 'akismet_url', 'http_args', 'response' ) ); 1232 1233 if ( is_wp_error( $response ) ) { 1234 $ssl_failed = true; 1235 1236 do_action( 'akismet_https_request_failure', $response ); 1237 1238 do_action( 'akismet_http_request_pre' ); 1239 1240 // Try the request again without SSL. 1241 $response = wp_remote_post( $http_akismet_url, $http_args ); 1242 1243 Akismet::log( compact( 'http_akismet_url', 'http_args', 'response' ) ); 1244 } 1245 } 1246 1247 if ( is_wp_error( $response ) ) { 1248 do_action( 'akismet_request_failure', $response ); 1249 1250 return array( '', '' ); 1251 } 1252 1253 if ( $ssl_failed ) { 1254 // The request failed when using SSL but succeeded without it. Disable SSL for future requests. 1255 update_option( 'akismet_ssl_disabled', time() ); 1256 1257 do_action( 'akismet_https_disabled' ); 1258 } 1259 1260 $simplified_response = array( $response['headers'], $response['body'] ); 1261 1262 self::update_alert( $simplified_response ); 1263 1264 return $simplified_response; 1265 } 1266 1267 // given a response from an API call like check_key_status(), update the alert code options if an alert is present. 1268 public static function update_alert( $response ) { 1269 $alert_option_prefix = 'akismet_alert_'; 1270 $alert_header_prefix = 'x-akismet-alert-'; 1271 $alert_header_names = array( 1272 'code', 1273 'msg', 1274 'api-calls', 1275 'usage-limit', 1276 'upgrade-plan', 1277 'upgrade-url', 1278 ); 1279 1280 foreach( $alert_header_names as $alert_header_name ) { 1281 $value = null; 1282 if ( isset( $response[0][$alert_header_prefix . $alert_header_name] ) ) { 1283 $value = $response[0][$alert_header_prefix . $alert_header_name]; 1284 } 1285 1286 $option_name = $alert_option_prefix . str_replace( '-', '_', $alert_header_name ); 1287 if ( $value != get_option( $option_name ) ) { 1288 if ( ! $value ) { 1289 delete_option( $option_name ); 1290 } 1291 else { 1292 update_option( $option_name, $value ); 1293 } 1294 } 1295 } 1296 } 1297 1298 public static function load_form_js() { 1299 if ( function_exists( 'is_amp_endpoint' ) && is_amp_endpoint() ) { 1300 return; 1301 } 1302 1303 if ( ! self::get_api_key() ) { 1304 return; 1305 } 1306 1307 wp_register_script( 'akismet-form', plugin_dir_url( __FILE__ ) . '_inc/form.js', array(), AKISMET_VERSION, true ); 1308 wp_enqueue_script( 'akismet-form' ); 1309 } 1310 1311 /** 1312 * Mark form.js as deferred. Because nothing depends on it, it can run at any time 1313 * after it's loaded, and the browser won't have to wait for it to load to continue 1314 * parsing the rest of the page. 1315 */ 1316 public static function set_form_js_async( $tag, $handle, $src ) { 1317 if ( 'akismet-form' !== $handle ) { 1318 return $tag; 1319 } 1320 1321 return preg_replace( '/^<script /i', '<script defer ', $tag ); 1322 } 1323 1324 public static function inject_ak_js( $post_id ) { 1325 echo '<input type="hidden" id="ak_js" name="ak_js" value="' . mt_rand( 0, 250 ) . '"/>'; 1326 echo '<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100" style="display: none !important;"></textarea>'; 1327 } 1328 1329 private static function bail_on_activation( $message, $deactivate = true ) { 1330 ?> 1331 <!doctype html> 1332 <html> 1333 <head> 1334 <meta charset="<?php bloginfo( 'charset' ); ?>" /> 1335 <style> 1336 * { 1337 text-align: center; 1338 margin: 0; 1339 padding: 0; 1340 font-family: "Lucida Grande",Verdana,Arial,"Bitstream Vera Sans",sans-serif; 1341 } 1342 p { 1343 margin-top: 1em; 1344 font-size: 18px; 1345 } 1346 </style> 1347 </head> 1348 <body> 1349 <p><?php echo esc_html( $message ); ?></p> 1350 </body> 1351 </html> 1352 <?php 1353 if ( $deactivate ) { 1354 $plugins = get_option( 'active_plugins' ); 1355 $akismet = plugin_basename( AKISMET__PLUGIN_DIR . 'akismet.php' ); 1356 $update = false; 1357 foreach ( $plugins as $i => $plugin ) { 1358 if ( $plugin === $akismet ) { 1359 $plugins[$i] = false; 1360 $update = true; 1361 } 1362 } 1363 1364 if ( $update ) { 1365 update_option( 'active_plugins', array_filter( $plugins ) ); 1366 } 1367 } 1368 exit; 1369 } 1370 1371 public static function view( $name, array $args = array() ) { 1372 $args = apply_filters( 'akismet_view_arguments', $args, $name ); 1373 1374 foreach ( $args AS $key => $val ) { 1375 $$key = $val; 1376 } 1377 1378 load_plugin_textdomain( 'akismet' ); 1379 1380 $file = AKISMET__PLUGIN_DIR . 'views/'. $name . '.php'; 1381 1382 include( $file ); 1383 } 1384 1385 /** 1386 * Attached to activate_{ plugin_basename( __FILES__ ) } by register_activation_hook() 1387 * @static 1388 */ 1389 public static function plugin_activation() { 1390 if ( version_compare( $GLOBALS['wp_version'], AKISMET__MINIMUM_WP_VERSION, '<' ) ) { 1391 load_plugin_textdomain( 'akismet' ); 1392 1393 $message = '<strong>'.sprintf(esc_html__( 'Akismet %s requires WordPress %s or higher.' , 'akismet'), AKISMET_VERSION, AKISMET__MINIMUM_WP_VERSION ).'</strong> '.sprintf(__('Please <a href="%1$s">upgrade WordPress</a> to a current version, or <a href="%2$s">downgrade to version 2.4 of the Akismet plugin</a>.', 'akismet'), 'https://codex.wordpress.org/Upgrading_WordPress', 'https://wordpress.org/extend/plugins/akismet/download/'); 1394 1395 Akismet::bail_on_activation( $message ); 1396 } elseif ( ! empty( $_SERVER['SCRIPT_NAME'] ) && false !== strpos( $_SERVER['SCRIPT_NAME'], '/wp-admin/plugins.php' ) ) { 1397 add_option( 'Activated_Akismet', true ); 1398 } 1399 } 1400 1401 /** 1402 * Removes all connection options 1403 * @static 1404 */ 1405 public static function plugin_deactivation( ) { 1406 self::deactivate_key( self::get_api_key() ); 1407 1408 // Remove any scheduled cron jobs. 1409 $akismet_cron_events = array( 1410 'akismet_schedule_cron_recheck', 1411 'akismet_scheduled_delete', 1412 ); 1413 1414 foreach ( $akismet_cron_events as $akismet_cron_event ) { 1415 $timestamp = wp_next_scheduled( $akismet_cron_event ); 1416 1417 if ( $timestamp ) { 1418 wp_unschedule_event( $timestamp, $akismet_cron_event ); 1419 } 1420 } 1421 } 1422 1423 /** 1424 * Essentially a copy of WP's build_query but one that doesn't expect pre-urlencoded values. 1425 * 1426 * @param array $args An array of key => value pairs 1427 * @return string A string ready for use as a URL query string. 1428 */ 1429 public static function build_query( $args ) { 1430 return _http_build_query( $args, '', '&' ); 1431 } 1432 1433 /** 1434 * Log debugging info to the error log. 1435 * 1436 * Enabled when WP_DEBUG_LOG is enabled (and WP_DEBUG, since according to 1437 * core, "WP_DEBUG_DISPLAY and WP_DEBUG_LOG perform no function unless 1438 * WP_DEBUG is true), but can be disabled via the akismet_debug_log filter. 1439 * 1440 * @param mixed $akismet_debug The data to log. 1441 */ 1442 public static function log( $akismet_debug ) { 1443 if ( apply_filters( 'akismet_debug_log', defined( 'WP_DEBUG' ) && WP_DEBUG && defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG && defined( 'AKISMET_DEBUG' ) && AKISMET_DEBUG ) ) { 1444 error_log( print_r( compact( 'akismet_debug' ), true ) ); 1445 } 1446 } 1447 1448 public static function pre_check_pingback( $method ) { 1449 if ( $method !== 'pingback.ping' ) 1450 return; 1451 1452 // A lot of this code is tightly coupled with the IXR class because the xmlrpc_call action doesn't pass along any information besides the method name. 1453 // This ticket should hopefully fix that: https://core.trac.wordpress.org/ticket/52524 1454 // Until that happens, when it's a system.multicall, pre_check_pingback will be called once for every internal pingback call. 1455 // Keep track of how many times this function has been called so we know which call to reference in the XML. 1456 static $call_count = 0; 1457 1458 $call_count++; 1459 1460 global $wp_xmlrpc_server; 1461 1462 if ( !is_object( $wp_xmlrpc_server ) ) 1463 return false; 1464 1465 $is_multicall = false; 1466 $multicall_count = 0; 1467 1468 if ( 'system.multicall' === $wp_xmlrpc_server->message->methodName ) { 1469 $is_multicall = true; 1470 1471 if ( 0 === $call_count ) { 1472 // Only pass along the number of entries in the multicall the first time we see it. 1473 $multicall_count = count( $wp_xmlrpc_server->message->params ); 1474 } 1475 1476 /* 1477 * $wp_xmlrpc_server->message looks like this: 1478 * 1479 ( 1480 [message] => 1481 [messageType] => methodCall 1482 [faultCode] => 1483 [faultString] => 1484 [methodName] => system.multicall 1485 [params] => Array 1486 ( 1487 [0] => Array 1488 ( 1489 [methodName] => pingback.ping 1490 [params] => Array 1491 ( 1492 [0] => http://www.example.net/?p=1 // Site that created the pingback. 1493 [1] => https://www.example.com/?p=1 // Post being pingback'd on this site. 1494 ) 1495 ) 1496 [1] => Array 1497 ( 1498 [methodName] => pingback.ping 1499 [params] => Array 1500 ( 1501 [0] => http://www.example.net/?p=1 // Site that created the pingback. 1502 [1] => https://www.example.com/?p=2 // Post being pingback'd on this site. 1503 ) 1504 ) 1505 ) 1506 ) 1507 */ 1508 1509 // Use the params from the nth pingback.ping call in the multicall. 1510 $pingback_calls_found = 0; 1511 1512 foreach ( $wp_xmlrpc_server->message->params as $xmlrpc_action ) { 1513 if ( 'pingback.ping' === $xmlrpc_action['methodName'] ) { 1514 $pingback_calls_found++; 1515 } 1516 1517 if ( $call_count === $pingback_calls_found ) { 1518 $pingback_args = $xmlrpc_action['params']; 1519 break; 1520 } 1521 } 1522 } else { 1523 /* 1524 * $wp_xmlrpc_server->message looks like this: 1525 * 1526 ( 1527 [message] => 1528 [messageType] => methodCall 1529 [faultCode] => 1530 [faultString] => 1531 [methodName] => pingback.ping 1532 [params] => Array 1533 ( 1534 [0] => http://www.example.net/?p=1 // Site that created the pingback. 1535 [1] => https://www.example.com/?p=2 // Post being pingback'd on this site. 1536 ) 1537 ) 1538 */ 1539 $pingback_args = $wp_xmlrpc_server->message->params; 1540 } 1541 1542 if ( ! empty( $pingback_args[1] ) ) { 1543 $post_id = url_to_postid( $pingback_args[1] ); 1544 1545 // If pingbacks aren't open on this post, we'll still check whether this request is part of a potential DDOS, 1546 // but indicate to the server that pingbacks are indeed closed so we don't include this request in the user's stats, 1547 // since the user has already done their part by disabling pingbacks. 1548 $pingbacks_closed = false; 1549 1550 $post = get_post( $post_id ); 1551 1552 if ( ! $post || ! pings_open( $post ) ) { 1553 $pingbacks_closed = true; 1554 } 1555 1556 // Note: If is_multicall is true and multicall_count=0, then we know this is at least the 2nd pingback we've processed in this multicall. 1557 1558 $comment = array( 1559 'comment_author_url' => $pingback_args[0], 1560 'comment_post_ID' => $post_id, 1561 'comment_author' => '', 1562 'comment_author_email' => '', 1563 'comment_content' => '', 1564 'comment_type' => 'pingback', 1565 'akismet_pre_check' => '1', 1566 'comment_pingback_target' => $pingback_args[1], 1567 'pingbacks_closed' => $pingbacks_closed ? '1' : '0', 1568 'is_multicall' => $is_multicall, 1569 'multicall_count' => $multicall_count, 1570 ); 1571 1572 $comment = self::auto_check_comment( $comment, 'xml-rpc' ); 1573 1574 if ( isset( $comment['akismet_result'] ) && 'true' == $comment['akismet_result'] ) { 1575 // Sad: tightly coupled with the IXR classes. Unfortunately the action provides no context and no way to return anything. 1576 $wp_xmlrpc_server->error( new IXR_Error( 0, 'Invalid discovery target' ) ); 1577 1578 // Also note that if this was part of a multicall, a spam result will prevent the subsequent calls from being executed. 1579 // This is probably fine, but it raises the bar for what should be acceptable as a false positive. 1580 } 1581 } 1582 } 1583 1584 /** 1585 * Ensure that we are loading expected scalar values from akismet_as_submitted commentmeta. 1586 * 1587 * @param mixed $meta_value 1588 * @return mixed 1589 */ 1590 private static function sanitize_comment_as_submitted( $meta_value ) { 1591 if ( empty( $meta_value ) ) { 1592 return $meta_value; 1593 } 1594 1595 $meta_value = (array) $meta_value; 1596 1597 foreach ( $meta_value as $key => $value ) { 1598 if ( ! is_scalar( $value ) ) { 1599 unset( $meta_value[ $key ] ); 1600 } else { 1601 // These can change, so they're not explicitly listed in comment_as_submitted_allowed_keys. 1602 if ( strpos( $key, 'POST_ak_' ) === 0 ) { 1603 continue; 1604 } 1605 1606 if ( ! isset( self::$comment_as_submitted_allowed_keys[ $key ] ) ) { 1607 unset( $meta_value[ $key ] ); 1608 } 1609 } 1610 } 1611 1612 return $meta_value; 1613 } 1614 1615 public static function predefined_api_key() { 1616 if ( defined( 'WPCOM_API_KEY' ) ) { 1617 return true; 1618 } 1619 1620 return apply_filters( 'akismet_predefined_api_key', false ); 1621 } 1622 1623 /** 1624 * Controls the display of a privacy related notice underneath the comment form using the `akismet_comment_form_privacy_notice` option and filter respectively. 1625 * Default is top not display the notice, leaving the choice to site admins, or integrators. 1626 */ 1627 public static function display_comment_form_privacy_notice() { 1628 if ( 'display' !== apply_filters( 'akismet_comment_form_privacy_notice', get_option( 'akismet_comment_form_privacy_notice', 'hide' ) ) ) { 1629 return; 1630 } 1631 echo apply_filters( 1632 'akismet_comment_form_privacy_notice_markup', 1633 '<p class="akismet_comment_form_privacy_notice">' . sprintf( 1634 __( 'This site uses Akismet to reduce spam. <a href="%s" target="_blank" rel="nofollow noopener">Learn how your comment data is processed</a>.', 'akismet' ), 1635 'https://akismet.com/privacy/' 1636 ) . '</p>' 1637 ); 1638 } 1639 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
| Generated: Thu Oct 21 01:00:03 2021 | Cross-referenced by PHPXref 0.7.1 |