| [ Index ] |
PHP Cross Reference of WordPress |
[Summary view] [Print] [Text view]
1 <?php 2 3 class Akismet { 4 const API_HOST = 'rest.akismet.com'; 5 const API_PORT = 80; 6 const MAX_DELAY_BEFORE_MODERATION_EMAIL = 86400; // One day in seconds 7 8 private static $last_comment = ''; 9 private static $initiated = false; 10 private static $prevent_moderation_email_for_these_comments = array(); 11 private static $last_comment_result = null; 12 private static $comment_as_submitted_allowed_keys = array( 'blog' => '', 'blog_charset' => '', 'blog_lang' => '', 'blog_ua' => '', 'comment_agent' => '', 'comment_author' => '', 'comment_author_IP' => '', 'comment_author_email' => '', 'comment_author_url' => '', 'comment_content' => '', 'comment_date_gmt' => '', 'comment_tags' => '', 'comment_type' => '', 'guid' => '', 'is_test' => '', 'permalink' => '', 'reporter' => '', 'site_domain' => '', 'submit_referer' => '', 'submit_uri' => '', 'user_ID' => '', 'user_agent' => '', 'user_id' => '', 'user_ip' => '' ); 13 14 /** 15 * Is the comment check happening in the context of an API call? Of if false, then it's during the POST that happens after filling out a comment form. 16 * 17 * @var type bool 18 */ 19 private static $is_api_call = false; 20 21 public static function init() { 22 if ( ! self::$initiated ) { 23 self::init_hooks(); 24 } 25 } 26 27 /** 28 * Initializes WordPress hooks 29 */ 30 private static function init_hooks() { 31 self::$initiated = true; 32 33 add_action( 'wp_insert_comment', array( 'Akismet', 'auto_check_update_meta' ), 10, 2 ); 34 add_filter( 'preprocess_comment', array( 'Akismet', 'auto_check_comment' ), 1 ); 35 add_filter( 'rest_pre_insert_comment', array( 'Akismet', 'rest_auto_check_comment' ), 1 ); 36 37 add_action( 'akismet_scheduled_delete', array( 'Akismet', 'delete_old_comments' ) ); 38 add_action( 'akismet_scheduled_delete', array( 'Akismet', 'delete_old_comments_meta' ) ); 39 add_action( 'akismet_scheduled_delete', array( 'Akismet', 'delete_orphaned_commentmeta' ) ); 40 add_action( 'akismet_schedule_cron_recheck', array( 'Akismet', 'cron_recheck' ) ); 41 42 add_action( 'comment_form', array( 'Akismet', 'add_comment_nonce' ), 1 ); 43 44 add_action( 'admin_head-edit-comments.php', array( 'Akismet', 'load_form_js' ) ); 45 add_action( 'comment_form', array( 'Akismet', 'load_form_js' ) ); 46 add_action( 'comment_form', array( 'Akismet', 'inject_ak_js' ) ); 47 add_filter( 'script_loader_tag', array( 'Akismet', 'set_form_js_async' ), 10, 3 ); 48 49 add_filter( 'comment_moderation_recipients', array( 'Akismet', 'disable_moderation_emails_if_unreachable' ), 1000, 2 ); 50 add_filter( 'pre_comment_approved', array( 'Akismet', 'last_comment_status' ), 10, 2 ); 51 52 add_action( 'transition_comment_status', array( 'Akismet', 'transition_comment_status' ), 10, 3 ); 53 54 // Run this early in the pingback call, before doing a remote fetch of the source uri 55 add_action( 'xmlrpc_call', array( 'Akismet', 'pre_check_pingback' ) ); 56 57 // Jetpack compatibility 58 add_filter( 'jetpack_options_whitelist', array( 'Akismet', 'add_to_jetpack_options_whitelist' ) ); 59 add_action( 'update_option_wordpress_api_key', array( 'Akismet', 'updated_option' ), 10, 2 ); 60 add_action( 'add_option_wordpress_api_key', array( 'Akismet', 'added_option' ), 10, 2 ); 61 62 add_action( 'comment_form_after', array( 'Akismet', 'display_comment_form_privacy_notice' ) ); 63 } 64 65 public static function get_api_key() { 66 return apply_filters( 'akismet_get_api_key', defined('WPCOM_API_KEY') ? constant('WPCOM_API_KEY') : get_option('wordpress_api_key') ); 67 } 68 69 public static function check_key_status( $key, $ip = null ) { 70 return self::http_post( Akismet::build_query( array( 'key' => $key, 'blog' => get_option( 'home' ) ) ), 'verify-key', $ip ); 71 } 72 73 public static function verify_key( $key, $ip = null ) { 74 // Shortcut for obviously invalid keys. 75 if ( strlen( $key ) != 12 ) { 76 return 'invalid'; 77 } 78 79 $response = self::check_key_status( $key, $ip ); 80 81 if ( $response[1] != 'valid' && $response[1] != 'invalid' ) 82 return 'failed'; 83 84 return $response[1]; 85 } 86 87 public static function deactivate_key( $key ) { 88 $response = self::http_post( Akismet::build_query( array( 'key' => $key, 'blog' => get_option( 'home' ) ) ), 'deactivate' ); 89 90 if ( $response[1] != 'deactivated' ) 91 return 'failed'; 92 93 return $response[1]; 94 } 95 96 /** 97 * Add the akismet option to the Jetpack options management whitelist. 98 * 99 * @param array $options The list of whitelisted option names. 100 * @return array The updated whitelist 101 */ 102 public static function add_to_jetpack_options_whitelist( $options ) { 103 $options[] = 'wordpress_api_key'; 104 return $options; 105 } 106 107 /** 108 * When the akismet option is updated, run the registration call. 109 * 110 * This should only be run when the option is updated from the Jetpack/WP.com 111 * API call, and only if the new key is different than the old key. 112 * 113 * @param mixed $old_value The old option value. 114 * @param mixed $value The new option value. 115 */ 116 public static function updated_option( $old_value, $value ) { 117 // Not an API call 118 if ( ! class_exists( 'WPCOM_JSON_API_Update_Option_Endpoint' ) ) { 119 return; 120 } 121 // Only run the registration if the old key is different. 122 if ( $old_value !== $value ) { 123 self::verify_key( $value ); 124 } 125 } 126 127 /** 128 * Treat the creation of an API key the same as updating the API key to a new value. 129 * 130 * @param mixed $option_name Will always be "wordpress_api_key", until something else hooks in here. 131 * @param mixed $value The option value. 132 */ 133 public static function added_option( $option_name, $value ) { 134 if ( 'wordpress_api_key' === $option_name ) { 135 return self::updated_option( '', $value ); 136 } 137 } 138 139 public static function rest_auto_check_comment( $commentdata ) { 140 self::$is_api_call = true; 141 142 return self::auto_check_comment( $commentdata ); 143 } 144 145 public static function auto_check_comment( $commentdata ) { 146 // If no key is configured, then there's no point in doing any of this. 147 if ( ! self::get_api_key() ) { 148 return $commentdata; 149 } 150 151 self::$last_comment_result = null; 152 153 $comment = $commentdata; 154 155 $comment['user_ip'] = self::get_ip_address(); 156 $comment['user_agent'] = self::get_user_agent(); 157 $comment['referrer'] = self::get_referer(); 158 $comment['blog'] = get_option( 'home' ); 159 $comment['blog_lang'] = get_locale(); 160 $comment['blog_charset'] = get_option('blog_charset'); 161 $comment['permalink'] = get_permalink( $comment['comment_post_ID'] ); 162 163 if ( ! empty( $comment['user_ID'] ) ) { 164 $comment['user_role'] = Akismet::get_user_roles( $comment['user_ID'] ); 165 } 166 167 /** See filter documentation in init_hooks(). */ 168 $akismet_nonce_option = apply_filters( 'akismet_comment_nonce', get_option( 'akismet_comment_nonce' ) ); 169 $comment['akismet_comment_nonce'] = 'inactive'; 170 if ( $akismet_nonce_option == 'true' || $akismet_nonce_option == '' ) { 171 $comment['akismet_comment_nonce'] = 'failed'; 172 if ( isset( $_POST['akismet_comment_nonce'] ) && wp_verify_nonce( $_POST['akismet_comment_nonce'], 'akismet_comment_nonce_' . $comment['comment_post_ID'] ) ) 173 $comment['akismet_comment_nonce'] = 'passed'; 174 175 // comment reply in wp-admin 176 if ( isset( $_POST['_ajax_nonce-replyto-comment'] ) && check_ajax_referer( 'replyto-comment', '_ajax_nonce-replyto-comment' ) ) 177 $comment['akismet_comment_nonce'] = 'passed'; 178 179 } 180 181 if ( self::is_test_mode() ) 182 $comment['is_test'] = 'true'; 183 184 foreach( $_POST as $key => $value ) { 185 if ( is_string( $value ) ) 186 $comment["POST_{$key}"] = $value; 187 } 188 189 foreach ( $_SERVER as $key => $value ) { 190 if ( ! is_string( $value ) ) { 191 continue; 192 } 193 194 if ( preg_match( "/^HTTP_COOKIE/", $key ) ) { 195 continue; 196 } 197 198 // Send any potentially useful $_SERVER vars, but avoid sending junk we don't need. 199 if ( preg_match( "/^(HTTP_|REMOTE_ADDR|REQUEST_URI|DOCUMENT_URI)/", $key ) ) { 200 $comment[ "$key" ] = $value; 201 } 202 } 203 204 $post = get_post( $comment['comment_post_ID'] ); 205 206 if ( ! is_null( $post ) ) { 207 // $post can technically be null, although in the past, it's always been an indicator of another plugin interfering. 208 $comment[ 'comment_post_modified_gmt' ] = $post->post_modified_gmt; 209 } 210 211 $response = self::http_post( Akismet::build_query( $comment ), 'comment-check' ); 212 213 do_action( 'akismet_comment_check_response', $response ); 214 215 $commentdata['comment_as_submitted'] = array_intersect_key( $comment, self::$comment_as_submitted_allowed_keys ); 216 217 // Also include any form fields we inject into the comment form, like ak_js 218 foreach ( $_POST as $key => $value ) { 219 if ( is_string( $value ) && strpos( $key, 'ak_' ) === 0 ) { 220 $commentdata['comment_as_submitted'][ 'POST_' . $key ] = $value; 221 } 222 } 223 224 $commentdata['akismet_result'] = $response[1]; 225 226 if ( isset( $response[0]['x-akismet-pro-tip'] ) ) 227 $commentdata['akismet_pro_tip'] = $response[0]['x-akismet-pro-tip']; 228 229 if ( isset( $response[0]['x-akismet-error'] ) ) { 230 // An error occurred that we anticipated (like a suspended key) and want the user to act on. 231 // Send to moderation. 232 self::$last_comment_result = '0'; 233 } 234 else if ( 'true' == $response[1] ) { 235 // akismet_spam_count will be incremented later by comment_is_spam() 236 self::$last_comment_result = 'spam'; 237 238 $discard = ( isset( $commentdata['akismet_pro_tip'] ) && $commentdata['akismet_pro_tip'] === 'discard' && self::allow_discard() ); 239 240 do_action( 'akismet_spam_caught', $discard ); 241 242 if ( $discard ) { 243 // The spam is obvious, so we're bailing out early. 244 // akismet_result_spam() won't be called so bump the counter here 245 if ( $incr = apply_filters( 'akismet_spam_count_incr', 1 ) ) { 246 update_option( 'akismet_spam_count', get_option( 'akismet_spam_count' ) + $incr ); 247 } 248 249 if ( self::$is_api_call ) { 250 return new WP_Error( 'akismet_rest_comment_discarded', __( 'Comment discarded.', 'akismet' ) ); 251 } 252 else { 253 // Redirect back to the previous page, or failing that, the post permalink, or failing that, the homepage of the blog. 254 $redirect_to = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : ( $post ? get_permalink( $post ) : home_url() ); 255 wp_safe_redirect( esc_url_raw( $redirect_to ) ); 256 die(); 257 } 258 } 259 else if ( self::$is_api_call ) { 260 // The way the REST API structures its calls, we can set the comment_approved value right away. 261 $commentdata['comment_approved'] = 'spam'; 262 } 263 } 264 265 // if the response is neither true nor false, hold the comment for moderation and schedule a recheck 266 if ( 'true' != $response[1] && 'false' != $response[1] ) { 267 if ( !current_user_can('moderate_comments') ) { 268 // Comment status should be moderated 269 self::$last_comment_result = '0'; 270 } 271 272 if ( ! wp_next_scheduled( 'akismet_schedule_cron_recheck' ) ) { 273 wp_schedule_single_event( time() + 1200, 'akismet_schedule_cron_recheck' ); 274 do_action( 'akismet_scheduled_recheck', 'invalid-response-' . $response[1] ); 275 } 276 277 self::$prevent_moderation_email_for_these_comments[] = $commentdata; 278 } 279 280 // Delete old comments daily 281 if ( ! wp_next_scheduled( 'akismet_scheduled_delete' ) ) { 282 wp_schedule_event( time(), 'daily', 'akismet_scheduled_delete' ); 283 } 284 285 self::set_last_comment( $commentdata ); 286 self::fix_scheduled_recheck(); 287 288 return $commentdata; 289 } 290 291 public static function get_last_comment() { 292 return self::$last_comment; 293 } 294 295 public static function set_last_comment( $comment ) { 296 if ( is_null( $comment ) ) { 297 self::$last_comment = null; 298 } 299 else { 300 // We filter it here so that it matches the filtered comment data that we'll have to compare against later. 301 // wp_filter_comment expects comment_author_IP 302 self::$last_comment = wp_filter_comment( 303 array_merge( 304 array( 'comment_author_IP' => self::get_ip_address() ), 305 $comment 306 ) 307 ); 308 } 309 } 310 311 // this fires on wp_insert_comment. we can't update comment_meta when auto_check_comment() runs 312 // because we don't know the comment ID at that point. 313 public static function auto_check_update_meta( $id, $comment ) { 314 // wp_insert_comment() might be called in other contexts, so make sure this is the same comment 315 // as was checked by auto_check_comment 316 if ( is_object( $comment ) && !empty( self::$last_comment ) && is_array( self::$last_comment ) ) { 317 if ( self::matches_last_comment( $comment ) ) { 318 load_plugin_textdomain( 'akismet' ); 319 320 // normal result: true or false 321 if ( self::$last_comment['akismet_result'] == 'true' ) { 322 update_comment_meta( $comment->comment_ID, 'akismet_result', 'true' ); 323 self::update_comment_history( $comment->comment_ID, '', 'check-spam' ); 324 if ( $comment->comment_approved != 'spam' ) { 325 self::update_comment_history( 326 $comment->comment_ID, 327 '', 328 'status-changed-' . $comment->comment_approved 329 ); 330 } 331 } elseif ( self::$last_comment['akismet_result'] == 'false' ) { 332 update_comment_meta( $comment->comment_ID, 'akismet_result', 'false' ); 333 self::update_comment_history( $comment->comment_ID, '', 'check-ham' ); 334 // Status could be spam or trash, depending on the WP version and whether this change applies: 335 // https://core.trac.wordpress.org/changeset/34726 336 if ( $comment->comment_approved == 'spam' || $comment->comment_approved == 'trash' ) { 337 if ( function_exists( 'wp_check_comment_disallowed_list' ) ) { 338 if ( wp_check_comment_disallowed_list( $comment->comment_author, $comment->comment_author_email, $comment->comment_author_url, $comment->comment_content, $comment->comment_author_IP, $comment->comment_agent ) ) { 339 self::update_comment_history( $comment->comment_ID, '', 'wp-disallowed' ); 340 } else { 341 self::update_comment_history( $comment->comment_ID, '', 'status-changed-' . $comment->comment_approved ); 342 } 343 } else if ( function_exists( 'wp_blacklist_check' ) && wp_blacklist_check( $comment->comment_author, $comment->comment_author_email, $comment->comment_author_url, $comment->comment_content, $comment->comment_author_IP, $comment->comment_agent ) ) { 344 self::update_comment_history( $comment->comment_ID, '', 'wp-blacklisted' ); 345 } else { 346 self::update_comment_history( $comment->comment_ID, '', 'status-changed-' . $comment->comment_approved ); 347 } 348 } 349 } else { 350 // abnormal result: error 351 update_comment_meta( $comment->comment_ID, 'akismet_error', time() ); 352 self::update_comment_history( 353 $comment->comment_ID, 354 '', 355 'check-error', 356 array( 'response' => substr( self::$last_comment['akismet_result'], 0, 50 ) ) 357 ); 358 } 359 360 // record the complete original data as submitted for checking 361 if ( isset( self::$last_comment['comment_as_submitted'] ) ) { 362 update_comment_meta( $comment->comment_ID, 'akismet_as_submitted', self::$last_comment['comment_as_submitted'] ); 363 } 364 365 if ( isset( self::$last_comment['akismet_pro_tip'] ) ) { 366 update_comment_meta( $comment->comment_ID, 'akismet_pro_tip', self::$last_comment['akismet_pro_tip'] ); 367 } 368 } 369 } 370 } 371 372 public static function delete_old_comments() { 373 global $wpdb; 374 375 /** 376 * Determines how many comments will be deleted in each batch. 377 * 378 * @param int The default, as defined by AKISMET_DELETE_LIMIT. 379 */ 380 $delete_limit = apply_filters( 'akismet_delete_comment_limit', defined( 'AKISMET_DELETE_LIMIT' ) ? AKISMET_DELETE_LIMIT : 10000 ); 381 $delete_limit = max( 1, intval( $delete_limit ) ); 382 383 /** 384 * Determines how many days a comment will be left in the Spam queue before being deleted. 385 * 386 * @param int The default number of days. 387 */ 388 $delete_interval = apply_filters( 'akismet_delete_comment_interval', 15 ); 389 $delete_interval = max( 1, intval( $delete_interval ) ); 390 391 while ( $comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_id FROM {$wpdb->comments} WHERE DATE_SUB(NOW(), INTERVAL %d DAY) > comment_date_gmt AND comment_approved = 'spam' LIMIT %d", $delete_interval, $delete_limit ) ) ) { 392 if ( empty( $comment_ids ) ) 393 return; 394 395 $wpdb->queries = array(); 396 397 foreach ( $comment_ids as $comment_id ) { 398 do_action( 'delete_comment', $comment_id ); 399 do_action( 'akismet_batch_delete_count', __FUNCTION__ ); 400 } 401 402 // Prepared as strings since comment_id is an unsigned BIGINT, and using %d will constrain the value to the maximum signed BIGINT. 403 $format_string = implode( ", ", array_fill( 0, count( $comment_ids ), '%s' ) ); 404 405 $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->comments} WHERE comment_id IN ( " . $format_string . " )", $comment_ids ) ); 406 $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->commentmeta} WHERE comment_id IN ( " . $format_string . " )", $comment_ids ) ); 407 408 clean_comment_cache( $comment_ids ); 409 do_action( 'akismet_delete_comment_batch', count( $comment_ids ) ); 410 } 411 412 if ( apply_filters( 'akismet_optimize_table', ( mt_rand(1, 5000) == 11), $wpdb->comments ) ) // lucky number 413 $wpdb->query("OPTIMIZE TABLE {$wpdb->comments}"); 414 } 415 416 public static function delete_old_comments_meta() { 417 global $wpdb; 418 419 $interval = apply_filters( 'akismet_delete_commentmeta_interval', 15 ); 420 421 # enforce a minimum of 1 day 422 $interval = absint( $interval ); 423 if ( $interval < 1 ) 424 $interval = 1; 425 426 // akismet_as_submitted meta values are large, so expire them 427 // after $interval days regardless of the comment status 428 while ( $comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT m.comment_id FROM {$wpdb->commentmeta} as m INNER JOIN {$wpdb->comments} as c USING(comment_id) WHERE m.meta_key = 'akismet_as_submitted' AND DATE_SUB(NOW(), INTERVAL %d DAY) > c.comment_date_gmt LIMIT 10000", $interval ) ) ) { 429 if ( empty( $comment_ids ) ) 430 return; 431 432 $wpdb->queries = array(); 433 434 foreach ( $comment_ids as $comment_id ) { 435 delete_comment_meta( $comment_id, 'akismet_as_submitted' ); 436 do_action( 'akismet_batch_delete_count', __FUNCTION__ ); 437 } 438 439 do_action( 'akismet_delete_commentmeta_batch', count( $comment_ids ) ); 440 } 441 442 if ( apply_filters( 'akismet_optimize_table', ( mt_rand(1, 5000) == 11), $wpdb->commentmeta ) ) // lucky number 443 $wpdb->query("OPTIMIZE TABLE {$wpdb->commentmeta}"); 444 } 445 446 // Clear out comments meta that no longer have corresponding comments in the database 447 public static function delete_orphaned_commentmeta() { 448 global $wpdb; 449 450 $last_meta_id = 0; 451 $start_time = isset( $_SERVER['REQUEST_TIME_FLOAT'] ) ? $_SERVER['REQUEST_TIME_FLOAT'] : microtime( true ); 452 $max_exec_time = max( ini_get('max_execution_time') - 5, 3 ); 453 454 while ( $commentmeta_results = $wpdb->get_results( $wpdb->prepare( "SELECT m.meta_id, m.comment_id, m.meta_key FROM {$wpdb->commentmeta} as m LEFT JOIN {$wpdb->comments} as c USING(comment_id) WHERE c.comment_id IS NULL AND m.meta_id > %d ORDER BY m.meta_id LIMIT 1000", $last_meta_id ) ) ) { 455 if ( empty( $commentmeta_results ) ) 456 return; 457 458 $wpdb->queries = array(); 459 460 $commentmeta_deleted = 0; 461 462 foreach ( $commentmeta_results as $commentmeta ) { 463 if ( 'akismet_' == substr( $commentmeta->meta_key, 0, 8 ) ) { 464 delete_comment_meta( $commentmeta->comment_id, $commentmeta->meta_key ); 465 do_action( 'akismet_batch_delete_count', __FUNCTION__ ); 466 $commentmeta_deleted++; 467 } 468 469 $last_meta_id = $commentmeta->meta_id; 470 } 471 472 do_action( 'akismet_delete_commentmeta_batch', $commentmeta_deleted ); 473 474 // If we're getting close to max_execution_time, quit for this round. 475 if ( microtime(true) - $start_time > $max_exec_time ) 476 return; 477 } 478 479 if ( apply_filters( 'akismet_optimize_table', ( mt_rand(1, 5000) == 11), $wpdb->commentmeta ) ) // lucky number 480 $wpdb->query("OPTIMIZE TABLE {$wpdb->commentmeta}"); 481 } 482 483 // how many approved comments does this author have? 484 public static function get_user_comments_approved( $user_id, $comment_author_email, $comment_author, $comment_author_url ) { 485 global $wpdb; 486 487 if ( !empty( $user_id ) ) 488 return (int) $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->comments} WHERE user_id = %d AND comment_approved = 1", $user_id ) ); 489 490 if ( !empty( $comment_author_email ) ) 491 return (int) $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->comments} WHERE comment_author_email = %s AND comment_author = %s AND comment_author_url = %s AND comment_approved = 1", $comment_author_email, $comment_author, $comment_author_url ) ); 492 493 return 0; 494 } 495 496 // get the full comment history for a given comment, as an array in reverse chronological order 497 public static function get_comment_history( $comment_id ) { 498 $history = get_comment_meta( $comment_id, 'akismet_history', false ); 499 if ( empty( $history ) || empty( $history[ 0 ] ) ) { 500 return false; 501 } 502 503 /* 504 // To see all variants when testing. 505 $history[] = array( 'time' => 445856401, 'message' => 'Old versions of Akismet stored the message as a literal string in the commentmeta.', 'event' => null ); 506 $history[] = array( 'time' => 445856402, 'event' => 'recheck-spam' ); 507 $history[] = array( 'time' => 445856403, 'event' => 'check-spam' ); 508 $history[] = array( 'time' => 445856404, 'event' => 'recheck-ham' ); 509 $history[] = array( 'time' => 445856405, 'event' => 'check-ham' ); 510 $history[] = array( 'time' => 445856406, 'event' => 'wp-blacklisted' ); 511 $history[] = array( 'time' => 445856406, 'event' => 'wp-disallowed' ); 512 $history[] = array( 'time' => 445856407, 'event' => 'report-spam' ); 513 $history[] = array( 'time' => 445856408, 'event' => 'report-spam', 'user' => 'sam' ); 514 $history[] = array( 'message' => 'sam reported this comment as spam (hardcoded message).', 'time' => 445856400, 'event' => 'report-spam', 'user' => 'sam' ); 515 $history[] = array( 'time' => 445856409, 'event' => 'report-ham', 'user' => 'sam' ); 516 $history[] = array( 'message' => 'sam reported this comment as ham (hardcoded message).', 'time' => 445856400, 'event' => 'report-ham', 'user' => 'sam' ); // 517 $history[] = array( 'time' => 445856410, 'event' => 'cron-retry-spam' ); 518 $history[] = array( 'time' => 445856411, 'event' => 'cron-retry-ham' ); 519 $history[] = array( 'time' => 445856412, 'event' => 'check-error' ); // 520 $history[] = array( 'time' => 445856413, 'event' => 'check-error', 'meta' => array( 'response' => 'The server was taking a nap.' ) ); 521 $history[] = array( 'time' => 445856414, 'event' => 'recheck-error' ); // Should not generate a message. 522 $history[] = array( 'time' => 445856415, 'event' => 'recheck-error', 'meta' => array( 'response' => 'The server was taking a nap.' ) ); 523 $history[] = array( 'time' => 445856416, 'event' => 'status-changedtrash' ); 524 $history[] = array( 'time' => 445856417, 'event' => 'status-changedspam' ); 525 $history[] = array( 'time' => 445856418, 'event' => 'status-changedhold' ); 526 $history[] = array( 'time' => 445856419, 'event' => 'status-changedapprove' ); 527 $history[] = array( 'time' => 445856420, 'event' => 'status-changed-trash' ); 528 $history[] = array( 'time' => 445856421, 'event' => 'status-changed-spam' ); 529 $history[] = array( 'time' => 445856422, 'event' => 'status-changed-hold' ); 530 $history[] = array( 'time' => 445856423, 'event' => 'status-changed-approve' ); 531 $history[] = array( 'time' => 445856424, 'event' => 'status-trash', 'user' => 'sam' ); 532 $history[] = array( 'time' => 445856425, 'event' => 'status-spam', 'user' => 'sam' ); 533 $history[] = array( 'time' => 445856426, 'event' => 'status-hold', 'user' => 'sam' ); 534 $history[] = array( 'time' => 445856427, 'event' => 'status-approve', 'user' => 'sam' ); 535 */ 536 537 usort( $history, array( 'Akismet', '_cmp_time' ) ); 538 return $history; 539 } 540 541 /** 542 * Log an event for a given comment, storing it in comment_meta. 543 * 544 * @param int $comment_id The ID of the relevant comment. 545 * @param string $message The string description of the event. No longer used. 546 * @param string $event The event code. 547 * @param array $meta Metadata about the history entry. e.g., the user that reported or changed the status of a given comment. 548 */ 549 public static function update_comment_history( $comment_id, $message, $event=null, $meta=null ) { 550 global $current_user; 551 552 $user = ''; 553 554 $event = array( 555 'time' => self::_get_microtime(), 556 'event' => $event, 557 ); 558 559 if ( is_object( $current_user ) && isset( $current_user->user_login ) ) { 560 $event['user'] = $current_user->user_login; 561 } 562 563 if ( ! empty( $meta ) ) { 564 $event['meta'] = $meta; 565 } 566 567 // $unique = false so as to allow multiple values per comment 568 $r = add_comment_meta( $comment_id, 'akismet_history', $event, false ); 569 } 570 571 public static function check_db_comment( $id, $recheck_reason = 'recheck_queue' ) { 572 global $wpdb; 573 574 if ( ! self::get_api_key() ) { 575 return new WP_Error( 'akismet-not-configured', __( 'Akismet is not configured. Please enter an API key.', 'akismet' ) ); 576 } 577 578 $c = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->comments} WHERE comment_ID = %d", $id ), ARRAY_A ); 579 580 if ( ! $c ) { 581 return new WP_Error( 'invalid-comment-id', __( 'Comment not found.', 'akismet' ) ); 582 } 583 584 $c['user_ip'] = $c['comment_author_IP']; 585 $c['user_agent'] = $c['comment_agent']; 586 $c['referrer'] = ''; 587 $c['blog'] = get_option( 'home' ); 588 $c['blog_lang'] = get_locale(); 589 $c['blog_charset'] = get_option('blog_charset'); 590 $c['permalink'] = get_permalink($c['comment_post_ID']); 591 $c['recheck_reason'] = $recheck_reason; 592 593 $c['user_role'] = ''; 594 if ( ! empty( $c['user_ID'] ) ) { 595 $c['user_role'] = Akismet::get_user_roles( $c['user_ID'] ); 596 } 597 598 if ( self::is_test_mode() ) 599 $c['is_test'] = 'true'; 600 601 $response = self::http_post( Akismet::build_query( $c ), 'comment-check' ); 602 603 if ( ! empty( $response[1] ) ) { 604 return $response[1]; 605 } 606 607 return false; 608 } 609 610 public static function recheck_comment( $id, $recheck_reason = 'recheck_queue' ) { 611 add_comment_meta( $id, 'akismet_rechecking', true ); 612 613 $api_response = self::check_db_comment( $id, $recheck_reason ); 614 615 delete_comment_meta( $id, 'akismet_rechecking' ); 616 617 if ( is_wp_error( $api_response ) ) { 618 // Invalid comment ID. 619 } 620 else if ( 'true' === $api_response ) { 621 wp_set_comment_status( $id, 'spam' ); 622 update_comment_meta( $id, 'akismet_result', 'true' ); 623 delete_comment_meta( $id, 'akismet_error' ); 624 delete_comment_meta( $id, 'akismet_delayed_moderation_email' ); 625 Akismet::update_comment_history( $id, '', 'recheck-spam' ); 626 } 627 elseif ( 'false' === $api_response ) { 628 update_comment_meta( $id, 'akismet_result', 'false' ); 629 delete_comment_meta( $id, 'akismet_error' ); 630 delete_comment_meta( $id, 'akismet_delayed_moderation_email' ); 631 Akismet::update_comment_history( $id, '', 'recheck-ham' ); 632 } 633 else { 634 // abnormal result: error 635 update_comment_meta( $id, 'akismet_result', 'error' ); 636 Akismet::update_comment_history( 637 $id, 638 '', 639 'recheck-error', 640 array( 'response' => substr( $api_response, 0, 50 ) ) 641 ); 642 } 643 644 return $api_response; 645 } 646 647 public static function transition_comment_status( $new_status, $old_status, $comment ) { 648 649 if ( $new_status == $old_status ) 650 return; 651 652 if ( 'spam' === $new_status || 'spam' === $old_status ) { 653 // Clear the cache of the "X comments in your spam queue" count on the dashboard. 654 wp_cache_delete( 'akismet_spam_count', 'widget' ); 655 } 656 657 # we don't need to record a history item for deleted comments 658 if ( $new_status == 'delete' ) 659 return; 660 661 if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) && !current_user_can( 'moderate_comments' ) ) 662 return; 663 664 if ( defined('WP_IMPORTING') && WP_IMPORTING == true ) 665 return; 666 667 // if this is present, it means the status has been changed by a re-check, not an explicit user action 668 if ( get_comment_meta( $comment->comment_ID, 'akismet_rechecking' ) ) 669 return; 670 671 // Assumption alert: 672 // We want to submit comments to Akismet only when a moderator explicitly spams or approves it - not if the status 673 // is changed automatically by another plugin. Unfortunately WordPress doesn't provide an unambiguous way to 674 // determine why the transition_comment_status action was triggered. And there are several different ways by which 675 // to spam and unspam comments: bulk actions, ajax, links in moderation emails, the dashboard, and perhaps others. 676 // We'll assume that this is an explicit user action if certain POST/GET variables exist. 677 if ( 678 // status=spam: Marking as spam via the REST API or... 679 // status=unspam: I'm not sure. Maybe this used to be used instead of status=approved? Or the UI for removing from spam but not approving has been since removed?... 680 // status=approved: Unspamming via the REST API (Calypso) or... 681 ( isset( $_POST['status'] ) && in_array( $_POST['status'], array( 'spam', 'unspam', 'approved', ) ) ) 682 // spam=1: Clicking "Spam" underneath a comment in wp-admin and allowing the AJAX request to happen. 683 || ( isset( $_POST['spam'] ) && (int) $_POST['spam'] == 1 ) 684 // unspam=1: Clicking "Not Spam" underneath a comment in wp-admin and allowing the AJAX request to happen. Or, clicking "Undo" after marking something as spam. 685 || ( isset( $_POST['unspam'] ) && (int) $_POST['unspam'] == 1 ) 686 // comment_status=spam/unspam: It's unclear where this is happening. 687 || ( isset( $_POST['comment_status'] ) && in_array( $_POST['comment_status'], array( 'spam', 'unspam' ) ) ) 688 // action=spam: Choosing "Mark as Spam" from the Bulk Actions dropdown in wp-admin (or the "Spam it" link in notification emails). 689 // action=unspam: Choosing "Not Spam" from the Bulk Actions dropdown in wp-admin. 690 // action=spamcomment: Following the "Spam" link below a comment in wp-admin (not allowing AJAX request to happen). 691 // action=unspamcomment: Following the "Not Spam" link below a comment in wp-admin (not allowing AJAX request to happen). 692 || ( isset( $_GET['action'] ) && in_array( $_GET['action'], array( 'spam', 'unspam', 'spamcomment', 'unspamcomment', ) ) ) 693 // action=editedcomment: Editing a comment via wp-admin (and possibly changing its status). 694 || ( isset( $_POST['action'] ) && in_array( $_POST['action'], array( 'editedcomment' ) ) ) 695 // for=jetpack: Moderation via the WordPress app, Calypso, anything powered by the Jetpack connection. 696 || ( isset( $_GET['for'] ) && ( 'jetpack' == $_GET['for'] ) && ( ! defined( 'IS_WPCOM' ) || ! IS_WPCOM ) ) 697 // Certain WordPress.com API requests 698 || ( defined( 'REST_API_REQUEST' ) && REST_API_REQUEST ) 699 // WordPress.org REST API requests 700 || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) 701 ) { 702 if ( $new_status == 'spam' && ( $old_status == 'approved' || $old_status == 'unapproved' || !$old_status ) ) { 703 return self::submit_spam_comment( $comment->comment_ID ); 704 } elseif ( $old_status == 'spam' && ( $new_status == 'approved' || $new_status == 'unapproved' ) ) { 705 return self::submit_nonspam_comment( $comment->comment_ID ); 706 } 707 } 708 709 self::update_comment_history( $comment->comment_ID, '', 'status-' . $new_status ); 710 } 711 712 public static function submit_spam_comment( $comment_id ) { 713 global $wpdb, $current_user, $current_site; 714 715 $comment_id = (int) $comment_id; 716 717 $comment = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->comments} WHERE comment_ID = %d", $comment_id ) ); 718 719 if ( !$comment ) // it was deleted 720 return; 721 722 if ( 'spam' != $comment->comment_approved ) 723 return; 724 725 self::update_comment_history( $comment_id, '', 'report-spam' ); 726 727 // If the user hasn't configured Akismet, there's nothing else to do at this point. 728 if ( ! self::get_api_key() ) { 729 return; 730 } 731 732 // use the original version stored in comment_meta if available 733 $as_submitted = self::sanitize_comment_as_submitted( get_comment_meta( $comment_id, 'akismet_as_submitted', true ) ); 734 735 if ( $as_submitted && is_array( $as_submitted ) && isset( $as_submitted['comment_content'] ) ) 736 $comment = (object) array_merge( (array)$comment, $as_submitted ); 737 738 $comment->blog = get_option( 'home' ); 739 $comment->blog_lang = get_locale(); 740 $comment->blog_charset = get_option('blog_charset'); 741 $comment->permalink = get_permalink($comment->comment_post_ID); 742 743 if ( is_object($current_user) ) 744 $comment->reporter = $current_user->user_login; 745 746 if ( is_object($current_site) ) 747 $comment->site_domain = $current_site->domain; 748 749 $comment->user_role = ''; 750 if ( ! empty( $comment->user_ID ) ) { 751 $comment->user_role = Akismet::get_user_roles( $comment->user_ID ); 752 } 753 754 if ( self::is_test_mode() ) 755 $comment->is_test = 'true'; 756 757 $post = get_post( $comment->comment_post_ID ); 758 759 if ( ! is_null( $post ) ) { 760 $comment->comment_post_modified_gmt = $post->post_modified_gmt; 761 } 762 763 $response = Akismet::http_post( Akismet::build_query( $comment ), 'submit-spam' ); 764 765 update_comment_meta( $comment_id, 'akismet_user_result', 'true' ); 766 767 if ( $comment->reporter ) { 768 update_comment_meta( $comment_id, 'akismet_user', $comment->reporter ); 769 } 770 771 do_action('akismet_submit_spam_comment', $comment_id, $response[1]); 772 } 773 774 public static function submit_nonspam_comment( $comment_id ) { 775 global $wpdb, $current_user, $current_site; 776 777 $comment_id = (int) $comment_id; 778 779 $comment = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->comments} WHERE comment_ID = %d", $comment_id ) ); 780 if ( !$comment ) // it was deleted 781 return; 782 783 self::update_comment_history( $comment_id, '', 'report-ham' ); 784 785 // If the user hasn't configured Akismet, there's nothing else to do at this point. 786 if ( ! self::get_api_key() ) { 787 return; 788 } 789 790 // use the original version stored in comment_meta if available 791 $as_submitted = self::sanitize_comment_as_submitted( get_comment_meta( $comment_id, 'akismet_as_submitted', true ) ); 792 793 if ( $as_submitted && is_array($as_submitted) && isset($as_submitted['comment_content']) ) 794 $comment = (object) array_merge( (array)$comment, $as_submitted ); 795 796 $comment->blog = get_option( 'home' ); 797 $comment->blog_lang = get_locale(); 798 $comment->blog_charset = get_option('blog_charset'); 799 $comment->permalink = get_permalink( $comment->comment_post_ID ); 800 $comment->user_role = ''; 801 802 if ( is_object($current_user) ) 803 $comment->reporter = $current_user->user_login; 804 805 if ( is_object($current_site) ) 806 $comment->site_domain = $current_site->domain; 807 808 if ( ! empty( $comment->user_ID ) ) { 809 $comment->user_role = Akismet::get_user_roles( $comment->user_ID ); 810 } 811 812 if ( Akismet::is_test_mode() ) 813 $comment->is_test = 'true'; 814 815 $post = get_post( $comment->comment_post_ID ); 816 817 if ( ! is_null( $post ) ) { 818 $comment->comment_post_modified_gmt = $post->post_modified_gmt; 819 } 820 821 $response = self::http_post( Akismet::build_query( $comment ), 'submit-ham' ); 822 823 update_comment_meta( $comment_id, 'akismet_user_result', 'false' ); 824 825 if ( $comment->reporter ) { 826 update_comment_meta( $comment_id, 'akismet_user', $comment->reporter ); 827 } 828 829 do_action('akismet_submit_nonspam_comment', $comment_id, $response[1]); 830 } 831 832 public static function cron_recheck() { 833 global $wpdb; 834 835 $api_key = self::get_api_key(); 836 837 $status = self::verify_key( $api_key ); 838 if ( get_option( 'akismet_alert_code' ) || $status == 'invalid' ) { 839 // since there is currently a problem with the key, reschedule a check for 6 hours hence 840 wp_schedule_single_event( time() + 21600, 'akismet_schedule_cron_recheck' ); 841 do_action( 'akismet_scheduled_recheck', 'key-problem-' . get_option( 'akismet_alert_code' ) . '-' . $status ); 842 return false; 843 } 844 845 delete_option('akismet_available_servers'); 846 847 $comment_errors = $wpdb->get_col( "SELECT comment_id FROM {$wpdb->commentmeta} WHERE meta_key = 'akismet_error' LIMIT 100" ); 848 849 load_plugin_textdomain( 'akismet' ); 850 851 foreach ( (array) $comment_errors as $comment_id ) { 852 // if the comment no longer exists, or is too old, remove the meta entry from the queue to avoid getting stuck 853 $comment = get_comment( $comment_id ); 854 855 if ( 856 ! $comment // Comment has been deleted 857 || strtotime( $comment->comment_date_gmt ) < strtotime( "-15 days" ) // Comment is too old. 858 || $comment->comment_approved !== "0" // Comment is no longer in the Pending queue 859 ) { 860 delete_comment_meta( $comment_id, 'akismet_error' ); 861 delete_comment_meta( $comment_id, 'akismet_delayed_moderation_email' ); 862 continue; 863 } 864 865 add_comment_meta( $comment_id, 'akismet_rechecking', true ); 866 $status = self::check_db_comment( $comment_id, 'retry' ); 867 868 $event = ''; 869 if ( $status == 'true' ) { 870 $event = 'cron-retry-spam'; 871 } elseif ( $status == 'false' ) { 872 $event = 'cron-retry-ham'; 873 } 874 875 // If we got back a legit response then update the comment history 876 // other wise just bail now and try again later. No point in 877 // re-trying all the comments once we hit one failure. 878 if ( !empty( $event ) ) { 879 delete_comment_meta( $comment_id, 'akismet_error' ); 880 self::update_comment_history( $comment_id, '', $event ); 881 update_comment_meta( $comment_id, 'akismet_result', $status ); 882 // make sure the comment status is still pending. if it isn't, that means the user has already moved it elsewhere. 883 $comment = get_comment( $comment_id ); 884 if ( $comment && 'unapproved' == wp_get_comment_status( $comment_id ) ) { 885 if ( $status == 'true' ) { 886 wp_spam_comment( $comment_id ); 887 } elseif ( $status == 'false' ) { 888 // comment is good, but it's still in the pending queue. depending on the moderation settings 889 // we may need to change it to approved. 890 if ( check_comment($comment->comment_author, $comment->comment_author_email, $comment->comment_author_url, $comment->comment_content, $comment->comment_author_IP, $comment->comment_agent, $comment->comment_type) ) 891 wp_set_comment_status( $comment_id, 1 ); 892 else if ( get_comment_meta( $comment_id, 'akismet_delayed_moderation_email', true ) ) 893 wp_notify_moderator( $comment_id ); 894 } 895 } 896 897 delete_comment_meta( $comment_id, 'akismet_delayed_moderation_email' ); 898 } else { 899 // If this comment has been pending moderation for longer than MAX_DELAY_BEFORE_MODERATION_EMAIL, 900 // send a moderation email now. 901 if ( ( intval( gmdate( 'U' ) ) - strtotime( $comment->comment_date_gmt ) ) < self::MAX_DELAY_BEFORE_MODERATION_EMAIL ) { 902 delete_comment_meta( $comment_id, 'akismet_delayed_moderation_email' ); 903 wp_notify_moderator( $comment_id ); 904 } 905 906 delete_comment_meta( $comment_id, 'akismet_rechecking' ); 907 wp_schedule_single_event( time() + 1200, 'akismet_schedule_cron_recheck' ); 908 do_action( 'akismet_scheduled_recheck', 'check-db-comment-' . $status ); 909 return; 910 } 911 delete_comment_meta( $comment_id, 'akismet_rechecking' ); 912 } 913 914 $remaining = $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->commentmeta} WHERE meta_key = 'akismet_error'" ); 915 if ( $remaining && !wp_next_scheduled('akismet_schedule_cron_recheck') ) { 916 wp_schedule_single_event( time() + 1200, 'akismet_schedule_cron_recheck' ); 917 do_action( 'akismet_scheduled_recheck', 'remaining' ); 918 } 919 } 920 921 public static function fix_scheduled_recheck() { 922 $future_check = wp_next_scheduled( 'akismet_schedule_cron_recheck' ); 923 if ( !$future_check ) { 924 return; 925 } 926 927 if ( get_option( 'akismet_alert_code' ) > 0 ) { 928 return; 929 } 930 931 $check_range = time() + 1200; 932 if ( $future_check > $check_range ) { 933 wp_clear_scheduled_hook( 'akismet_schedule_cron_recheck' ); 934 wp_schedule_single_event( time() + 300, 'akismet_schedule_cron_recheck' ); 935 do_action( 'akismet_scheduled_recheck', 'fix-scheduled-recheck' ); 936 } 937 } 938 939 public static function add_comment_nonce( $post_id ) { 940 /** 941 * To disable the Akismet comment nonce, add a filter for the 'akismet_comment_nonce' tag 942 * and return any string value that is not 'true' or '' (empty string). 943 * 944 * Don't return boolean false, because that implies that the 'akismet_comment_nonce' option 945 * has not been set and that Akismet should just choose the default behavior for that 946 * situation. 947 */ 948 949 if ( ! self::get_api_key() ) { 950 return; 951 } 952 953 $akismet_comment_nonce_option = apply_filters( 'akismet_comment_nonce', get_option( 'akismet_comment_nonce' ) ); 954 955 if ( $akismet_comment_nonce_option == 'true' || $akismet_comment_nonce_option == '' ) { 956 echo '<p style="display: none;">'; 957 wp_nonce_field( 'akismet_comment_nonce_' . $post_id, 'akismet_comment_nonce', FALSE ); 958 echo '</p>'; 959 } 960 } 961 962 public static function is_test_mode() { 963 return defined('AKISMET_TEST_MODE') && AKISMET_TEST_MODE; 964 } 965 966 public static function allow_discard() { 967 if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) 968 return false; 969 if ( is_user_logged_in() ) 970 return false; 971 972 return ( get_option( 'akismet_strictness' ) === '1' ); 973 } 974 975 public static function get_ip_address() { 976 return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : null; 977 } 978 979 /** 980 * Do these two comments, without checking the comment_ID, "match"? 981 * 982 * @param mixed $comment1 A comment object or array. 983 * @param mixed $comment2 A comment object or array. 984 * @return bool Whether the two comments should be treated as the same comment. 985 */ 986 private static function comments_match( $comment1, $comment2 ) { 987 $comment1 = (array) $comment1; 988 $comment2 = (array) $comment2; 989 990 // Set default values for these strings that we check in order to simplify 991 // the checks and avoid PHP warnings. 992 if ( ! isset( $comment1['comment_author'] ) ) { 993 $comment1['comment_author'] = ''; 994 } 995 996 if ( ! isset( $comment2['comment_author'] ) ) { 997 $comment2['comment_author'] = ''; 998 } 999 1000 if ( ! isset( $comment1['comment_author_email'] ) ) { 1001 $comment1['comment_author_email'] = ''; 1002 } 1003 1004 if ( ! isset( $comment2['comment_author_email'] ) ) { 1005 $comment2['comment_author_email'] = ''; 1006 } 1007 1008 $comments_match = ( 1009 isset( $comment1['comment_post_ID'], $comment2['comment_post_ID'] ) 1010 && intval( $comment1['comment_post_ID'] ) == intval( $comment2['comment_post_ID'] ) 1011 && ( 1012 // The comment author length max is 255 characters, limited by the TINYTEXT column type. 1013 // If the comment author includes multibyte characters right around the 255-byte mark, they 1014 // may be stripped when the author is saved in the DB, so a 300+ char author may turn into 1015 // a 253-char author when it's saved, not 255 exactly. The longest possible character is 1016 // theoretically 6 bytes, so we'll only look at the first 248 bytes to be safe. 1017 substr( $comment1['comment_author'], 0, 248 ) == substr( $comment2['comment_author'], 0, 248 ) 1018 || substr( stripslashes( $comment1['comment_author'] ), 0, 248 ) == substr( $comment2['comment_author'], 0, 248 ) 1019 || substr( $comment1['comment_author'], 0, 248 ) == substr( stripslashes( $comment2['comment_author'] ), 0, 248 ) 1020 // Certain long comment author names will be truncated to nothing, depending on their encoding. 1021 || ( ! $comment1['comment_author'] && strlen( $comment2['comment_author'] ) > 248 ) 1022 || ( ! $comment2['comment_author'] && strlen( $comment1['comment_author'] ) > 248 ) 1023 ) 1024 && ( 1025 // The email max length is 100 characters, limited by the VARCHAR(100) column type. 1026 // Same argument as above for only looking at the first 93 characters. 1027 substr( $comment1['comment_author_email'], 0, 93 ) == substr( $comment2['comment_author_email'], 0, 93 ) 1028 || substr( stripslashes( $comment1['comment_author_email'] ), 0, 93 ) == substr( $comment2['comment_author_email'], 0, 93 ) 1029 || substr( $comment1['comment_author_email'], 0, 93 ) == substr( stripslashes( $comment2['comment_author_email'] ), 0, 93 ) 1030 // Very long emails can be truncated and then stripped if the [0:100] substring isn't a valid address. 1031 || ( ! $comment1['comment_author_email'] && strlen( $comment2['comment_author_email'] ) > 100 ) 1032 || ( ! $comment2['comment_author_email'] && strlen( $comment1['comment_author_email'] ) > 100 ) 1033 ) 1034 ); 1035 1036 return $comments_match; 1037 } 1038 1039 // Does the supplied comment match the details of the one most recently stored in self::$last_comment? 1040 public static function matches_last_comment( $comment ) { 1041 return self::comments_match( self::$last_comment, $comment ); 1042 } 1043 1044 private static function get_user_agent() { 1045 return isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : null; 1046 } 1047 1048 private static function get_referer() { 1049 return isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : null; 1050 } 1051 1052 // return a comma-separated list of role names for the given user 1053 public static function get_user_roles( $user_id ) { 1054 $roles = false; 1055 1056 if ( !class_exists('WP_User') ) 1057 return false; 1058 1059 if ( $user_id > 0 ) { 1060 $comment_user = new WP_User( $user_id ); 1061 if ( isset( $comment_user->roles ) ) 1062 $roles = join( ',', $comment_user->roles ); 1063 } 1064 1065 if ( is_multisite() && is_super_admin( $user_id ) ) { 1066 if ( empty( $roles ) ) { 1067 $roles = 'super_admin'; 1068 } else { 1069 $comment_user->roles[] = 'super_admin'; 1070 $roles = join( ',', $comment_user->roles ); 1071 } 1072 } 1073 1074 return $roles; 1075 } 1076 1077 // filter handler used to return a spam result to pre_comment_approved 1078 public static function last_comment_status( $approved, $comment ) { 1079 if ( is_null( self::$last_comment_result ) ) { 1080 // We didn't have reason to store the result of the last check. 1081 return $approved; 1082 } 1083 1084 // Only do this if it's the correct comment 1085 if ( ! self::matches_last_comment( $comment ) ) { 1086 self::log( "comment_is_spam mismatched comment, returning unaltered $approved" ); 1087 return $approved; 1088 } 1089 1090 if ( 'trash' === $approved ) { 1091 // If the last comment we checked has had its approval set to 'trash', 1092 // then it failed the comment blacklist check. Let that blacklist override 1093 // the spam check, since users have the (valid) expectation that when 1094 // they fill out their blacklists, comments that match it will always 1095 // end up in the trash. 1096 return $approved; 1097 } 1098 1099 // bump the counter here instead of when the filter is added to reduce the possibility of overcounting 1100 if ( $incr = apply_filters('akismet_spam_count_incr', 1) ) 1101 update_option( 'akismet_spam_count', get_option('akismet_spam_count') + $incr ); 1102 1103 return self::$last_comment_result; 1104 } 1105 1106 /** 1107 * If Akismet is temporarily unreachable, we don't want to "spam" the blogger with 1108 * moderation emails for comments that will be automatically cleared or spammed on 1109 * the next retry. 1110 * 1111 * For comments that will be rechecked later, empty the list of email addresses that 1112 * the moderation email would be sent to. 1113 * 1114 * @param array $emails An array of email addresses that the moderation email will be sent to. 1115 * @param int $comment_id The ID of the relevant comment. 1116 * @return array An array of email addresses that the moderation email will be sent to. 1117 */ 1118 public static function disable_moderation_emails_if_unreachable( $emails, $comment_id ) { 1119 if ( ! empty( self::$prevent_moderation_email_for_these_comments ) && ! empty( $emails ) ) { 1120 $comment = get_comment( $comment_id ); 1121 1122 foreach ( self::$prevent_moderation_email_for_these_comments as $possible_match ) { 1123 if ( self::comments_match( $possible_match, $comment ) ) { 1124 update_comment_meta( $comment_id, 'akismet_delayed_moderation_email', true ); 1125 return array(); 1126 } 1127 } 1128 } 1129 1130 return $emails; 1131 } 1132 1133 public static function _cmp_time( $a, $b ) { 1134 return $a['time'] > $b['time'] ? -1 : 1; 1135 } 1136 1137 public static function _get_microtime() { 1138 $mtime = explode( ' ', microtime() ); 1139 return $mtime[1] + $mtime[0]; 1140 } 1141 1142 /** 1143 * Make a POST request to the Akismet API. 1144 * 1145 * @param string $request The body of the request. 1146 * @param string $path The path for the request. 1147 * @param string $ip The specific IP address to hit. 1148 * @return array A two-member array consisting of the headers and the response body, both empty in the case of a failure. 1149 */ 1150 public static function http_post( $request, $path, $ip=null ) { 1151 1152 $akismet_ua = sprintf( 'WordPress/%s | Akismet/%s', $GLOBALS['wp_version'], constant( 'AKISMET_VERSION' ) ); 1153 $akismet_ua = apply_filters( 'akismet_ua', $akismet_ua ); 1154 1155 $content_length = strlen( $request ); 1156 1157 $api_key = self::get_api_key(); 1158 $host = self::API_HOST; 1159 1160 if ( !empty( $api_key ) ) 1161 $host = $api_key.'.'.$host; 1162 1163 $http_host = $host; 1164 // use a specific IP if provided 1165 // needed by Akismet_Admin::check_server_connectivity() 1166 if ( $ip && long2ip( ip2long( $ip ) ) ) { 1167 $http_host = $ip; 1168 } 1169 1170 $http_args = array( 1171 'body' => $request, 1172 'headers' => array( 1173 'Content-Type' => 'application/x-www-form-urlencoded; charset=' . get_option( 'blog_charset' ), 1174 'Host' => $host, 1175 'User-Agent' => $akismet_ua, 1176 ), 1177 'httpversion' => '1.0', 1178 'timeout' => 15 1179 ); 1180 1181 $akismet_url = $http_akismet_url = "http://{$http_host}/1.1/{$path}"; 1182 1183 /** 1184 * Try SSL first; if that fails, try without it and don't try it again for a while. 1185 */ 1186 1187 $ssl = $ssl_failed = false; 1188 1189 // Check if SSL requests were disabled fewer than X hours ago. 1190 $ssl_disabled = get_option( 'akismet_ssl_disabled' ); 1191 1192 if ( $ssl_disabled && $ssl_disabled < ( time() - 60 * 60 * 24 ) ) { // 24 hours 1193 $ssl_disabled = false; 1194 delete_option( 'akismet_ssl_disabled' ); 1195 } 1196 else if ( $ssl_disabled ) { 1197 do_action( 'akismet_ssl_disabled' ); 1198 } 1199 1200 if ( ! $ssl_disabled && ( $ssl = wp_http_supports( array( 'ssl' ) ) ) ) { 1201 $akismet_url = set_url_scheme( $akismet_url, 'https' ); 1202 1203 do_action( 'akismet_https_request_pre' ); 1204 } 1205 1206 $response = wp_remote_post( $akismet_url, $http_args ); 1207 1208 Akismet::log( compact( 'akismet_url', 'http_args', 'response' ) ); 1209 1210 if ( $ssl && is_wp_error( $response ) ) { 1211 do_action( 'akismet_https_request_failure', $response ); 1212 1213 // Intermittent connection problems may cause the first HTTPS 1214 // request to fail and subsequent HTTP requests to succeed randomly. 1215 // Retry the HTTPS request once before disabling SSL for a time. 1216 $response = wp_remote_post( $akismet_url, $http_args ); 1217 1218 Akismet::log( compact( 'akismet_url', 'http_args', 'response' ) ); 1219 1220 if ( is_wp_error( $response ) ) { 1221 $ssl_failed = true; 1222 1223 do_action( 'akismet_https_request_failure', $response ); 1224 1225 do_action( 'akismet_http_request_pre' ); 1226 1227 // Try the request again without SSL. 1228 $response = wp_remote_post( $http_akismet_url, $http_args ); 1229 1230 Akismet::log( compact( 'http_akismet_url', 'http_args', 'response' ) ); 1231 } 1232 } 1233 1234 if ( is_wp_error( $response ) ) { 1235 do_action( 'akismet_request_failure', $response ); 1236 1237 return array( '', '' ); 1238 } 1239 1240 if ( $ssl_failed ) { 1241 // The request failed when using SSL but succeeded without it. Disable SSL for future requests. 1242 update_option( 'akismet_ssl_disabled', time() ); 1243 1244 do_action( 'akismet_https_disabled' ); 1245 } 1246 1247 $simplified_response = array( $response['headers'], $response['body'] ); 1248 1249 self::update_alert( $simplified_response ); 1250 1251 return $simplified_response; 1252 } 1253 1254 // given a response from an API call like check_key_status(), update the alert code options if an alert is present. 1255 public static function update_alert( $response ) { 1256 $code = $msg = null; 1257 if ( isset( $response[0]['x-akismet-alert-code'] ) ) { 1258 $code = $response[0]['x-akismet-alert-code']; 1259 $msg = $response[0]['x-akismet-alert-msg']; 1260 } 1261 1262 // only call update_option() if the value has changed 1263 if ( $code != get_option( 'akismet_alert_code' ) ) { 1264 if ( ! $code ) { 1265 delete_option( 'akismet_alert_code' ); 1266 delete_option( 'akismet_alert_msg' ); 1267 } 1268 else { 1269 update_option( 'akismet_alert_code', $code ); 1270 update_option( 'akismet_alert_msg', $msg ); 1271 } 1272 } 1273 } 1274 1275 public static function load_form_js() { 1276 if ( function_exists( 'is_amp_endpoint' ) && is_amp_endpoint() ) { 1277 return; 1278 } 1279 1280 if ( ! self::get_api_key() ) { 1281 return; 1282 } 1283 1284 wp_register_script( 'akismet-form', plugin_dir_url( __FILE__ ) . '_inc/form.js', array(), AKISMET_VERSION, true ); 1285 wp_enqueue_script( 'akismet-form' ); 1286 } 1287 1288 /** 1289 * Mark form.js as async. Because nothing depends on it, it can run at any time 1290 * after it's loaded, and the browser won't have to wait for it to load to continue 1291 * parsing the rest of the page. 1292 */ 1293 public static function set_form_js_async( $tag, $handle, $src ) { 1294 if ( 'akismet-form' !== $handle ) { 1295 return $tag; 1296 } 1297 1298 return preg_replace( '/^<script /i', '<script async="async" ', $tag ); 1299 } 1300 1301 public static function inject_ak_js( $post_id ) { 1302 echo '<input type="hidden" id="ak_js" name="ak_js" value="' . mt_rand( 0, 250 ) . '"/>'; 1303 echo '<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100" style="display: none !important;"></textarea>'; 1304 } 1305 1306 private static function bail_on_activation( $message, $deactivate = true ) { 1307 ?> 1308 <!doctype html> 1309 <html> 1310 <head> 1311 <meta charset="<?php bloginfo( 'charset' ); ?>" /> 1312 <style> 1313 * { 1314 text-align: center; 1315 margin: 0; 1316 padding: 0; 1317 font-family: "Lucida Grande",Verdana,Arial,"Bitstream Vera Sans",sans-serif; 1318 } 1319 p { 1320 margin-top: 1em; 1321 font-size: 18px; 1322 } 1323 </style> 1324 </head> 1325 <body> 1326 <p><?php echo esc_html( $message ); ?></p> 1327 </body> 1328 </html> 1329 <?php 1330 if ( $deactivate ) { 1331 $plugins = get_option( 'active_plugins' ); 1332 $akismet = plugin_basename( AKISMET__PLUGIN_DIR . 'akismet.php' ); 1333 $update = false; 1334 foreach ( $plugins as $i => $plugin ) { 1335 if ( $plugin === $akismet ) { 1336 $plugins[$i] = false; 1337 $update = true; 1338 } 1339 } 1340 1341 if ( $update ) { 1342 update_option( 'active_plugins', array_filter( $plugins ) ); 1343 } 1344 } 1345 exit; 1346 } 1347 1348 public static function view( $name, array $args = array() ) { 1349 $args = apply_filters( 'akismet_view_arguments', $args, $name ); 1350 1351 foreach ( $args AS $key => $val ) { 1352 $$key = $val; 1353 } 1354 1355 load_plugin_textdomain( 'akismet' ); 1356 1357 $file = AKISMET__PLUGIN_DIR . 'views/'. $name . '.php'; 1358 1359 include( $file ); 1360 } 1361 1362 /** 1363 * Attached to activate_{ plugin_basename( __FILES__ ) } by register_activation_hook() 1364 * @static 1365 */ 1366 public static function plugin_activation() { 1367 if ( version_compare( $GLOBALS['wp_version'], AKISMET__MINIMUM_WP_VERSION, '<' ) ) { 1368 load_plugin_textdomain( 'akismet' ); 1369 1370 $message = '<strong>'.sprintf(esc_html__( 'Akismet %s requires WordPress %s or higher.' , 'akismet'), AKISMET_VERSION, AKISMET__MINIMUM_WP_VERSION ).'</strong> '.sprintf(__('Please <a href="%1$s">upgrade WordPress</a> to a current version, or <a href="%2$s">downgrade to version 2.4 of the Akismet plugin</a>.', 'akismet'), 'https://codex.wordpress.org/Upgrading_WordPress', 'https://wordpress.org/extend/plugins/akismet/download/'); 1371 1372 Akismet::bail_on_activation( $message ); 1373 } elseif ( ! empty( $_SERVER['SCRIPT_NAME'] ) && false !== strpos( $_SERVER['SCRIPT_NAME'], '/wp-admin/plugins.php' ) ) { 1374 add_option( 'Activated_Akismet', true ); 1375 } 1376 } 1377 1378 /** 1379 * Removes all connection options 1380 * @static 1381 */ 1382 public static function plugin_deactivation( ) { 1383 self::deactivate_key( self::get_api_key() ); 1384 1385 // Remove any scheduled cron jobs. 1386 $akismet_cron_events = array( 1387 'akismet_schedule_cron_recheck', 1388 'akismet_scheduled_delete', 1389 ); 1390 1391 foreach ( $akismet_cron_events as $akismet_cron_event ) { 1392 $timestamp = wp_next_scheduled( $akismet_cron_event ); 1393 1394 if ( $timestamp ) { 1395 wp_unschedule_event( $timestamp, $akismet_cron_event ); 1396 } 1397 } 1398 } 1399 1400 /** 1401 * Essentially a copy of WP's build_query but one that doesn't expect pre-urlencoded values. 1402 * 1403 * @param array $args An array of key => value pairs 1404 * @return string A string ready for use as a URL query string. 1405 */ 1406 public static function build_query( $args ) { 1407 return _http_build_query( $args, '', '&' ); 1408 } 1409 1410 /** 1411 * Log debugging info to the error log. 1412 * 1413 * Enabled when WP_DEBUG_LOG is enabled (and WP_DEBUG, since according to 1414 * core, "WP_DEBUG_DISPLAY and WP_DEBUG_LOG perform no function unless 1415 * WP_DEBUG is true), but can be disabled via the akismet_debug_log filter. 1416 * 1417 * @param mixed $akismet_debug The data to log. 1418 */ 1419 public static function log( $akismet_debug ) { 1420 if ( apply_filters( 'akismet_debug_log', defined( 'WP_DEBUG' ) && WP_DEBUG && defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG && defined( 'AKISMET_DEBUG' ) && AKISMET_DEBUG ) ) { 1421 error_log( print_r( compact( 'akismet_debug' ), true ) ); 1422 } 1423 } 1424 1425 public static function pre_check_pingback( $method ) { 1426 if ( $method !== 'pingback.ping' ) 1427 return; 1428 1429 // A lot of this code is tightly coupled with the IXR class because the xmlrpc_call action doesn't pass along any information besides the method name. 1430 // This ticket should hopefully fix that: https://core.trac.wordpress.org/ticket/52524 1431 // Until that happens, when it's a system.multicall, pre_check_pingback will be called once for every internal pingback call. 1432 // Keep track of how many times this function has been called so we know which call to reference in the XML. 1433 static $call_count = 0; 1434 1435 $call_count++; 1436 1437 global $wp_xmlrpc_server; 1438 1439 if ( !is_object( $wp_xmlrpc_server ) ) 1440 return false; 1441 1442 self::$is_api_call = true; 1443 1444 $is_multicall = false; 1445 $multicall_count = 0; 1446 1447 if ( 'system.multicall' === $wp_xmlrpc_server->message->methodName ) { 1448 $is_multicall = true; 1449 1450 if ( 0 === $call_count ) { 1451 // Only pass along the number of entries in the multicall the first time we see it. 1452 $multicall_count = count( $wp_xmlrpc_server->message->params ); 1453 } 1454 1455 /* 1456 * $wp_xmlrpc_server->message looks like this: 1457 * 1458 ( 1459 [message] => 1460 [messageType] => methodCall 1461 [faultCode] => 1462 [faultString] => 1463 [methodName] => system.multicall 1464 [params] => Array 1465 ( 1466 [0] => Array 1467 ( 1468 [methodName] => pingback.ping 1469 [params] => Array 1470 ( 1471 [0] => http://www.example.net/?p=1 // Site that created the pingback. 1472 [1] => https://www.example.com/?p=1 // Post being pingback'd on this site. 1473 ) 1474 ) 1475 [1] => Array 1476 ( 1477 [methodName] => pingback.ping 1478 [params] => Array 1479 ( 1480 [0] => http://www.example.net/?p=1 // Site that created the pingback. 1481 [1] => https://www.example.com/?p=2 // Post being pingback'd on this site. 1482 ) 1483 ) 1484 ) 1485 ) 1486 */ 1487 1488 // Use the params from the nth pingback.ping call in the multicall. 1489 $pingback_calls_found = 0; 1490 1491 foreach ( $wp_xmlrpc_server->message->params as $xmlrpc_action ) { 1492 if ( 'pingback.ping' === $xmlrpc_action['methodName'] ) { 1493 $pingback_calls_found++; 1494 } 1495 1496 if ( $call_count === $pingback_calls_found ) { 1497 $pingback_args = $xmlrpc_action['params']; 1498 break; 1499 } 1500 } 1501 } else { 1502 /* 1503 * $wp_xmlrpc_server->message looks like this: 1504 * 1505 ( 1506 [message] => 1507 [messageType] => methodCall 1508 [faultCode] => 1509 [faultString] => 1510 [methodName] => pingback.ping 1511 [params] => Array 1512 ( 1513 [0] => http://www.example.net/?p=1 // Site that created the pingback. 1514 [1] => https://www.example.com/?p=2 // Post being pingback'd on this site. 1515 ) 1516 ) 1517 */ 1518 $pingback_args = $wp_xmlrpc_server->message->params; 1519 } 1520 1521 if ( ! empty( $pingback_args[1] ) ) { 1522 $post_id = url_to_postid( $pingback_args[1] ); 1523 1524 // If pingbacks aren't open on this post, we'll still check whether this request is part of a potential DDOS, 1525 // but indicate to the server that pingbacks are indeed closed so we don't include this request in the user's stats, 1526 // since the user has already done their part by disabling pingbacks. 1527 $pingbacks_closed = false; 1528 1529 $post = get_post( $post_id ); 1530 1531 if ( ! $post || ! pings_open( $post ) ) { 1532 $pingbacks_closed = true; 1533 } 1534 1535 // Note: If is_multicall is true and multicall_count=0, then we know this is at least the 2nd pingback we've processed in this multicall. 1536 1537 $comment = array( 1538 'comment_author_url' => $pingback_args[0], 1539 'comment_post_ID' => $post_id, 1540 'comment_author' => '', 1541 'comment_author_email' => '', 1542 'comment_content' => '', 1543 'comment_type' => 'pingback', 1544 'akismet_pre_check' => '1', 1545 'comment_pingback_target' => $pingback_args[1], 1546 'pingbacks_closed' => $pingbacks_closed ? '1' : '0', 1547 'is_multicall' => $is_multicall, 1548 'multicall_count' => $multicall_count, 1549 ); 1550 1551 $comment = Akismet::auto_check_comment( $comment ); 1552 1553 if ( 1554 is_wp_error( $comment ) // This triggered a 'discard' directive. 1555 || ( isset( $comment['akismet_result'] ) && 'true' == $comment['akismet_result'] ) // It was just a normal spam response. 1556 ) { 1557 // Sad: tightly coupled with the IXR classes. Unfortunately the action provides no context and no way to return anything. 1558 $wp_xmlrpc_server->error( new IXR_Error( 0, 'Invalid discovery target' ) ); 1559 1560 // Also note that if this was part of a multicall, a spam result will prevent the subsequent calls from being executed. 1561 // This is probably fine, but it raises the bar for what should be acceptable as a false positive. 1562 } 1563 } 1564 } 1565 1566 /** 1567 * Ensure that we are loading expected scalar values from akismet_as_submitted commentmeta. 1568 * 1569 * @param mixed $meta_value 1570 * @return mixed 1571 */ 1572 private static function sanitize_comment_as_submitted( $meta_value ) { 1573 if ( empty( $meta_value ) ) { 1574 return $meta_value; 1575 } 1576 1577 $meta_value = (array) $meta_value; 1578 1579 foreach ( $meta_value as $key => $value ) { 1580 if ( ! is_scalar( $value ) ) { 1581 unset( $meta_value[ $key ] ); 1582 } else { 1583 // These can change, so they're not explicitly listed in comment_as_submitted_allowed_keys. 1584 if ( strpos( $key, 'POST_ak_' ) === 0 ) { 1585 continue; 1586 } 1587 1588 if ( ! isset( self::$comment_as_submitted_allowed_keys[ $key ] ) ) { 1589 unset( $meta_value[ $key ] ); 1590 } 1591 } 1592 } 1593 1594 return $meta_value; 1595 } 1596 1597 public static function predefined_api_key() { 1598 if ( defined( 'WPCOM_API_KEY' ) ) { 1599 return true; 1600 } 1601 1602 return apply_filters( 'akismet_predefined_api_key', false ); 1603 } 1604 1605 /** 1606 * Controls the display of a privacy related notice underneath the comment form using the `akismet_comment_form_privacy_notice` option and filter respectively. 1607 * Default is top not display the notice, leaving the choice to site admins, or integrators. 1608 */ 1609 public static function display_comment_form_privacy_notice() { 1610 if ( 'display' !== apply_filters( 'akismet_comment_form_privacy_notice', get_option( 'akismet_comment_form_privacy_notice', 'hide' ) ) ) { 1611 return; 1612 } 1613 echo apply_filters( 1614 'akismet_comment_form_privacy_notice_markup', 1615 '<p class="akismet_comment_form_privacy_notice">' . sprintf( 1616 __( 'This site uses Akismet to reduce spam. <a href="%s" target="_blank" rel="nofollow noopener">Learn how your comment data is processed</a>.', 'akismet' ), 1617 'https://akismet.com/privacy/' 1618 ) . '</p>' 1619 ); 1620 } 1621 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
| Generated: Mon Apr 19 01:00:04 2021 | Cross-referenced by PHPXref 0.7.1 |