From ac71b5880727a274e1d9ee7abc4080678e04df43 Mon Sep 17 00:00:00 2001
From: Wytze van der Raay <wytze@cacert.org>
Date: Thu, 17 Jan 2013 15:08:07 +0000
Subject: [PATCH] Fix for https://bugs.cacert.org/view.php?id=795 "contact form
 does not signal whether filed request is senstive or open"

---
 pages/account/40.php   | 41 +++++++++++++++++++---------------------
 pages/index/11.php     | 39 ++++++++++++++++++--------------------
 www/account.php        | 43 +++++++++++++++++++++---------------------
 www/index.php          | 40 +++++++++++++++++++++------------------
 www/styles/default.css |  4 ++++
 5 files changed, 85 insertions(+), 82 deletions(-)

diff --git a/pages/account/40.php b/pages/account/40.php
index 4877d79..a809595 100644
--- a/pages/account/40.php
+++ b/pages/account/40.php
@@ -29,15 +29,26 @@ if(!array_key_exists('secrethash',$_SESSION['_config'])) $_SESSION['_config']['s
 <p><?=_("You can alternatively use the form below, however joining the list is the prefered option to support your queries")?></p>
 <form method="post" action="account.php" name="form1">
   <input type="hidden" name="oldid" value="<?=$id?>">
-  <input type="hidden" name="support" value="yes">
+<!--   <input type="hidden" name="support" value="yes"> --> 
   <input type="hidden" name="secrethash2" value="">
-  <table border="0">
-    <tr><td width="90"><?=_("Your Name")?>:</td><td><input type="text" name="who"></td><td>&#160;</td></tr>
-    <tr><td><?=_("Your Email")?>:</td><td><input type="text" name="email"></td></tr>
-    <tr><td><?=_("Subject")?>:</td><td><input type="text" name="subject"></td></tr>
-    <tr><td colspan="2"><textarea name="message" cols="40" rows="10"></textarea></td></tr>
-    <tr><td colspan="3"><font color="#ff0000"><?=_("Warning: Please do not enter confidential data into this form, it is being sent to a public mailinglist. Use the form further below instead.")?></font></td></tr>
-    <tr><td colspan="2"><input type="submit" name="process" value="<?=_("Send")?>"></td></tr>
+  <p class="robotic" id="pot">
+    <label>If you're human leave this blank:</label>
+    <input name="robotest" type="text" id="robotest" class="robotest" />
+  </p>
+<table border="0">
+    <tr><td width="100"><?=_("Your Name")?>:</td><td width="100"><input type="text" name="who"></td><td width="100"></td><td width="100"></td>
+    <tr><td width="100"><?=_("Your Email")?>:</td><td colspan="3"><input type="text" name="email"></td>
+    <tr><td width="100"><?=_("Subject")?>:</td><td colspan="3"><input type="text" name="subject"></td></tr>
+    <tr><td width="100" valign="top"><?=_("Message")?>:</td><td colspan="3"><textarea name="message" cols="70" rows="10"></textarea></td></tr>
+
+    <tr>
+      <td colspan="2"><font color="#ff0000"><?=_("Warning: Please do not use \"send to mailing list\" when you entered confidential data. The request is being sent to a public mailinglist.")?></font></td>
+      <td colspan="2"><?=_("For confidential data use \"send to support\".")?></td>
+    </tr>
+    <tr>
+      <td colspan="2"><input type="submit" name="process[0]" value="<?=_("Send to mailing list")?>"></td>
+      <td colspan="2"><input type="submit" name="process[1]" value="<?=_("Send to support")?>"></td>
+    </tr>
   </table>
 </form>
 
@@ -50,20 +61,6 @@ if(!array_key_exists('secrethash',$_SESSION['_config'])) $_SESSION['_config']['s
 <p><?=_("There are a number of other mailing lists CAcert runs, some are general discussion, others are technical (such as the development list) or platform specific help (such as the list for Apple Mac users)")?></p>
 <p><a href="http://lists.cacert.org/"><?=_("Click here to view all lists available")?></a></p>
 
-<p><b><?=_("Sensitive Information")?></b></p>
-<p><?=_("If you have questions, comments or otherwise and information you're sending to us contains sensitive details, you should use the contact form below. Due to the large amounts of support emails we receive, sending general questions via this contact form will generally take longer then using the support mailing list. Also sending queries in anything but english could cause delays in supporting you as we'd need to find a translator to help.")?></p>
-<form method="post" action="account.php" name="form2">
-  <input type="hidden" name="secrethash2" value="">
-  <input type="hidden" name="oldid" value="<?=$id?>">
-  <table border="0">
-    <tr><td><?=_("Your Name")?>:</td><td><input type="text" name="who"></td></tr>
-    <tr><td><?=_("Your Email")?>:</td><td><input type="text" name="email"></td></tr>
-    <tr><td><?=_("Subject")?>:</td><td><input type="text" name="subject"></td></tr>
-    <tr><td colspan="2"><textarea name="message" cols="40" rows="10"></textarea></td></tr>
-    <tr><td colspan="2"><input type="submit" name="process" value="<?=_("Send")?>"></td></tr>
-  </table>
-</form>
-
 <p><b><?=_("Security Issues")?></b></p>
 <p><?=sprintf(_("Please use any of the following ways to report security ".
 	"issues: You can use the above contact form for sensitive information. ".
diff --git a/pages/index/11.php b/pages/index/11.php
index 01eca3a..d1ef4df 100644
--- a/pages/index/11.php
+++ b/pages/index/11.php
@@ -29,15 +29,26 @@ if(!array_key_exists('secrethash',$_SESSION['_config'])) $_SESSION['_config']['s
 <p><?=_("You can alternatively use the form below, however joining the list is the prefered option to support your queries")?></p>
 <form method="post" action="index.php" name="form1">
   <input type="hidden" name="oldid" value="<?=$id?>">
-  <input type="hidden" name="support" value="yes">
+<!--   <input type="hidden" name="support" value="yes"> --> 
   <input type="hidden" name="secrethash2" value="">
+  <p class="robotic" id="pot">
+    <label>If you're human leave this blank:</label>
+    <input name="robotest" type="text" id="robotest" class="robotest" />
+  </p>
   <table border="0">
-    <tr><td width="90"><?=_("Your Name")?>:</td><td><input type="text" name="who"></td><td>&#160;</td></tr>
-    <tr><td><?=_("Your Email")?>:</td><td><input type="text" name="email"></td></tr>
-    <tr><td><?=_("Subject")?>:</td><td><input type="text" name="subject"></td></tr>
-    <tr><td colspan="2"><textarea name="message" cols="40" rows="10"></textarea></td></tr>
-    <tr><td colspan="3"><font color="#ff0000"><?=_("Warning: Please do not enter confidential data into this form, it is being sent to a public mailinglist. Use the form further below instead.")?></font></td></tr>
-    <tr><td colspan="2"><input type="submit" name="process" value="<?=_("Send")?>"></td></tr>
+    <tr><td width="100"><?=_("Your Name")?>:</td><td width="100"><input type="text" name="who"></td><td width="100"></td><td width="100"></td>
+    <tr><td width="100"><?=_("Your Email")?>:</td><td colspan="3"><input type="text" name="email"></td>
+    <tr><td width="100"><?=_("Subject")?>:</td><td colspan="3"><input type="text" name="subject"></td></tr>
+    <tr><td width="100" valign="top"><?=_("Message")?>:</td><td colspan="3"><textarea name="message" cols="70" rows="10"></textarea></td></tr>
+
+    <tr>
+      <td colspan="2"><font color="#ff0000"><?=_("Warning: Please do not use \"send to mailing list\" when you entered confidential data. The request is being sent to a public mailinglist.")?></font></td>
+      <td colspan="2"><?=_("For confidential data use \"send to support\".")?></td>
+    </tr>
+    <tr>
+      <td colspan="2"><input type="submit" name="process[0]" value="<?=_("Send to mailing list")?>"></td>
+      <td colspan="2"><input type="submit" name="process[1]" value="<?=_("Send to support")?>"></td>
+    </tr>
   </table>
 </form>
 
@@ -50,20 +61,6 @@ if(!array_key_exists('secrethash',$_SESSION['_config'])) $_SESSION['_config']['s
 <p><?=_("There are a number of other mailing lists CAcert runs, some are general discussion, others are technical (such as the development list) or platform specific help (such as the list for Apple Mac users)")?></p>
 <p><a href="http://lists.cacert.org/"><?=_("Click here to view all lists available")?></a></p>
 
-<p><b><?=_("Sensitive Information")?></b></p>
-<p><?=_("If you have questions, comments or otherwise and information you're sending to us contains sensitive details, you should use the contact form below. Due to the large amounts of support emails we receive, sending general questions via this contact form will generally take longer then using the support mailing list. Also sending queries in anything but english could cause delays in supporting you as we'd need to find a translator to help.")?></p>
-<form method="post" action="index.php" name="form2">
-  <input type="hidden" name="secrethash2" value="">
-  <input type="hidden" name="oldid" value="<?=$id?>">
-  <table border="0">
-    <tr><td><?=_("Your Name")?>:</td><td><input type="text" name="who"></td></tr>
-    <tr><td><?=_("Your Email")?>:</td><td><input type="text" name="email"></td></tr>
-    <tr><td><?=_("Subject")?>:</td><td><input type="text" name="subject"></td></tr>
-    <tr><td colspan="2"><textarea name="message" cols="40" rows="10"></textarea></td></tr>
-    <tr><td colspan="2"><input type="submit" name="process" value="<?=_("Send")?>"></td></tr>
-  </table>
-</form>
-
 <p><b><?=_("Security Issues")?></b></p>
 <p><?=sprintf(_("Please use any of the following ways to report security issues: You can use the above contact form for sensitive information. You can email us to support@cacert.org. You can file a bugreport on %s and mark it as private."),"<a href='https://bugs.cacert.org/'>bugs.cacert.org</a>")?></p>
 
diff --git a/www/account.php b/www/account.php
index 0b32c2c..c7f34a3 100644
--- a/www/account.php
+++ b/www/account.php
@@ -25,34 +25,35 @@
 	} else if($id == 19) {
 		include_once("../pages/account/19.php");
 		exit;
-	} else if($oldid == 40 && $_REQUEST['process'] != "" && $_POST['support'] != "yes") {
-		$who = stripslashes($_REQUEST['who']);
-		$email = stripslashes($_REQUEST['email']);
-		$subject = stripslashes($_REQUEST['subject']);
-		$message = stripslashes($_REQUEST['message']);
-
-                $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
-
-		sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, $email, "", "CAcert Website");
-                showheader(_("Welcome to CAcert.org"));
-                echo _("Your message has been sent.");
-                showfooter();
-                exit;
-	} else if($oldid == 40 && $_REQUEST['process'] != "" && $_POST['support'] == "yes") {
+	} else if($oldid == 40 && $_REQUEST['process'] != "") {
 		$who = stripslashes($_REQUEST['who']);
 		$email = stripslashes($_REQUEST['email']);
 		$subject = stripslashes($_REQUEST['subject']);
 		$message = stripslashes($_REQUEST['message']);
 
+		//check for spam via honeypot
+		if(!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest'])){ 
+			echo _("Form could not be sent.");
+			showfooter();
+			exit;
+		}
 
-                $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
+		$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
+		if (isset($process[0])){
+			sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
+			showheader(_("Welcome to CAcert.org"));
+			echo _("Your message has been sent to the general support list.");
+			showfooter();
+			exit;
+		}
+		if (isset($process[1])){
+			sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
+			showheader(_("Welcome to CAcert.org"));
+			echo _("Your message has been sent.");
+			showfooter();
+			exit;
+		}
 
-                sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert Website");
-		
-                showheader(_("Welcome to CAcert.org"));
-                echo _("Your message has been sent to the general support list.");
-                showfooter();
-                exit;
 	} else if($id == 51 && $_GET['img'] == "show") {
 		$query = "select * from `tverify` where `id`='".intval($_GET['photoid'])."' and `modified`=0";
 		$res = mysql_query($query);
diff --git a/www/index.php b/www/index.php
index 41b6d7a..35d22d7 100644
--- a/www/index.php
+++ b/www/index.php
@@ -563,6 +563,13 @@ require_once('../includes/lib/l10n.php');
 		$subject = stripslashes($_REQUEST['subject']);
 		$message = stripslashes($_REQUEST['message']);
 		$secrethash = $_REQUEST['secrethash2'];
+		
+		//check for spam via honeypot
+		if(!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest'])){ 
+			echo _("Form could not be sent.");
+			showfooter();
+			exit;
+		}
 
 		if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "")
 		{
@@ -603,26 +610,23 @@ require_once('../includes/lib/l10n.php');
 		}
 	}
 
-	if($oldid == 11 && $process != "" && $_REQUEST['support'] != "yes")
-	{
-		$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
-
-		sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
-		showheader(_("Welcome to CAcert.org"));
-		echo _("Your message has been sent.");
-		showfooter();
-		exit;
-	}
-
-	if($oldid == 11 && $process != "" && $_REQUEST['support'] == "yes")
+	if($oldid == 11 && $process != "")
 	{
 		$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
-
-		sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
-		showheader(_("Welcome to CAcert.org"));
-		echo _("Your message has been sent to the general support list.");
-		showfooter();
-		exit;
+		if (isset($process[0])){
+			sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
+			showheader(_("Welcome to CAcert.org"));
+			echo _("Your message has been sent to the general support list.");
+			showfooter();
+			exit;
+		}
+		if (isset($process[1])){
+			sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
+			showheader(_("Welcome to CAcert.org"));
+			echo _("Your message has been sent.");
+			showfooter();
+			exit;
+		}
 	}
 
 	if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900)
diff --git a/www/styles/default.css b/www/styles/default.css
index 9fdd85c..c97e429 100644
--- a/www/styles/default.css
+++ b/www/styles/default.css
@@ -651,3 +651,7 @@ div.footerbar {
   padding: 10px 10px 10px 10px;
 }
 
+/************ Honeypot  ***********/
+
+.robotic { display: none; }
+