Fix for https://bugs.cacert.org/view.php?id=795

"contact form does not signal whether filed request is senstive or open"
11 years ago · ac71b58807
parent aff3516579
commit ac71b58807
5 changed files with 85 additions and 82 deletions
--- a/pages/account/40.php
+++ b/pages/account/40.php
@ -29,15 +29,26 @@ if(!array_key_exists('secrethash',$_SESSION['_config'])) $_SESSION['_config']['s
 <p><?=_("You can alternatively use the form below, however joining the list is the prefered option to support your queries")?></p>
 <form method="post" action="account.php" name="form1">
  <input type="hidden" name="oldid" value="<?=$id?>">
-  <input type="hidden" name="support" value="yes">
+<!--   <input type="hidden" name="support" value="yes"> --> 
  <input type="hidden" name="secrethash2" value="">
-  <table border="0">
-    <tr><td width="90"><?=_("Your Name")?>:</td><td><input type="text" name="who"></td><td>&#160;</td></tr>
-    <tr><td><?=_("Your Email")?>:</td><td><input type="text" name="email"></td></tr>
-    <tr><td><?=_("Subject")?>:</td><td><input type="text" name="subject"></td></tr>
-    <tr><td colspan="2"><textarea name="message" cols="40" rows="10"></textarea></td></tr>
-    <tr><td colspan="3"><font color="#ff0000"><?=_("Warning: Please do not enter confidential data into this form, it is being sent to a public mailinglist. Use the form further below instead.")?></font></td></tr>
-    <tr><td colspan="2"><input type="submit" name="process" value="<?=_("Send")?>"></td></tr>
+  <p class="robotic" id="pot">
+    <label>If you're human leave this blank:</label>
+    <input name="robotest" type="text" id="robotest" class="robotest" />
+  </p>
+<table border="0">
+    <tr><td width="100"><?=_("Your Name")?>:</td><td width="100"><input type="text" name="who"></td><td width="100"></td><td width="100"></td>
+    <tr><td width="100"><?=_("Your Email")?>:</td><td colspan="3"><input type="text" name="email"></td>
+    <tr><td width="100"><?=_("Subject")?>:</td><td colspan="3"><input type="text" name="subject"></td></tr>
+    <tr><td width="100" valign="top"><?=_("Message")?>:</td><td colspan="3"><textarea name="message" cols="70" rows="10"></textarea></td></tr>
+
+    <tr>
+      <td colspan="2"><font color="#ff0000"><?=_("Warning: Please do not use \"send to mailing list\" when you entered confidential data. The request is being sent to a public mailinglist.")?></font></td>
+      <td colspan="2"><?=_("For confidential data use \"send to support\".")?></td>
+    </tr>
+    <tr>
+      <td colspan="2"><input type="submit" name="process[0]" value="<?=_("Send to mailing list")?>"></td>
+      <td colspan="2"><input type="submit" name="process[1]" value="<?=_("Send to support")?>"></td>
+    </tr>
  </table>
 </form>

@ -50,20 +61,6 @@ if(!array_key_exists('secrethash',$_SESSION['_config'])) $_SESSION['_config']['s
 <p><?=_("There are a number of other mailing lists CAcert runs, some are general discussion, others are technical (such as the development list) or platform specific help (such as the list for Apple Mac users)")?></p>
 <p><a href="http://lists.cacert.org/"><?=_("Click here to view all lists available")?></a></p>

-<p><b><?=_("Sensitive Information")?></b></p>
-<p><?=_("If you have questions, comments or otherwise and information you're sending to us contains sensitive details, you should use the contact form below. Due to the large amounts of support emails we receive, sending general questions via this contact form will generally take longer then using the support mailing list. Also sending queries in anything but english could cause delays in supporting you as we'd need to find a translator to help.")?></p>
-<form method="post" action="account.php" name="form2">
-  <input type="hidden" name="secrethash2" value="">
-  <input type="hidden" name="oldid" value="<?=$id?>">
-  <table border="0">
-    <tr><td><?=_("Your Name")?>:</td><td><input type="text" name="who"></td></tr>
-    <tr><td><?=_("Your Email")?>:</td><td><input type="text" name="email"></td></tr>
-    <tr><td><?=_("Subject")?>:</td><td><input type="text" name="subject"></td></tr>
-    <tr><td colspan="2"><textarea name="message" cols="40" rows="10"></textarea></td></tr>
-    <tr><td colspan="2"><input type="submit" name="process" value="<?=_("Send")?>"></td></tr>
-  </table>
-</form>
-
 <p><b><?=_("Security Issues")?></b></p>
 <p><?=sprintf(_("Please use any of the following ways to report security ".
 	"issues: You can use the above contact form for sensitive information. ".
--- a/pages/index/11.php
+++ b/pages/index/11.php
@ -29,15 +29,26 @@ if(!array_key_exists('secrethash',$_SESSION['_config'])) $_SESSION['_config']['s
 <p><?=_("You can alternatively use the form below, however joining the list is the prefered option to support your queries")?></p>
 <form method="post" action="index.php" name="form1">
  <input type="hidden" name="oldid" value="<?=$id?>">
-  <input type="hidden" name="support" value="yes">
+<!--   <input type="hidden" name="support" value="yes"> --> 
  <input type="hidden" name="secrethash2" value="">
+  <p class="robotic" id="pot">
+    <label>If you're human leave this blank:</label>
+    <input name="robotest" type="text" id="robotest" class="robotest" />
+  </p>
  <table border="0">
-    <tr><td width="90"><?=_("Your Name")?>:</td><td><input type="text" name="who"></td><td>&#160;</td></tr>
-    <tr><td><?=_("Your Email")?>:</td><td><input type="text" name="email"></td></tr>
-    <tr><td><?=_("Subject")?>:</td><td><input type="text" name="subject"></td></tr>
-    <tr><td colspan="2"><textarea name="message" cols="40" rows="10"></textarea></td></tr>
-    <tr><td colspan="3"><font color="#ff0000"><?=_("Warning: Please do not enter confidential data into this form, it is being sent to a public mailinglist. Use the form further below instead.")?></font></td></tr>
-    <tr><td colspan="2"><input type="submit" name="process" value="<?=_("Send")?>"></td></tr>
+    <tr><td width="100"><?=_("Your Name")?>:</td><td width="100"><input type="text" name="who"></td><td width="100"></td><td width="100"></td>
+    <tr><td width="100"><?=_("Your Email")?>:</td><td colspan="3"><input type="text" name="email"></td>
+    <tr><td width="100"><?=_("Subject")?>:</td><td colspan="3"><input type="text" name="subject"></td></tr>
+    <tr><td width="100" valign="top"><?=_("Message")?>:</td><td colspan="3"><textarea name="message" cols="70" rows="10"></textarea></td></tr>
+
+    <tr>
+      <td colspan="2"><font color="#ff0000"><?=_("Warning: Please do not use \"send to mailing list\" when you entered confidential data. The request is being sent to a public mailinglist.")?></font></td>
+      <td colspan="2"><?=_("For confidential data use \"send to support\".")?></td>
+    </tr>
+    <tr>
+      <td colspan="2"><input type="submit" name="process[0]" value="<?=_("Send to mailing list")?>"></td>
+      <td colspan="2"><input type="submit" name="process[1]" value="<?=_("Send to support")?>"></td>
+    </tr>
  </table>
 </form>

@ -50,20 +61,6 @@ if(!array_key_exists('secrethash',$_SESSION['_config'])) $_SESSION['_config']['s
 <p><?=_("There are a number of other mailing lists CAcert runs, some are general discussion, others are technical (such as the development list) or platform specific help (such as the list for Apple Mac users)")?></p>
 <p><a href="http://lists.cacert.org/"><?=_("Click here to view all lists available")?></a></p>

-<p><b><?=_("Sensitive Information")?></b></p>
-<p><?=_("If you have questions, comments or otherwise and information you're sending to us contains sensitive details, you should use the contact form below. Due to the large amounts of support emails we receive, sending general questions via this contact form will generally take longer then using the support mailing list. Also sending queries in anything but english could cause delays in supporting you as we'd need to find a translator to help.")?></p>
-<form method="post" action="index.php" name="form2">
-  <input type="hidden" name="secrethash2" value="">
-  <input type="hidden" name="oldid" value="<?=$id?>">
-  <table border="0">
-    <tr><td><?=_("Your Name")?>:</td><td><input type="text" name="who"></td></tr>
-    <tr><td><?=_("Your Email")?>:</td><td><input type="text" name="email"></td></tr>
-    <tr><td><?=_("Subject")?>:</td><td><input type="text" name="subject"></td></tr>
-    <tr><td colspan="2"><textarea name="message" cols="40" rows="10"></textarea></td></tr>
-    <tr><td colspan="2"><input type="submit" name="process" value="<?=_("Send")?>"></td></tr>
-  </table>
-</form>
-
 <p><b><?=_("Security Issues")?></b></p>
 <p><?=sprintf(_("Please use any of the following ways to report security issues: You can use the above contact form for sensitive information. You can email us to support@cacert.org. You can file a bugreport on %s and mark it as private."),"<a href='https://bugs.cacert.org/'>bugs.cacert.org</a>")?></p>

--- a/www/account.php
+++ b/www/account.php
@ -25,34 +25,35 @@
 	} else if($id == 19) {
 		include_once("../pages/account/19.php");
 		exit;
-	} else if($oldid == 40 && $_REQUEST['process'] != "" && $_POST['support'] != "yes") {
-		$who = stripslashes($_REQUEST['who']);
-		$email = stripslashes($_REQUEST['email']);
-		$subject = stripslashes($_REQUEST['subject']);
-		$message = stripslashes($_REQUEST['message']);
-
-                $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
-
-		sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, $email, "", "CAcert Website");
-                showheader(_("Welcome to CAcert.org"));
-                echo _("Your message has been sent.");
-                showfooter();
-                exit;
-	} else if($oldid == 40 && $_REQUEST['process'] != "" && $_POST['support'] == "yes") {
+	} else if($oldid == 40 && $_REQUEST['process'] != "") {
 		$who = stripslashes($_REQUEST['who']);
 		$email = stripslashes($_REQUEST['email']);
 		$subject = stripslashes($_REQUEST['subject']);
 		$message = stripslashes($_REQUEST['message']);

+		//check for spam via honeypot
+		if(!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest'])){ 
+			echo _("Form could not be sent.");
+			showfooter();
+			exit;
+		}

-                $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
+		$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
+		if (isset($process[0])){
+			sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
+			showheader(_("Welcome to CAcert.org"));
+			echo _("Your message has been sent to the general support list.");
+			showfooter();
+			exit;
+		}
+		if (isset($process[1])){
+			sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
+			showheader(_("Welcome to CAcert.org"));
+			echo _("Your message has been sent.");
+			showfooter();
+			exit;
+		}

-                sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert Website");
-		
-                showheader(_("Welcome to CAcert.org"));
-                echo _("Your message has been sent to the general support list.");
-                showfooter();
-                exit;
 	} else if($id == 51 && $_GET['img'] == "show") {
 		$query = "select * from `tverify` where `id`='".intval($_GET['photoid'])."' and `modified`=0";
 		$res = mysql_query($query);
--- a/www/index.php
+++ b/www/index.php
@ -563,6 +563,13 @@ require_once('../includes/lib/l10n.php');
 		$subject = stripslashes($_REQUEST['subject']);
 		$message = stripslashes($_REQUEST['message']);
 		$secrethash = $_REQUEST['secrethash2'];
+		
+		//check for spam via honeypot
+		if(!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest'])){ 
+			echo _("Form could not be sent.");
+			showfooter();
+			exit;
+		}

 		if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "")
 		{
@ -603,26 +610,23 @@ require_once('../includes/lib/l10n.php');
 		}
 	}

-	if($oldid == 11 && $process != "" && $_REQUEST['support'] != "yes")
-	{
-		$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
-
-		sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
-		showheader(_("Welcome to CAcert.org"));
-		echo _("Your message has been sent.");
-		showfooter();
-		exit;
-	}
-
-	if($oldid == 11 && $process != "" && $_REQUEST['support'] == "yes")
+	if($oldid == 11 && $process != "")
 	{
 		$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
-
-		sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
-		showheader(_("Welcome to CAcert.org"));
-		echo _("Your message has been sent to the general support list.");
-		showfooter();
-		exit;
+		if (isset($process[0])){
+			sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
+			showheader(_("Welcome to CAcert.org"));
+			echo _("Your message has been sent to the general support list.");
+			showfooter();
+			exit;
+		}
+		if (isset($process[1])){
+			sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
+			showheader(_("Welcome to CAcert.org"));
+			echo _("Your message has been sent.");
+			showfooter();
+			exit;
+		}
 	}

 	if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900)
--- a/www/styles/default.css
+++ b/www/styles/default.css
@ -651,3 +651,7 @@ div.footerbar {
  padding: 10px 10px 10px 10px;
 }

+/************ Honeypot  ***********/
+
+.robotic { display: none; }
+