| [ Index ] |
PHP Cross Reference of WordPress |
[Summary view] [Print] [Text view]
1 <?php 2 3 class Akismet { 4 const API_HOST = 'rest.akismet.com'; 5 const API_PORT = 80; 6 const MAX_DELAY_BEFORE_MODERATION_EMAIL = 86400; // One day in seconds 7 8 private static $last_comment = ''; 9 private static $initiated = false; 10 private static $prevent_moderation_email_for_these_comments = array(); 11 private static $last_comment_result = null; 12 private static $comment_as_submitted_allowed_keys = array( 'blog' => '', 'blog_charset' => '', 'blog_lang' => '', 'blog_ua' => '', 'comment_agent' => '', 'comment_author' => '', 'comment_author_IP' => '', 'comment_author_email' => '', 'comment_author_url' => '', 'comment_content' => '', 'comment_date_gmt' => '', 'comment_tags' => '', 'comment_type' => '', 'guid' => '', 'is_test' => '', 'permalink' => '', 'reporter' => '', 'site_domain' => '', 'submit_referer' => '', 'submit_uri' => '', 'user_ID' => '', 'user_agent' => '', 'user_id' => '', 'user_ip' => '' ); 13 14 public static function init() { 15 if ( ! self::$initiated ) { 16 self::init_hooks(); 17 } 18 } 19 20 /** 21 * Initializes WordPress hooks 22 */ 23 private static function init_hooks() { 24 self::$initiated = true; 25 26 add_action( 'wp_insert_comment', array( 'Akismet', 'auto_check_update_meta' ), 10, 2 ); 27 add_filter( 'preprocess_comment', array( 'Akismet', 'auto_check_comment' ), 1 ); 28 add_filter( 'rest_pre_insert_comment', array( 'Akismet', 'rest_auto_check_comment' ), 1 ); 29 30 add_action( 'akismet_scheduled_delete', array( 'Akismet', 'delete_old_comments' ) ); 31 add_action( 'akismet_scheduled_delete', array( 'Akismet', 'delete_old_comments_meta' ) ); 32 add_action( 'akismet_scheduled_delete', array( 'Akismet', 'delete_orphaned_commentmeta' ) ); 33 add_action( 'akismet_schedule_cron_recheck', array( 'Akismet', 'cron_recheck' ) ); 34 35 add_action( 'comment_form', array( 'Akismet', 'add_comment_nonce' ), 1 ); 36 37 add_action( 'admin_head-edit-comments.php', array( 'Akismet', 'load_form_js' ) ); 38 add_action( 'comment_form', array( 'Akismet', 'load_form_js' ) ); 39 add_action( 'comment_form', array( 'Akismet', 'inject_ak_js' ) ); 40 add_filter( 'script_loader_tag', array( 'Akismet', 'set_form_js_async' ), 10, 3 ); 41 42 add_filter( 'comment_moderation_recipients', array( 'Akismet', 'disable_moderation_emails_if_unreachable' ), 1000, 2 ); 43 add_filter( 'pre_comment_approved', array( 'Akismet', 'last_comment_status' ), 10, 2 ); 44 45 add_action( 'transition_comment_status', array( 'Akismet', 'transition_comment_status' ), 10, 3 ); 46 47 // Run this early in the pingback call, before doing a remote fetch of the source uri 48 add_action( 'xmlrpc_call', array( 'Akismet', 'pre_check_pingback' ) ); 49 50 // Jetpack compatibility 51 add_filter( 'jetpack_options_whitelist', array( 'Akismet', 'add_to_jetpack_options_whitelist' ) ); 52 add_action( 'update_option_wordpress_api_key', array( 'Akismet', 'updated_option' ), 10, 2 ); 53 add_action( 'add_option_wordpress_api_key', array( 'Akismet', 'added_option' ), 10, 2 ); 54 55 add_action( 'comment_form_after', array( 'Akismet', 'display_comment_form_privacy_notice' ) ); 56 } 57 58 public static function get_api_key() { 59 return apply_filters( 'akismet_get_api_key', defined('WPCOM_API_KEY') ? constant('WPCOM_API_KEY') : get_option('wordpress_api_key') ); 60 } 61 62 public static function check_key_status( $key, $ip = null ) { 63 return self::http_post( Akismet::build_query( array( 'key' => $key, 'blog' => get_option( 'home' ) ) ), 'verify-key', $ip ); 64 } 65 66 public static function verify_key( $key, $ip = null ) { 67 // Shortcut for obviously invalid keys. 68 if ( strlen( $key ) != 12 ) { 69 return 'invalid'; 70 } 71 72 $response = self::check_key_status( $key, $ip ); 73 74 if ( $response[1] != 'valid' && $response[1] != 'invalid' ) 75 return 'failed'; 76 77 return $response[1]; 78 } 79 80 public static function deactivate_key( $key ) { 81 $response = self::http_post( Akismet::build_query( array( 'key' => $key, 'blog' => get_option( 'home' ) ) ), 'deactivate' ); 82 83 if ( $response[1] != 'deactivated' ) 84 return 'failed'; 85 86 return $response[1]; 87 } 88 89 /** 90 * Add the akismet option to the Jetpack options management whitelist. 91 * 92 * @param array $options The list of whitelisted option names. 93 * @return array The updated whitelist 94 */ 95 public static function add_to_jetpack_options_whitelist( $options ) { 96 $options[] = 'wordpress_api_key'; 97 return $options; 98 } 99 100 /** 101 * When the akismet option is updated, run the registration call. 102 * 103 * This should only be run when the option is updated from the Jetpack/WP.com 104 * API call, and only if the new key is different than the old key. 105 * 106 * @param mixed $old_value The old option value. 107 * @param mixed $value The new option value. 108 */ 109 public static function updated_option( $old_value, $value ) { 110 // Not an API call 111 if ( ! class_exists( 'WPCOM_JSON_API_Update_Option_Endpoint' ) ) { 112 return; 113 } 114 // Only run the registration if the old key is different. 115 if ( $old_value !== $value ) { 116 self::verify_key( $value ); 117 } 118 } 119 120 /** 121 * Treat the creation of an API key the same as updating the API key to a new value. 122 * 123 * @param mixed $option_name Will always be "wordpress_api_key", until something else hooks in here. 124 * @param mixed $value The option value. 125 */ 126 public static function added_option( $option_name, $value ) { 127 if ( 'wordpress_api_key' === $option_name ) { 128 return self::updated_option( '', $value ); 129 } 130 } 131 132 public static function rest_auto_check_comment( $commentdata ) { 133 return self::auto_check_comment( $commentdata, 'rest_api' ); 134 } 135 136 /** 137 * Check a comment for spam. 138 * 139 * @param array $commentdata 140 * @param string $context What kind of request triggered this comment check? Possible values are 'default', 'rest_api', and 'xml-rpc'. 141 * @return array|WP_Error Either the $commentdata array with additional entries related to its spam status 142 * or a WP_Error, if it's a REST API request and the comment should be discarded. 143 */ 144 public static function auto_check_comment( $commentdata, $context = 'default' ) { 145 // If no key is configured, then there's no point in doing any of this. 146 if ( ! self::get_api_key() ) { 147 return $commentdata; 148 } 149 150 self::$last_comment_result = null; 151 152 $comment = $commentdata; 153 154 $comment['user_ip'] = self::get_ip_address(); 155 $comment['user_agent'] = self::get_user_agent(); 156 $comment['referrer'] = self::get_referer(); 157 $comment['blog'] = get_option( 'home' ); 158 $comment['blog_lang'] = get_locale(); 159 $comment['blog_charset'] = get_option('blog_charset'); 160 $comment['permalink'] = get_permalink( $comment['comment_post_ID'] ); 161 162 if ( ! empty( $comment['user_ID'] ) ) { 163 $comment['user_role'] = Akismet::get_user_roles( $comment['user_ID'] ); 164 } 165 166 /** See filter documentation in init_hooks(). */ 167 $akismet_nonce_option = apply_filters( 'akismet_comment_nonce', get_option( 'akismet_comment_nonce' ) ); 168 $comment['akismet_comment_nonce'] = 'inactive'; 169 if ( $akismet_nonce_option == 'true' || $akismet_nonce_option == '' ) { 170 $comment['akismet_comment_nonce'] = 'failed'; 171 if ( isset( $_POST['akismet_comment_nonce'] ) && wp_verify_nonce( $_POST['akismet_comment_nonce'], 'akismet_comment_nonce_' . $comment['comment_post_ID'] ) ) 172 $comment['akismet_comment_nonce'] = 'passed'; 173 174 // comment reply in wp-admin 175 if ( isset( $_POST['_ajax_nonce-replyto-comment'] ) && check_ajax_referer( 'replyto-comment', '_ajax_nonce-replyto-comment' ) ) 176 $comment['akismet_comment_nonce'] = 'passed'; 177 178 } 179 180 if ( self::is_test_mode() ) 181 $comment['is_test'] = 'true'; 182 183 foreach( $_POST as $key => $value ) { 184 if ( is_string( $value ) ) 185 $comment["POST_{$key}"] = $value; 186 } 187 188 foreach ( $_SERVER as $key => $value ) { 189 if ( ! is_string( $value ) ) { 190 continue; 191 } 192 193 if ( preg_match( "/^HTTP_COOKIE/", $key ) ) { 194 continue; 195 } 196 197 // Send any potentially useful $_SERVER vars, but avoid sending junk we don't need. 198 if ( preg_match( "/^(HTTP_|REMOTE_ADDR|REQUEST_URI|DOCUMENT_URI)/", $key ) ) { 199 $comment[ "$key" ] = $value; 200 } 201 } 202 203 $post = get_post( $comment['comment_post_ID'] ); 204 205 if ( ! is_null( $post ) ) { 206 // $post can technically be null, although in the past, it's always been an indicator of another plugin interfering. 207 $comment[ 'comment_post_modified_gmt' ] = $post->post_modified_gmt; 208 } 209 210 $response = self::http_post( Akismet::build_query( $comment ), 'comment-check' ); 211 212 do_action( 'akismet_comment_check_response', $response ); 213 214 $commentdata['comment_as_submitted'] = array_intersect_key( $comment, self::$comment_as_submitted_allowed_keys ); 215 216 // Also include any form fields we inject into the comment form, like ak_js 217 foreach ( $_POST as $key => $value ) { 218 if ( is_string( $value ) && strpos( $key, 'ak_' ) === 0 ) { 219 $commentdata['comment_as_submitted'][ 'POST_' . $key ] = $value; 220 } 221 } 222 223 $commentdata['akismet_result'] = $response[1]; 224 225 if ( isset( $response[0]['x-akismet-pro-tip'] ) ) 226 $commentdata['akismet_pro_tip'] = $response[0]['x-akismet-pro-tip']; 227 228 if ( isset( $response[0]['x-akismet-error'] ) ) { 229 // An error occurred that we anticipated (like a suspended key) and want the user to act on. 230 // Send to moderation. 231 self::$last_comment_result = '0'; 232 } 233 else if ( 'true' == $response[1] ) { 234 // akismet_spam_count will be incremented later by comment_is_spam() 235 self::$last_comment_result = 'spam'; 236 237 $discard = ( isset( $commentdata['akismet_pro_tip'] ) && $commentdata['akismet_pro_tip'] === 'discard' && self::allow_discard() ); 238 239 do_action( 'akismet_spam_caught', $discard ); 240 241 if ( $discard ) { 242 // The spam is obvious, so we're bailing out early. 243 // akismet_result_spam() won't be called so bump the counter here 244 if ( $incr = apply_filters( 'akismet_spam_count_incr', 1 ) ) { 245 update_option( 'akismet_spam_count', get_option( 'akismet_spam_count' ) + $incr ); 246 } 247 248 if ( 'rest_api' === $context ) { 249 return new WP_Error( 'akismet_rest_comment_discarded', __( 'Comment discarded.', 'akismet' ) ); 250 } else if ( 'xml-rpc' === $context ) { 251 // If this is a pingback that we're pre-checking, the discard behavior is the same as the normal spam response behavior. 252 return $commentdata; 253 } else { 254 // Redirect back to the previous page, or failing that, the post permalink, or failing that, the homepage of the blog. 255 $redirect_to = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : ( $post ? get_permalink( $post ) : home_url() ); 256 wp_safe_redirect( esc_url_raw( $redirect_to ) ); 257 die(); 258 } 259 } 260 else if ( 'rest_api' === $context ) { 261 // The way the REST API structures its calls, we can set the comment_approved value right away. 262 $commentdata['comment_approved'] = 'spam'; 263 } 264 } 265 266 // if the response is neither true nor false, hold the comment for moderation and schedule a recheck 267 if ( 'true' != $response[1] && 'false' != $response[1] ) { 268 if ( !current_user_can('moderate_comments') ) { 269 // Comment status should be moderated 270 self::$last_comment_result = '0'; 271 } 272 273 if ( ! wp_next_scheduled( 'akismet_schedule_cron_recheck' ) ) { 274 wp_schedule_single_event( time() + 1200, 'akismet_schedule_cron_recheck' ); 275 do_action( 'akismet_scheduled_recheck', 'invalid-response-' . $response[1] ); 276 } 277 278 self::$prevent_moderation_email_for_these_comments[] = $commentdata; 279 } 280 281 // Delete old comments daily 282 if ( ! wp_next_scheduled( 'akismet_scheduled_delete' ) ) { 283 wp_schedule_event( time(), 'daily', 'akismet_scheduled_delete' ); 284 } 285 286 self::set_last_comment( $commentdata ); 287 self::fix_scheduled_recheck(); 288 289 return $commentdata; 290 } 291 292 public static function get_last_comment() { 293 return self::$last_comment; 294 } 295 296 public static function set_last_comment( $comment ) { 297 if ( is_null( $comment ) ) { 298 self::$last_comment = null; 299 } 300 else { 301 // We filter it here so that it matches the filtered comment data that we'll have to compare against later. 302 // wp_filter_comment expects comment_author_IP 303 self::$last_comment = wp_filter_comment( 304 array_merge( 305 array( 'comment_author_IP' => self::get_ip_address() ), 306 $comment 307 ) 308 ); 309 } 310 } 311 312 // this fires on wp_insert_comment. we can't update comment_meta when auto_check_comment() runs 313 // because we don't know the comment ID at that point. 314 public static function auto_check_update_meta( $id, $comment ) { 315 // wp_insert_comment() might be called in other contexts, so make sure this is the same comment 316 // as was checked by auto_check_comment 317 if ( is_object( $comment ) && !empty( self::$last_comment ) && is_array( self::$last_comment ) ) { 318 if ( self::matches_last_comment( $comment ) ) { 319 load_plugin_textdomain( 'akismet' ); 320 321 // normal result: true or false 322 if ( self::$last_comment['akismet_result'] == 'true' ) { 323 update_comment_meta( $comment->comment_ID, 'akismet_result', 'true' ); 324 self::update_comment_history( $comment->comment_ID, '', 'check-spam' ); 325 if ( $comment->comment_approved != 'spam' ) { 326 self::update_comment_history( 327 $comment->comment_ID, 328 '', 329 'status-changed-' . $comment->comment_approved 330 ); 331 } 332 } elseif ( self::$last_comment['akismet_result'] == 'false' ) { 333 update_comment_meta( $comment->comment_ID, 'akismet_result', 'false' ); 334 self::update_comment_history( $comment->comment_ID, '', 'check-ham' ); 335 // Status could be spam or trash, depending on the WP version and whether this change applies: 336 // https://core.trac.wordpress.org/changeset/34726 337 if ( $comment->comment_approved == 'spam' || $comment->comment_approved == 'trash' ) { 338 if ( function_exists( 'wp_check_comment_disallowed_list' ) ) { 339 if ( wp_check_comment_disallowed_list( $comment->comment_author, $comment->comment_author_email, $comment->comment_author_url, $comment->comment_content, $comment->comment_author_IP, $comment->comment_agent ) ) { 340 self::update_comment_history( $comment->comment_ID, '', 'wp-disallowed' ); 341 } else { 342 self::update_comment_history( $comment->comment_ID, '', 'status-changed-' . $comment->comment_approved ); 343 } 344 } else if ( function_exists( 'wp_blacklist_check' ) && wp_blacklist_check( $comment->comment_author, $comment->comment_author_email, $comment->comment_author_url, $comment->comment_content, $comment->comment_author_IP, $comment->comment_agent ) ) { 345 self::update_comment_history( $comment->comment_ID, '', 'wp-blacklisted' ); 346 } else { 347 self::update_comment_history( $comment->comment_ID, '', 'status-changed-' . $comment->comment_approved ); 348 } 349 } 350 } else { 351 // abnormal result: error 352 update_comment_meta( $comment->comment_ID, 'akismet_error', time() ); 353 self::update_comment_history( 354 $comment->comment_ID, 355 '', 356 'check-error', 357 array( 'response' => substr( self::$last_comment['akismet_result'], 0, 50 ) ) 358 ); 359 } 360 361 // record the complete original data as submitted for checking 362 if ( isset( self::$last_comment['comment_as_submitted'] ) ) { 363 update_comment_meta( $comment->comment_ID, 'akismet_as_submitted', self::$last_comment['comment_as_submitted'] ); 364 } 365 366 if ( isset( self::$last_comment['akismet_pro_tip'] ) ) { 367 update_comment_meta( $comment->comment_ID, 'akismet_pro_tip', self::$last_comment['akismet_pro_tip'] ); 368 } 369 } 370 } 371 } 372 373 public static function delete_old_comments() { 374 global $wpdb; 375 376 /** 377 * Determines how many comments will be deleted in each batch. 378 * 379 * @param int The default, as defined by AKISMET_DELETE_LIMIT. 380 */ 381 $delete_limit = apply_filters( 'akismet_delete_comment_limit', defined( 'AKISMET_DELETE_LIMIT' ) ? AKISMET_DELETE_LIMIT : 10000 ); 382 $delete_limit = max( 1, intval( $delete_limit ) ); 383 384 /** 385 * Determines how many days a comment will be left in the Spam queue before being deleted. 386 * 387 * @param int The default number of days. 388 */ 389 $delete_interval = apply_filters( 'akismet_delete_comment_interval', 15 ); 390 $delete_interval = max( 1, intval( $delete_interval ) ); 391 392 while ( $comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_id FROM {$wpdb->comments} WHERE DATE_SUB(NOW(), INTERVAL %d DAY) > comment_date_gmt AND comment_approved = 'spam' LIMIT %d", $delete_interval, $delete_limit ) ) ) { 393 if ( empty( $comment_ids ) ) 394 return; 395 396 $wpdb->queries = array(); 397 398 foreach ( $comment_ids as $comment_id ) { 399 do_action( 'delete_comment', $comment_id ); 400 do_action( 'akismet_batch_delete_count', __FUNCTION__ ); 401 } 402 403 // Prepared as strings since comment_id is an unsigned BIGINT, and using %d will constrain the value to the maximum signed BIGINT. 404 $format_string = implode( ", ", array_fill( 0, count( $comment_ids ), '%s' ) ); 405 406 $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->comments} WHERE comment_id IN ( " . $format_string . " )", $comment_ids ) ); 407 $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->commentmeta} WHERE comment_id IN ( " . $format_string . " )", $comment_ids ) ); 408 409 clean_comment_cache( $comment_ids ); 410 do_action( 'akismet_delete_comment_batch', count( $comment_ids ) ); 411 } 412 413 if ( apply_filters( 'akismet_optimize_table', ( mt_rand(1, 5000) == 11), $wpdb->comments ) ) // lucky number 414 $wpdb->query("OPTIMIZE TABLE {$wpdb->comments}"); 415 } 416 417 public static function delete_old_comments_meta() { 418 global $wpdb; 419 420 $interval = apply_filters( 'akismet_delete_commentmeta_interval', 15 ); 421 422 # enforce a minimum of 1 day 423 $interval = absint( $interval ); 424 if ( $interval < 1 ) 425 $interval = 1; 426 427 // akismet_as_submitted meta values are large, so expire them 428 // after $interval days regardless of the comment status 429 while ( $comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT m.comment_id FROM {$wpdb->commentmeta} as m INNER JOIN {$wpdb->comments} as c USING(comment_id) WHERE m.meta_key = 'akismet_as_submitted' AND DATE_SUB(NOW(), INTERVAL %d DAY) > c.comment_date_gmt LIMIT 10000", $interval ) ) ) { 430 if ( empty( $comment_ids ) ) 431 return; 432 433 $wpdb->queries = array(); 434 435 foreach ( $comment_ids as $comment_id ) { 436 delete_comment_meta( $comment_id, 'akismet_as_submitted' ); 437 do_action( 'akismet_batch_delete_count', __FUNCTION__ ); 438 } 439 440 do_action( 'akismet_delete_commentmeta_batch', count( $comment_ids ) ); 441 } 442 443 if ( apply_filters( 'akismet_optimize_table', ( mt_rand(1, 5000) == 11), $wpdb->commentmeta ) ) // lucky number 444 $wpdb->query("OPTIMIZE TABLE {$wpdb->commentmeta}"); 445 } 446 447 // Clear out comments meta that no longer have corresponding comments in the database 448 public static function delete_orphaned_commentmeta() { 449 global $wpdb; 450 451 $last_meta_id = 0; 452 $start_time = isset( $_SERVER['REQUEST_TIME_FLOAT'] ) ? $_SERVER['REQUEST_TIME_FLOAT'] : microtime( true ); 453 $max_exec_time = max( ini_get('max_execution_time') - 5, 3 ); 454 455 while ( $commentmeta_results = $wpdb->get_results( $wpdb->prepare( "SELECT m.meta_id, m.comment_id, m.meta_key FROM {$wpdb->commentmeta} as m LEFT JOIN {$wpdb->comments} as c USING(comment_id) WHERE c.comment_id IS NULL AND m.meta_id > %d ORDER BY m.meta_id LIMIT 1000", $last_meta_id ) ) ) { 456 if ( empty( $commentmeta_results ) ) 457 return; 458 459 $wpdb->queries = array(); 460 461 $commentmeta_deleted = 0; 462 463 foreach ( $commentmeta_results as $commentmeta ) { 464 if ( 'akismet_' == substr( $commentmeta->meta_key, 0, 8 ) ) { 465 delete_comment_meta( $commentmeta->comment_id, $commentmeta->meta_key ); 466 do_action( 'akismet_batch_delete_count', __FUNCTION__ ); 467 $commentmeta_deleted++; 468 } 469 470 $last_meta_id = $commentmeta->meta_id; 471 } 472 473 do_action( 'akismet_delete_commentmeta_batch', $commentmeta_deleted ); 474 475 // If we're getting close to max_execution_time, quit for this round. 476 if ( microtime(true) - $start_time > $max_exec_time ) 477 return; 478 } 479 480 if ( apply_filters( 'akismet_optimize_table', ( mt_rand(1, 5000) == 11), $wpdb->commentmeta ) ) // lucky number 481 $wpdb->query("OPTIMIZE TABLE {$wpdb->commentmeta}"); 482 } 483 484 // how many approved comments does this author have? 485 public static function get_user_comments_approved( $user_id, $comment_author_email, $comment_author, $comment_author_url ) { 486 global $wpdb; 487 488 if ( !empty( $user_id ) ) 489 return (int) $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->comments} WHERE user_id = %d AND comment_approved = 1", $user_id ) ); 490 491 if ( !empty( $comment_author_email ) ) 492 return (int) $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->comments} WHERE comment_author_email = %s AND comment_author = %s AND comment_author_url = %s AND comment_approved = 1", $comment_author_email, $comment_author, $comment_author_url ) ); 493 494 return 0; 495 } 496 497 // get the full comment history for a given comment, as an array in reverse chronological order 498 public static function get_comment_history( $comment_id ) { 499 $history = get_comment_meta( $comment_id, 'akismet_history', false ); 500 if ( empty( $history ) || empty( $history[ 0 ] ) ) { 501 return false; 502 } 503 504 /* 505 // To see all variants when testing. 506 $history[] = array( 'time' => 445856401, 'message' => 'Old versions of Akismet stored the message as a literal string in the commentmeta.', 'event' => null ); 507 $history[] = array( 'time' => 445856402, 'event' => 'recheck-spam' ); 508 $history[] = array( 'time' => 445856403, 'event' => 'check-spam' ); 509 $history[] = array( 'time' => 445856404, 'event' => 'recheck-ham' ); 510 $history[] = array( 'time' => 445856405, 'event' => 'check-ham' ); 511 $history[] = array( 'time' => 445856406, 'event' => 'wp-blacklisted' ); 512 $history[] = array( 'time' => 445856406, 'event' => 'wp-disallowed' ); 513 $history[] = array( 'time' => 445856407, 'event' => 'report-spam' ); 514 $history[] = array( 'time' => 445856408, 'event' => 'report-spam', 'user' => 'sam' ); 515 $history[] = array( 'message' => 'sam reported this comment as spam (hardcoded message).', 'time' => 445856400, 'event' => 'report-spam', 'user' => 'sam' ); 516 $history[] = array( 'time' => 445856409, 'event' => 'report-ham', 'user' => 'sam' ); 517 $history[] = array( 'message' => 'sam reported this comment as ham (hardcoded message).', 'time' => 445856400, 'event' => 'report-ham', 'user' => 'sam' ); // 518 $history[] = array( 'time' => 445856410, 'event' => 'cron-retry-spam' ); 519 $history[] = array( 'time' => 445856411, 'event' => 'cron-retry-ham' ); 520 $history[] = array( 'time' => 445856412, 'event' => 'check-error' ); // 521 $history[] = array( 'time' => 445856413, 'event' => 'check-error', 'meta' => array( 'response' => 'The server was taking a nap.' ) ); 522 $history[] = array( 'time' => 445856414, 'event' => 'recheck-error' ); // Should not generate a message. 523 $history[] = array( 'time' => 445856415, 'event' => 'recheck-error', 'meta' => array( 'response' => 'The server was taking a nap.' ) ); 524 $history[] = array( 'time' => 445856416, 'event' => 'status-changedtrash' ); 525 $history[] = array( 'time' => 445856417, 'event' => 'status-changedspam' ); 526 $history[] = array( 'time' => 445856418, 'event' => 'status-changedhold' ); 527 $history[] = array( 'time' => 445856419, 'event' => 'status-changedapprove' ); 528 $history[] = array( 'time' => 445856420, 'event' => 'status-changed-trash' ); 529 $history[] = array( 'time' => 445856421, 'event' => 'status-changed-spam' ); 530 $history[] = array( 'time' => 445856422, 'event' => 'status-changed-hold' ); 531 $history[] = array( 'time' => 445856423, 'event' => 'status-changed-approve' ); 532 $history[] = array( 'time' => 445856424, 'event' => 'status-trash', 'user' => 'sam' ); 533 $history[] = array( 'time' => 445856425, 'event' => 'status-spam', 'user' => 'sam' ); 534 $history[] = array( 'time' => 445856426, 'event' => 'status-hold', 'user' => 'sam' ); 535 $history[] = array( 'time' => 445856427, 'event' => 'status-approve', 'user' => 'sam' ); 536 */ 537 538 usort( $history, array( 'Akismet', '_cmp_time' ) ); 539 return $history; 540 } 541 542 /** 543 * Log an event for a given comment, storing it in comment_meta. 544 * 545 * @param int $comment_id The ID of the relevant comment. 546 * @param string $message The string description of the event. No longer used. 547 * @param string $event The event code. 548 * @param array $meta Metadata about the history entry. e.g., the user that reported or changed the status of a given comment. 549 */ 550 public static function update_comment_history( $comment_id, $message, $event=null, $meta=null ) { 551 global $current_user; 552 553 $user = ''; 554 555 $event = array( 556 'time' => self::_get_microtime(), 557 'event' => $event, 558 ); 559 560 if ( is_object( $current_user ) && isset( $current_user->user_login ) ) { 561 $event['user'] = $current_user->user_login; 562 } 563 564 if ( ! empty( $meta ) ) { 565 $event['meta'] = $meta; 566 } 567 568 // $unique = false so as to allow multiple values per comment 569 $r = add_comment_meta( $comment_id, 'akismet_history', $event, false ); 570 } 571 572 public static function check_db_comment( $id, $recheck_reason = 'recheck_queue' ) { 573 global $wpdb; 574 575 if ( ! self::get_api_key() ) { 576 return new WP_Error( 'akismet-not-configured', __( 'Akismet is not configured. Please enter an API key.', 'akismet' ) ); 577 } 578 579 $c = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->comments} WHERE comment_ID = %d", $id ), ARRAY_A ); 580 581 if ( ! $c ) { 582 return new WP_Error( 'invalid-comment-id', __( 'Comment not found.', 'akismet' ) ); 583 } 584 585 $c['user_ip'] = $c['comment_author_IP']; 586 $c['user_agent'] = $c['comment_agent']; 587 $c['referrer'] = ''; 588 $c['blog'] = get_option( 'home' ); 589 $c['blog_lang'] = get_locale(); 590 $c['blog_charset'] = get_option('blog_charset'); 591 $c['permalink'] = get_permalink($c['comment_post_ID']); 592 $c['recheck_reason'] = $recheck_reason; 593 594 $c['user_role'] = ''; 595 if ( ! empty( $c['user_ID'] ) ) { 596 $c['user_role'] = Akismet::get_user_roles( $c['user_ID'] ); 597 } 598 599 if ( self::is_test_mode() ) 600 $c['is_test'] = 'true'; 601 602 $response = self::http_post( Akismet::build_query( $c ), 'comment-check' ); 603 604 if ( ! empty( $response[1] ) ) { 605 return $response[1]; 606 } 607 608 return false; 609 } 610 611 public static function recheck_comment( $id, $recheck_reason = 'recheck_queue' ) { 612 add_comment_meta( $id, 'akismet_rechecking', true ); 613 614 $api_response = self::check_db_comment( $id, $recheck_reason ); 615 616 delete_comment_meta( $id, 'akismet_rechecking' ); 617 618 if ( is_wp_error( $api_response ) ) { 619 // Invalid comment ID. 620 } 621 else if ( 'true' === $api_response ) { 622 wp_set_comment_status( $id, 'spam' ); 623 update_comment_meta( $id, 'akismet_result', 'true' ); 624 delete_comment_meta( $id, 'akismet_error' ); 625 delete_comment_meta( $id, 'akismet_delayed_moderation_email' ); 626 Akismet::update_comment_history( $id, '', 'recheck-spam' ); 627 } 628 elseif ( 'false' === $api_response ) { 629 update_comment_meta( $id, 'akismet_result', 'false' ); 630 delete_comment_meta( $id, 'akismet_error' ); 631 delete_comment_meta( $id, 'akismet_delayed_moderation_email' ); 632 Akismet::update_comment_history( $id, '', 'recheck-ham' ); 633 } 634 else { 635 // abnormal result: error 636 update_comment_meta( $id, 'akismet_result', 'error' ); 637 Akismet::update_comment_history( 638 $id, 639 '', 640 'recheck-error', 641 array( 'response' => substr( $api_response, 0, 50 ) ) 642 ); 643 } 644 645 return $api_response; 646 } 647 648 public static function transition_comment_status( $new_status, $old_status, $comment ) { 649 650 if ( $new_status == $old_status ) 651 return; 652 653 if ( 'spam' === $new_status || 'spam' === $old_status ) { 654 // Clear the cache of the "X comments in your spam queue" count on the dashboard. 655 wp_cache_delete( 'akismet_spam_count', 'widget' ); 656 } 657 658 # we don't need to record a history item for deleted comments 659 if ( $new_status == 'delete' ) 660 return; 661 662 if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) && !current_user_can( 'moderate_comments' ) ) 663 return; 664 665 if ( defined('WP_IMPORTING') && WP_IMPORTING == true ) 666 return; 667 668 // if this is present, it means the status has been changed by a re-check, not an explicit user action 669 if ( get_comment_meta( $comment->comment_ID, 'akismet_rechecking' ) ) 670 return; 671 672 // Assumption alert: 673 // We want to submit comments to Akismet only when a moderator explicitly spams or approves it - not if the status 674 // is changed automatically by another plugin. Unfortunately WordPress doesn't provide an unambiguous way to 675 // determine why the transition_comment_status action was triggered. And there are several different ways by which 676 // to spam and unspam comments: bulk actions, ajax, links in moderation emails, the dashboard, and perhaps others. 677 // We'll assume that this is an explicit user action if certain POST/GET variables exist. 678 if ( 679 // status=spam: Marking as spam via the REST API or... 680 // status=unspam: I'm not sure. Maybe this used to be used instead of status=approved? Or the UI for removing from spam but not approving has been since removed?... 681 // status=approved: Unspamming via the REST API (Calypso) or... 682 ( isset( $_POST['status'] ) && in_array( $_POST['status'], array( 'spam', 'unspam', 'approved', ) ) ) 683 // spam=1: Clicking "Spam" underneath a comment in wp-admin and allowing the AJAX request to happen. 684 || ( isset( $_POST['spam'] ) && (int) $_POST['spam'] == 1 ) 685 // unspam=1: Clicking "Not Spam" underneath a comment in wp-admin and allowing the AJAX request to happen. Or, clicking "Undo" after marking something as spam. 686 || ( isset( $_POST['unspam'] ) && (int) $_POST['unspam'] == 1 ) 687 // comment_status=spam/unspam: It's unclear where this is happening. 688 || ( isset( $_POST['comment_status'] ) && in_array( $_POST['comment_status'], array( 'spam', 'unspam' ) ) ) 689 // action=spam: Choosing "Mark as Spam" from the Bulk Actions dropdown in wp-admin (or the "Spam it" link in notification emails). 690 // action=unspam: Choosing "Not Spam" from the Bulk Actions dropdown in wp-admin. 691 // action=spamcomment: Following the "Spam" link below a comment in wp-admin (not allowing AJAX request to happen). 692 // action=unspamcomment: Following the "Not Spam" link below a comment in wp-admin (not allowing AJAX request to happen). 693 || ( isset( $_GET['action'] ) && in_array( $_GET['action'], array( 'spam', 'unspam', 'spamcomment', 'unspamcomment', ) ) ) 694 // action=editedcomment: Editing a comment via wp-admin (and possibly changing its status). 695 || ( isset( $_POST['action'] ) && in_array( $_POST['action'], array( 'editedcomment' ) ) ) 696 // for=jetpack: Moderation via the WordPress app, Calypso, anything powered by the Jetpack connection. 697 || ( isset( $_GET['for'] ) && ( 'jetpack' == $_GET['for'] ) && ( ! defined( 'IS_WPCOM' ) || ! IS_WPCOM ) ) 698 // Certain WordPress.com API requests 699 || ( defined( 'REST_API_REQUEST' ) && REST_API_REQUEST ) 700 // WordPress.org REST API requests 701 || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) 702 ) { 703 if ( $new_status == 'spam' && ( $old_status == 'approved' || $old_status == 'unapproved' || !$old_status ) ) { 704 return self::submit_spam_comment( $comment->comment_ID ); 705 } elseif ( $old_status == 'spam' && ( $new_status == 'approved' || $new_status == 'unapproved' ) ) { 706 return self::submit_nonspam_comment( $comment->comment_ID ); 707 } 708 } 709 710 self::update_comment_history( $comment->comment_ID, '', 'status-' . $new_status ); 711 } 712 713 public static function submit_spam_comment( $comment_id ) { 714 global $wpdb, $current_user, $current_site; 715 716 $comment_id = (int) $comment_id; 717 718 $comment = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->comments} WHERE comment_ID = %d", $comment_id ) ); 719 720 if ( !$comment ) // it was deleted 721 return; 722 723 if ( 'spam' != $comment->comment_approved ) 724 return; 725 726 self::update_comment_history( $comment_id, '', 'report-spam' ); 727 728 // If the user hasn't configured Akismet, there's nothing else to do at this point. 729 if ( ! self::get_api_key() ) { 730 return; 731 } 732 733 // use the original version stored in comment_meta if available 734 $as_submitted = self::sanitize_comment_as_submitted( get_comment_meta( $comment_id, 'akismet_as_submitted', true ) ); 735 736 if ( $as_submitted && is_array( $as_submitted ) && isset( $as_submitted['comment_content'] ) ) 737 $comment = (object) array_merge( (array)$comment, $as_submitted ); 738 739 $comment->blog = get_option( 'home' ); 740 $comment->blog_lang = get_locale(); 741 $comment->blog_charset = get_option('blog_charset'); 742 $comment->permalink = get_permalink($comment->comment_post_ID); 743 744 if ( is_object($current_user) ) 745 $comment->reporter = $current_user->user_login; 746 747 if ( is_object($current_site) ) 748 $comment->site_domain = $current_site->domain; 749 750 $comment->user_role = ''; 751 if ( ! empty( $comment->user_ID ) ) { 752 $comment->user_role = Akismet::get_user_roles( $comment->user_ID ); 753 } 754 755 if ( self::is_test_mode() ) 756 $comment->is_test = 'true'; 757 758 $post = get_post( $comment->comment_post_ID ); 759 760 if ( ! is_null( $post ) ) { 761 $comment->comment_post_modified_gmt = $post->post_modified_gmt; 762 } 763 764 $response = Akismet::http_post( Akismet::build_query( $comment ), 'submit-spam' ); 765 766 update_comment_meta( $comment_id, 'akismet_user_result', 'true' ); 767 768 if ( $comment->reporter ) { 769 update_comment_meta( $comment_id, 'akismet_user', $comment->reporter ); 770 } 771 772 do_action('akismet_submit_spam_comment', $comment_id, $response[1]); 773 } 774 775 public static function submit_nonspam_comment( $comment_id ) { 776 global $wpdb, $current_user, $current_site; 777 778 $comment_id = (int) $comment_id; 779 780 $comment = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->comments} WHERE comment_ID = %d", $comment_id ) ); 781 if ( !$comment ) // it was deleted 782 return; 783 784 self::update_comment_history( $comment_id, '', 'report-ham' ); 785 786 // If the user hasn't configured Akismet, there's nothing else to do at this point. 787 if ( ! self::get_api_key() ) { 788 return; 789 } 790 791 // use the original version stored in comment_meta if available 792 $as_submitted = self::sanitize_comment_as_submitted( get_comment_meta( $comment_id, 'akismet_as_submitted', true ) ); 793 794 if ( $as_submitted && is_array($as_submitted) && isset($as_submitted['comment_content']) ) 795 $comment = (object) array_merge( (array)$comment, $as_submitted ); 796 797 $comment->blog = get_option( 'home' ); 798 $comment->blog_lang = get_locale(); 799 $comment->blog_charset = get_option('blog_charset'); 800 $comment->permalink = get_permalink( $comment->comment_post_ID ); 801 $comment->user_role = ''; 802 803 if ( is_object($current_user) ) 804 $comment->reporter = $current_user->user_login; 805 806 if ( is_object($current_site) ) 807 $comment->site_domain = $current_site->domain; 808 809 if ( ! empty( $comment->user_ID ) ) { 810 $comment->user_role = Akismet::get_user_roles( $comment->user_ID ); 811 } 812 813 if ( Akismet::is_test_mode() ) 814 $comment->is_test = 'true'; 815 816 $post = get_post( $comment->comment_post_ID ); 817 818 if ( ! is_null( $post ) ) { 819 $comment->comment_post_modified_gmt = $post->post_modified_gmt; 820 } 821 822 $response = self::http_post( Akismet::build_query( $comment ), 'submit-ham' ); 823 824 update_comment_meta( $comment_id, 'akismet_user_result', 'false' ); 825 826 if ( $comment->reporter ) { 827 update_comment_meta( $comment_id, 'akismet_user', $comment->reporter ); 828 } 829 830 do_action('akismet_submit_nonspam_comment', $comment_id, $response[1]); 831 } 832 833 public static function cron_recheck() { 834 global $wpdb; 835 836 $api_key = self::get_api_key(); 837 838 $status = self::verify_key( $api_key ); 839 if ( get_option( 'akismet_alert_code' ) || $status == 'invalid' ) { 840 // since there is currently a problem with the key, reschedule a check for 6 hours hence 841 wp_schedule_single_event( time() + 21600, 'akismet_schedule_cron_recheck' ); 842 do_action( 'akismet_scheduled_recheck', 'key-problem-' . get_option( 'akismet_alert_code' ) . '-' . $status ); 843 return false; 844 } 845 846 delete_option('akismet_available_servers'); 847 848 $comment_errors = $wpdb->get_col( "SELECT comment_id FROM {$wpdb->commentmeta} WHERE meta_key = 'akismet_error' LIMIT 100" ); 849 850 load_plugin_textdomain( 'akismet' ); 851 852 foreach ( (array) $comment_errors as $comment_id ) { 853 // if the comment no longer exists, or is too old, remove the meta entry from the queue to avoid getting stuck 854 $comment = get_comment( $comment_id ); 855 856 if ( 857 ! $comment // Comment has been deleted 858 || strtotime( $comment->comment_date_gmt ) < strtotime( "-15 days" ) // Comment is too old. 859 || $comment->comment_approved !== "0" // Comment is no longer in the Pending queue 860 ) { 861 delete_comment_meta( $comment_id, 'akismet_error' ); 862 delete_comment_meta( $comment_id, 'akismet_delayed_moderation_email' ); 863 continue; 864 } 865 866 add_comment_meta( $comment_id, 'akismet_rechecking', true ); 867 $status = self::check_db_comment( $comment_id, 'retry' ); 868 869 $event = ''; 870 if ( $status == 'true' ) { 871 $event = 'cron-retry-spam'; 872 } elseif ( $status == 'false' ) { 873 $event = 'cron-retry-ham'; 874 } 875 876 // If we got back a legit response then update the comment history 877 // other wise just bail now and try again later. No point in 878 // re-trying all the comments once we hit one failure. 879 if ( !empty( $event ) ) { 880 delete_comment_meta( $comment_id, 'akismet_error' ); 881 self::update_comment_history( $comment_id, '', $event ); 882 update_comment_meta( $comment_id, 'akismet_result', $status ); 883 // make sure the comment status is still pending. if it isn't, that means the user has already moved it elsewhere. 884 $comment = get_comment( $comment_id ); 885 if ( $comment && 'unapproved' == wp_get_comment_status( $comment_id ) ) { 886 if ( $status == 'true' ) { 887 wp_spam_comment( $comment_id ); 888 } elseif ( $status == 'false' ) { 889 // comment is good, but it's still in the pending queue. depending on the moderation settings 890 // we may need to change it to approved. 891 if ( check_comment($comment->comment_author, $comment->comment_author_email, $comment->comment_author_url, $comment->comment_content, $comment->comment_author_IP, $comment->comment_agent, $comment->comment_type) ) 892 wp_set_comment_status( $comment_id, 1 ); 893 else if ( get_comment_meta( $comment_id, 'akismet_delayed_moderation_email', true ) ) 894 wp_notify_moderator( $comment_id ); 895 } 896 } 897 898 delete_comment_meta( $comment_id, 'akismet_delayed_moderation_email' ); 899 } else { 900 // If this comment has been pending moderation for longer than MAX_DELAY_BEFORE_MODERATION_EMAIL, 901 // send a moderation email now. 902 if ( ( intval( gmdate( 'U' ) ) - strtotime( $comment->comment_date_gmt ) ) < self::MAX_DELAY_BEFORE_MODERATION_EMAIL ) { 903 delete_comment_meta( $comment_id, 'akismet_delayed_moderation_email' ); 904 wp_notify_moderator( $comment_id ); 905 } 906 907 delete_comment_meta( $comment_id, 'akismet_rechecking' ); 908 wp_schedule_single_event( time() + 1200, 'akismet_schedule_cron_recheck' ); 909 do_action( 'akismet_scheduled_recheck', 'check-db-comment-' . $status ); 910 return; 911 } 912 delete_comment_meta( $comment_id, 'akismet_rechecking' ); 913 } 914 915 $remaining = $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->commentmeta} WHERE meta_key = 'akismet_error'" ); 916 if ( $remaining && !wp_next_scheduled('akismet_schedule_cron_recheck') ) { 917 wp_schedule_single_event( time() + 1200, 'akismet_schedule_cron_recheck' ); 918 do_action( 'akismet_scheduled_recheck', 'remaining' ); 919 } 920 } 921 922 public static function fix_scheduled_recheck() { 923 $future_check = wp_next_scheduled( 'akismet_schedule_cron_recheck' ); 924 if ( !$future_check ) { 925 return; 926 } 927 928 if ( get_option( 'akismet_alert_code' ) > 0 ) { 929 return; 930 } 931 932 $check_range = time() + 1200; 933 if ( $future_check > $check_range ) { 934 wp_clear_scheduled_hook( 'akismet_schedule_cron_recheck' ); 935 wp_schedule_single_event( time() + 300, 'akismet_schedule_cron_recheck' ); 936 do_action( 'akismet_scheduled_recheck', 'fix-scheduled-recheck' ); 937 } 938 } 939 940 public static function add_comment_nonce( $post_id ) { 941 /** 942 * To disable the Akismet comment nonce, add a filter for the 'akismet_comment_nonce' tag 943 * and return any string value that is not 'true' or '' (empty string). 944 * 945 * Don't return boolean false, because that implies that the 'akismet_comment_nonce' option 946 * has not been set and that Akismet should just choose the default behavior for that 947 * situation. 948 */ 949 950 if ( ! self::get_api_key() ) { 951 return; 952 } 953 954 $akismet_comment_nonce_option = apply_filters( 'akismet_comment_nonce', get_option( 'akismet_comment_nonce' ) ); 955 956 if ( $akismet_comment_nonce_option == 'true' || $akismet_comment_nonce_option == '' ) { 957 echo '<p style="display: none;">'; 958 wp_nonce_field( 'akismet_comment_nonce_' . $post_id, 'akismet_comment_nonce', FALSE ); 959 echo '</p>'; 960 } 961 } 962 963 public static function is_test_mode() { 964 return defined('AKISMET_TEST_MODE') && AKISMET_TEST_MODE; 965 } 966 967 public static function allow_discard() { 968 if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) 969 return false; 970 if ( is_user_logged_in() ) 971 return false; 972 973 return ( get_option( 'akismet_strictness' ) === '1' ); 974 } 975 976 public static function get_ip_address() { 977 return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : null; 978 } 979 980 /** 981 * Do these two comments, without checking the comment_ID, "match"? 982 * 983 * @param mixed $comment1 A comment object or array. 984 * @param mixed $comment2 A comment object or array. 985 * @return bool Whether the two comments should be treated as the same comment. 986 */ 987 private static function comments_match( $comment1, $comment2 ) { 988 $comment1 = (array) $comment1; 989 $comment2 = (array) $comment2; 990 991 // Set default values for these strings that we check in order to simplify 992 // the checks and avoid PHP warnings. 993 if ( ! isset( $comment1['comment_author'] ) ) { 994 $comment1['comment_author'] = ''; 995 } 996 997 if ( ! isset( $comment2['comment_author'] ) ) { 998 $comment2['comment_author'] = ''; 999 } 1000 1001 if ( ! isset( $comment1['comment_author_email'] ) ) { 1002 $comment1['comment_author_email'] = ''; 1003 } 1004 1005 if ( ! isset( $comment2['comment_author_email'] ) ) { 1006 $comment2['comment_author_email'] = ''; 1007 } 1008 1009 $comments_match = ( 1010 isset( $comment1['comment_post_ID'], $comment2['comment_post_ID'] ) 1011 && intval( $comment1['comment_post_ID'] ) == intval( $comment2['comment_post_ID'] ) 1012 && ( 1013 // The comment author length max is 255 characters, limited by the TINYTEXT column type. 1014 // If the comment author includes multibyte characters right around the 255-byte mark, they 1015 // may be stripped when the author is saved in the DB, so a 300+ char author may turn into 1016 // a 253-char author when it's saved, not 255 exactly. The longest possible character is 1017 // theoretically 6 bytes, so we'll only look at the first 248 bytes to be safe. 1018 substr( $comment1['comment_author'], 0, 248 ) == substr( $comment2['comment_author'], 0, 248 ) 1019 || substr( stripslashes( $comment1['comment_author'] ), 0, 248 ) == substr( $comment2['comment_author'], 0, 248 ) 1020 || substr( $comment1['comment_author'], 0, 248 ) == substr( stripslashes( $comment2['comment_author'] ), 0, 248 ) 1021 // Certain long comment author names will be truncated to nothing, depending on their encoding. 1022 || ( ! $comment1['comment_author'] && strlen( $comment2['comment_author'] ) > 248 ) 1023 || ( ! $comment2['comment_author'] && strlen( $comment1['comment_author'] ) > 248 ) 1024 ) 1025 && ( 1026 // The email max length is 100 characters, limited by the VARCHAR(100) column type. 1027 // Same argument as above for only looking at the first 93 characters. 1028 substr( $comment1['comment_author_email'], 0, 93 ) == substr( $comment2['comment_author_email'], 0, 93 ) 1029 || substr( stripslashes( $comment1['comment_author_email'] ), 0, 93 ) == substr( $comment2['comment_author_email'], 0, 93 ) 1030 || substr( $comment1['comment_author_email'], 0, 93 ) == substr( stripslashes( $comment2['comment_author_email'] ), 0, 93 ) 1031 // Very long emails can be truncated and then stripped if the [0:100] substring isn't a valid address. 1032 || ( ! $comment1['comment_author_email'] && strlen( $comment2['comment_author_email'] ) > 100 ) 1033 || ( ! $comment2['comment_author_email'] && strlen( $comment1['comment_author_email'] ) > 100 ) 1034 ) 1035 ); 1036 1037 return $comments_match; 1038 } 1039 1040 // Does the supplied comment match the details of the one most recently stored in self::$last_comment? 1041 public static function matches_last_comment( $comment ) { 1042 return self::comments_match( self::$last_comment, $comment ); 1043 } 1044 1045 private static function get_user_agent() { 1046 return isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : null; 1047 } 1048 1049 private static function get_referer() { 1050 return isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : null; 1051 } 1052 1053 // return a comma-separated list of role names for the given user 1054 public static function get_user_roles( $user_id ) { 1055 $roles = false; 1056 1057 if ( !class_exists('WP_User') ) 1058 return false; 1059 1060 if ( $user_id > 0 ) { 1061 $comment_user = new WP_User( $user_id ); 1062 if ( isset( $comment_user->roles ) ) 1063 $roles = join( ',', $comment_user->roles ); 1064 } 1065 1066 if ( is_multisite() && is_super_admin( $user_id ) ) { 1067 if ( empty( $roles ) ) { 1068 $roles = 'super_admin'; 1069 } else { 1070 $comment_user->roles[] = 'super_admin'; 1071 $roles = join( ',', $comment_user->roles ); 1072 } 1073 } 1074 1075 return $roles; 1076 } 1077 1078 // filter handler used to return a spam result to pre_comment_approved 1079 public static function last_comment_status( $approved, $comment ) { 1080 if ( is_null( self::$last_comment_result ) ) { 1081 // We didn't have reason to store the result of the last check. 1082 return $approved; 1083 } 1084 1085 // Only do this if it's the correct comment 1086 if ( ! self::matches_last_comment( $comment ) ) { 1087 self::log( "comment_is_spam mismatched comment, returning unaltered $approved" ); 1088 return $approved; 1089 } 1090 1091 if ( 'trash' === $approved ) { 1092 // If the last comment we checked has had its approval set to 'trash', 1093 // then it failed the comment blacklist check. Let that blacklist override 1094 // the spam check, since users have the (valid) expectation that when 1095 // they fill out their blacklists, comments that match it will always 1096 // end up in the trash. 1097 return $approved; 1098 } 1099 1100 // bump the counter here instead of when the filter is added to reduce the possibility of overcounting 1101 if ( $incr = apply_filters('akismet_spam_count_incr', 1) ) 1102 update_option( 'akismet_spam_count', get_option('akismet_spam_count') + $incr ); 1103 1104 return self::$last_comment_result; 1105 } 1106 1107 /** 1108 * If Akismet is temporarily unreachable, we don't want to "spam" the blogger with 1109 * moderation emails for comments that will be automatically cleared or spammed on 1110 * the next retry. 1111 * 1112 * For comments that will be rechecked later, empty the list of email addresses that 1113 * the moderation email would be sent to. 1114 * 1115 * @param array $emails An array of email addresses that the moderation email will be sent to. 1116 * @param int $comment_id The ID of the relevant comment. 1117 * @return array An array of email addresses that the moderation email will be sent to. 1118 */ 1119 public static function disable_moderation_emails_if_unreachable( $emails, $comment_id ) { 1120 if ( ! empty( self::$prevent_moderation_email_for_these_comments ) && ! empty( $emails ) ) { 1121 $comment = get_comment( $comment_id ); 1122 1123 foreach ( self::$prevent_moderation_email_for_these_comments as $possible_match ) { 1124 if ( self::comments_match( $possible_match, $comment ) ) { 1125 update_comment_meta( $comment_id, 'akismet_delayed_moderation_email', true ); 1126 return array(); 1127 } 1128 } 1129 } 1130 1131 return $emails; 1132 } 1133 1134 public static function _cmp_time( $a, $b ) { 1135 return $a['time'] > $b['time'] ? -1 : 1; 1136 } 1137 1138 public static function _get_microtime() { 1139 $mtime = explode( ' ', microtime() ); 1140 return $mtime[1] + $mtime[0]; 1141 } 1142 1143 /** 1144 * Make a POST request to the Akismet API. 1145 * 1146 * @param string $request The body of the request. 1147 * @param string $path The path for the request. 1148 * @param string $ip The specific IP address to hit. 1149 * @return array A two-member array consisting of the headers and the response body, both empty in the case of a failure. 1150 */ 1151 public static function http_post( $request, $path, $ip=null ) { 1152 1153 $akismet_ua = sprintf( 'WordPress/%s | Akismet/%s', $GLOBALS['wp_version'], constant( 'AKISMET_VERSION' ) ); 1154 $akismet_ua = apply_filters( 'akismet_ua', $akismet_ua ); 1155 1156 $content_length = strlen( $request ); 1157 1158 $api_key = self::get_api_key(); 1159 $host = self::API_HOST; 1160 1161 if ( !empty( $api_key ) ) 1162 $host = $api_key.'.'.$host; 1163 1164 $http_host = $host; 1165 // use a specific IP if provided 1166 // needed by Akismet_Admin::check_server_connectivity() 1167 if ( $ip && long2ip( ip2long( $ip ) ) ) { 1168 $http_host = $ip; 1169 } 1170 1171 $http_args = array( 1172 'body' => $request, 1173 'headers' => array( 1174 'Content-Type' => 'application/x-www-form-urlencoded; charset=' . get_option( 'blog_charset' ), 1175 'Host' => $host, 1176 'User-Agent' => $akismet_ua, 1177 ), 1178 'httpversion' => '1.0', 1179 'timeout' => 15 1180 ); 1181 1182 $akismet_url = $http_akismet_url = "http://{$http_host}/1.1/{$path}"; 1183 1184 /** 1185 * Try SSL first; if that fails, try without it and don't try it again for a while. 1186 */ 1187 1188 $ssl = $ssl_failed = false; 1189 1190 // Check if SSL requests were disabled fewer than X hours ago. 1191 $ssl_disabled = get_option( 'akismet_ssl_disabled' ); 1192 1193 if ( $ssl_disabled && $ssl_disabled < ( time() - 60 * 60 * 24 ) ) { // 24 hours 1194 $ssl_disabled = false; 1195 delete_option( 'akismet_ssl_disabled' ); 1196 } 1197 else if ( $ssl_disabled ) { 1198 do_action( 'akismet_ssl_disabled' ); 1199 } 1200 1201 if ( ! $ssl_disabled && ( $ssl = wp_http_supports( array( 'ssl' ) ) ) ) { 1202 $akismet_url = set_url_scheme( $akismet_url, 'https' ); 1203 1204 do_action( 'akismet_https_request_pre' ); 1205 } 1206 1207 $response = wp_remote_post( $akismet_url, $http_args ); 1208 1209 Akismet::log( compact( 'akismet_url', 'http_args', 'response' ) ); 1210 1211 if ( $ssl && is_wp_error( $response ) ) { 1212 do_action( 'akismet_https_request_failure', $response ); 1213 1214 // Intermittent connection problems may cause the first HTTPS 1215 // request to fail and subsequent HTTP requests to succeed randomly. 1216 // Retry the HTTPS request once before disabling SSL for a time. 1217 $response = wp_remote_post( $akismet_url, $http_args ); 1218 1219 Akismet::log( compact( 'akismet_url', 'http_args', 'response' ) ); 1220 1221 if ( is_wp_error( $response ) ) { 1222 $ssl_failed = true; 1223 1224 do_action( 'akismet_https_request_failure', $response ); 1225 1226 do_action( 'akismet_http_request_pre' ); 1227 1228 // Try the request again without SSL. 1229 $response = wp_remote_post( $http_akismet_url, $http_args ); 1230 1231 Akismet::log( compact( 'http_akismet_url', 'http_args', 'response' ) ); 1232 } 1233 } 1234 1235 if ( is_wp_error( $response ) ) { 1236 do_action( 'akismet_request_failure', $response ); 1237 1238 return array( '', '' ); 1239 } 1240 1241 if ( $ssl_failed ) { 1242 // The request failed when using SSL but succeeded without it. Disable SSL for future requests. 1243 update_option( 'akismet_ssl_disabled', time() ); 1244 1245 do_action( 'akismet_https_disabled' ); 1246 } 1247 1248 $simplified_response = array( $response['headers'], $response['body'] ); 1249 1250 self::update_alert( $simplified_response ); 1251 1252 return $simplified_response; 1253 } 1254 1255 // given a response from an API call like check_key_status(), update the alert code options if an alert is present. 1256 public static function update_alert( $response ) { 1257 $code = $msg = null; 1258 if ( isset( $response[0]['x-akismet-alert-code'] ) ) { 1259 $code = $response[0]['x-akismet-alert-code']; 1260 $msg = $response[0]['x-akismet-alert-msg']; 1261 } 1262 1263 // only call update_option() if the value has changed 1264 if ( $code != get_option( 'akismet_alert_code' ) ) { 1265 if ( ! $code ) { 1266 delete_option( 'akismet_alert_code' ); 1267 delete_option( 'akismet_alert_msg' ); 1268 } 1269 else { 1270 update_option( 'akismet_alert_code', $code ); 1271 update_option( 'akismet_alert_msg', $msg ); 1272 } 1273 } 1274 } 1275 1276 public static function load_form_js() { 1277 if ( function_exists( 'is_amp_endpoint' ) && is_amp_endpoint() ) { 1278 return; 1279 } 1280 1281 if ( ! self::get_api_key() ) { 1282 return; 1283 } 1284 1285 wp_register_script( 'akismet-form', plugin_dir_url( __FILE__ ) . '_inc/form.js', array(), AKISMET_VERSION, true ); 1286 wp_enqueue_script( 'akismet-form' ); 1287 } 1288 1289 /** 1290 * Mark form.js as deferred. Because nothing depends on it, it can run at any time 1291 * after it's loaded, and the browser won't have to wait for it to load to continue 1292 * parsing the rest of the page. 1293 */ 1294 public static function set_form_js_async( $tag, $handle, $src ) { 1295 if ( 'akismet-form' !== $handle ) { 1296 return $tag; 1297 } 1298 1299 return preg_replace( '/^<script /i', '<script defer ', $tag ); 1300 } 1301 1302 public static function inject_ak_js( $post_id ) { 1303 echo '<input type="hidden" id="ak_js" name="ak_js" value="' . mt_rand( 0, 250 ) . '"/>'; 1304 echo '<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100" style="display: none !important;"></textarea>'; 1305 } 1306 1307 private static function bail_on_activation( $message, $deactivate = true ) { 1308 ?> 1309 <!doctype html> 1310 <html> 1311 <head> 1312 <meta charset="<?php bloginfo( 'charset' ); ?>" /> 1313 <style> 1314 * { 1315 text-align: center; 1316 margin: 0; 1317 padding: 0; 1318 font-family: "Lucida Grande",Verdana,Arial,"Bitstream Vera Sans",sans-serif; 1319 } 1320 p { 1321 margin-top: 1em; 1322 font-size: 18px; 1323 } 1324 </style> 1325 </head> 1326 <body> 1327 <p><?php echo esc_html( $message ); ?></p> 1328 </body> 1329 </html> 1330 <?php 1331 if ( $deactivate ) { 1332 $plugins = get_option( 'active_plugins' ); 1333 $akismet = plugin_basename( AKISMET__PLUGIN_DIR . 'akismet.php' ); 1334 $update = false; 1335 foreach ( $plugins as $i => $plugin ) { 1336 if ( $plugin === $akismet ) { 1337 $plugins[$i] = false; 1338 $update = true; 1339 } 1340 } 1341 1342 if ( $update ) { 1343 update_option( 'active_plugins', array_filter( $plugins ) ); 1344 } 1345 } 1346 exit; 1347 } 1348 1349 public static function view( $name, array $args = array() ) { 1350 $args = apply_filters( 'akismet_view_arguments', $args, $name ); 1351 1352 foreach ( $args AS $key => $val ) { 1353 $$key = $val; 1354 } 1355 1356 load_plugin_textdomain( 'akismet' ); 1357 1358 $file = AKISMET__PLUGIN_DIR . 'views/'. $name . '.php'; 1359 1360 include( $file ); 1361 } 1362 1363 /** 1364 * Attached to activate_{ plugin_basename( __FILES__ ) } by register_activation_hook() 1365 * @static 1366 */ 1367 public static function plugin_activation() { 1368 if ( version_compare( $GLOBALS['wp_version'], AKISMET__MINIMUM_WP_VERSION, '<' ) ) { 1369 load_plugin_textdomain( 'akismet' ); 1370 1371 $message = '<strong>'.sprintf(esc_html__( 'Akismet %s requires WordPress %s or higher.' , 'akismet'), AKISMET_VERSION, AKISMET__MINIMUM_WP_VERSION ).'</strong> '.sprintf(__('Please <a href="%1$s">upgrade WordPress</a> to a current version, or <a href="%2$s">downgrade to version 2.4 of the Akismet plugin</a>.', 'akismet'), 'https://codex.wordpress.org/Upgrading_WordPress', 'https://wordpress.org/extend/plugins/akismet/download/'); 1372 1373 Akismet::bail_on_activation( $message ); 1374 } elseif ( ! empty( $_SERVER['SCRIPT_NAME'] ) && false !== strpos( $_SERVER['SCRIPT_NAME'], '/wp-admin/plugins.php' ) ) { 1375 add_option( 'Activated_Akismet', true ); 1376 } 1377 } 1378 1379 /** 1380 * Removes all connection options 1381 * @static 1382 */ 1383 public static function plugin_deactivation( ) { 1384 self::deactivate_key( self::get_api_key() ); 1385 1386 // Remove any scheduled cron jobs. 1387 $akismet_cron_events = array( 1388 'akismet_schedule_cron_recheck', 1389 'akismet_scheduled_delete', 1390 ); 1391 1392 foreach ( $akismet_cron_events as $akismet_cron_event ) { 1393 $timestamp = wp_next_scheduled( $akismet_cron_event ); 1394 1395 if ( $timestamp ) { 1396 wp_unschedule_event( $timestamp, $akismet_cron_event ); 1397 } 1398 } 1399 } 1400 1401 /** 1402 * Essentially a copy of WP's build_query but one that doesn't expect pre-urlencoded values. 1403 * 1404 * @param array $args An array of key => value pairs 1405 * @return string A string ready for use as a URL query string. 1406 */ 1407 public static function build_query( $args ) { 1408 return _http_build_query( $args, '', '&' ); 1409 } 1410 1411 /** 1412 * Log debugging info to the error log. 1413 * 1414 * Enabled when WP_DEBUG_LOG is enabled (and WP_DEBUG, since according to 1415 * core, "WP_DEBUG_DISPLAY and WP_DEBUG_LOG perform no function unless 1416 * WP_DEBUG is true), but can be disabled via the akismet_debug_log filter. 1417 * 1418 * @param mixed $akismet_debug The data to log. 1419 */ 1420 public static function log( $akismet_debug ) { 1421 if ( apply_filters( 'akismet_debug_log', defined( 'WP_DEBUG' ) && WP_DEBUG && defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG && defined( 'AKISMET_DEBUG' ) && AKISMET_DEBUG ) ) { 1422 error_log( print_r( compact( 'akismet_debug' ), true ) ); 1423 } 1424 } 1425 1426 public static function pre_check_pingback( $method ) { 1427 if ( $method !== 'pingback.ping' ) 1428 return; 1429 1430 // A lot of this code is tightly coupled with the IXR class because the xmlrpc_call action doesn't pass along any information besides the method name. 1431 // This ticket should hopefully fix that: https://core.trac.wordpress.org/ticket/52524 1432 // Until that happens, when it's a system.multicall, pre_check_pingback will be called once for every internal pingback call. 1433 // Keep track of how many times this function has been called so we know which call to reference in the XML. 1434 static $call_count = 0; 1435 1436 $call_count++; 1437 1438 global $wp_xmlrpc_server; 1439 1440 if ( !is_object( $wp_xmlrpc_server ) ) 1441 return false; 1442 1443 $is_multicall = false; 1444 $multicall_count = 0; 1445 1446 if ( 'system.multicall' === $wp_xmlrpc_server->message->methodName ) { 1447 $is_multicall = true; 1448 1449 if ( 0 === $call_count ) { 1450 // Only pass along the number of entries in the multicall the first time we see it. 1451 $multicall_count = count( $wp_xmlrpc_server->message->params ); 1452 } 1453 1454 /* 1455 * $wp_xmlrpc_server->message looks like this: 1456 * 1457 ( 1458 [message] => 1459 [messageType] => methodCall 1460 [faultCode] => 1461 [faultString] => 1462 [methodName] => system.multicall 1463 [params] => Array 1464 ( 1465 [0] => Array 1466 ( 1467 [methodName] => pingback.ping 1468 [params] => Array 1469 ( 1470 [0] => http://www.example.net/?p=1 // Site that created the pingback. 1471 [1] => https://www.example.com/?p=1 // Post being pingback'd on this site. 1472 ) 1473 ) 1474 [1] => Array 1475 ( 1476 [methodName] => pingback.ping 1477 [params] => Array 1478 ( 1479 [0] => http://www.example.net/?p=1 // Site that created the pingback. 1480 [1] => https://www.example.com/?p=2 // Post being pingback'd on this site. 1481 ) 1482 ) 1483 ) 1484 ) 1485 */ 1486 1487 // Use the params from the nth pingback.ping call in the multicall. 1488 $pingback_calls_found = 0; 1489 1490 foreach ( $wp_xmlrpc_server->message->params as $xmlrpc_action ) { 1491 if ( 'pingback.ping' === $xmlrpc_action['methodName'] ) { 1492 $pingback_calls_found++; 1493 } 1494 1495 if ( $call_count === $pingback_calls_found ) { 1496 $pingback_args = $xmlrpc_action['params']; 1497 break; 1498 } 1499 } 1500 } else { 1501 /* 1502 * $wp_xmlrpc_server->message looks like this: 1503 * 1504 ( 1505 [message] => 1506 [messageType] => methodCall 1507 [faultCode] => 1508 [faultString] => 1509 [methodName] => pingback.ping 1510 [params] => Array 1511 ( 1512 [0] => http://www.example.net/?p=1 // Site that created the pingback. 1513 [1] => https://www.example.com/?p=2 // Post being pingback'd on this site. 1514 ) 1515 ) 1516 */ 1517 $pingback_args = $wp_xmlrpc_server->message->params; 1518 } 1519 1520 if ( ! empty( $pingback_args[1] ) ) { 1521 $post_id = url_to_postid( $pingback_args[1] ); 1522 1523 // If pingbacks aren't open on this post, we'll still check whether this request is part of a potential DDOS, 1524 // but indicate to the server that pingbacks are indeed closed so we don't include this request in the user's stats, 1525 // since the user has already done their part by disabling pingbacks. 1526 $pingbacks_closed = false; 1527 1528 $post = get_post( $post_id ); 1529 1530 if ( ! $post || ! pings_open( $post ) ) { 1531 $pingbacks_closed = true; 1532 } 1533 1534 // Note: If is_multicall is true and multicall_count=0, then we know this is at least the 2nd pingback we've processed in this multicall. 1535 1536 $comment = array( 1537 'comment_author_url' => $pingback_args[0], 1538 'comment_post_ID' => $post_id, 1539 'comment_author' => '', 1540 'comment_author_email' => '', 1541 'comment_content' => '', 1542 'comment_type' => 'pingback', 1543 'akismet_pre_check' => '1', 1544 'comment_pingback_target' => $pingback_args[1], 1545 'pingbacks_closed' => $pingbacks_closed ? '1' : '0', 1546 'is_multicall' => $is_multicall, 1547 'multicall_count' => $multicall_count, 1548 ); 1549 1550 $comment = self::auto_check_comment( $comment, 'xml-rpc' ); 1551 1552 if ( isset( $comment['akismet_result'] ) && 'true' == $comment['akismet_result'] ) { 1553 // Sad: tightly coupled with the IXR classes. Unfortunately the action provides no context and no way to return anything. 1554 $wp_xmlrpc_server->error( new IXR_Error( 0, 'Invalid discovery target' ) ); 1555 1556 // Also note that if this was part of a multicall, a spam result will prevent the subsequent calls from being executed. 1557 // This is probably fine, but it raises the bar for what should be acceptable as a false positive. 1558 } 1559 } 1560 } 1561 1562 /** 1563 * Ensure that we are loading expected scalar values from akismet_as_submitted commentmeta. 1564 * 1565 * @param mixed $meta_value 1566 * @return mixed 1567 */ 1568 private static function sanitize_comment_as_submitted( $meta_value ) { 1569 if ( empty( $meta_value ) ) { 1570 return $meta_value; 1571 } 1572 1573 $meta_value = (array) $meta_value; 1574 1575 foreach ( $meta_value as $key => $value ) { 1576 if ( ! is_scalar( $value ) ) { 1577 unset( $meta_value[ $key ] ); 1578 } else { 1579 // These can change, so they're not explicitly listed in comment_as_submitted_allowed_keys. 1580 if ( strpos( $key, 'POST_ak_' ) === 0 ) { 1581 continue; 1582 } 1583 1584 if ( ! isset( self::$comment_as_submitted_allowed_keys[ $key ] ) ) { 1585 unset( $meta_value[ $key ] ); 1586 } 1587 } 1588 } 1589 1590 return $meta_value; 1591 } 1592 1593 public static function predefined_api_key() { 1594 if ( defined( 'WPCOM_API_KEY' ) ) { 1595 return true; 1596 } 1597 1598 return apply_filters( 'akismet_predefined_api_key', false ); 1599 } 1600 1601 /** 1602 * Controls the display of a privacy related notice underneath the comment form using the `akismet_comment_form_privacy_notice` option and filter respectively. 1603 * Default is top not display the notice, leaving the choice to site admins, or integrators. 1604 */ 1605 public static function display_comment_form_privacy_notice() { 1606 if ( 'display' !== apply_filters( 'akismet_comment_form_privacy_notice', get_option( 'akismet_comment_form_privacy_notice', 'hide' ) ) ) { 1607 return; 1608 } 1609 echo apply_filters( 1610 'akismet_comment_form_privacy_notice_markup', 1611 '<p class="akismet_comment_form_privacy_notice">' . sprintf( 1612 __( 'This site uses Akismet to reduce spam. <a href="%s" target="_blank" rel="nofollow noopener">Learn how your comment data is processed</a>.', 'akismet' ), 1613 'https://akismet.com/privacy/' 1614 ) . '</p>' 1615 ); 1616 } 1617 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
| Generated: Wed Aug 4 01:00:05 2021 | Cross-referenced by PHPXref 0.7.1 |