modules/httpbl/httpbl.module

<?php

// $Id: httpbl.module,v 1.21 2009/09/17 21:30:27 praseodym Exp $

/**
 * @file
 * Implementation of http:BL for Drupal. It provides IP-based
 * blacklisting through http:BL and allows linking to a honeypot.
 *
 * @author Mark Janssen (praseodym)
 * @link http://drupal.org/project/httpbl
 * @link http://httpbl.org/
 */

/**
 *
 * Version 6.x-dev
 * Contact: praseodym (at) gmail (dot) com
 *
 * Feel free to improve this module, but please contact the author with any
 * changes you make so they can be implemented into the 'official' version.
 *
 */
 
/**
 * Cache levels.
 */
define('HTTPBL_CACHE_OFF',      0); // Cache is off
define('HTTPBL_CACHE_DB',       1); // Only database cache
define('HTTPBL_CACHE_DBDRUPAL', 2); // Both database cache and Drupal access table

/**
 * Blacklist levels.
 */
define('HTTPBL_LIST_SAFE',  0); // Not listed (or very low threat)
define('HTTPBL_LIST_GREY',  2); // Greylisted: session whitelist request permitted
define('HTTPBL_LIST_BLACK', 1); // Blacklisted: all requests blocked.

/**
 * Threshold levels.
 */
define('HTTPBL_THRESHOLD_GREY',   1); // Threshold under which a user is allowed, and above which a user is greylisted
define('HTTPBL_THRESHOLD_BLACK', 50); // Threshold under which a user is greylisted, and above which a user is blacklisted

/**
 * Check levels.
 */
define('HTTPBL_CHECK_NONE',     0); // Check nowhere
define('HTTPBL_CHECK_COMMENTS', 1); // Check only comments
define('HTTPBL_CHECK_ALL',      2); // Check all requests


/**
 * Implementation of hook_menu().
 */
function httpbl_menu() {
  $items['httpbl/whitelist'] = array(
   'title' => 'Request whitelisting',
   'page callback' => 'drupal_get_form',
   'page arguments' => array('httpbl_request_whitelist'),
   'access callback' => 'httpbl_whitelist_access',
   'access arguments' => array(),
   'type' => MENU_CALLBACK,
  );
  $items['admin/settings/httpbl'] = array(
   'title' => 'http:BL',
   'description' => 'Manage http:BL settings.',
   'page callback' => 'drupal_get_form',
   'page arguments' => array('httpbl_admin_settings'),
   'access arguments' => array('administer site configuration'),
  );

  return $items;
}

/**
 * Implementation of hook_boot().
 */
function httpbl_boot() {
  // Only continue when checks are enabled
  if (variable_get('httpbl_check', HTTPBL_CHECK_NONE) == HTTPBL_CHECK_NONE) {
    return;
  }

  $result = httpbl_check();
  if ($result) {
    if ($result == HTTPBL_LIST_GREY) {
      if ($_GET['q'] == 'httpbl/whitelist') {
        return;
      }
      $message = 'Sorry, %ip has been greylisted by <a href="%ipurl">http:BL</a>.<br>You may try whitelisting on <a href="%whitelisturl">%whitelisturl</a>.%honeypot';
    }
    else if ($result == HTTPBL_LIST_BLACK) {
      $message = 'Sorry, %ip has been blacklisted by <a href="%ipurl">http:BL</a>.%honeypot';
    }

    if ($link = variable_get('httpbl_link', NULL)) {
      $word = variable_get('httpbl_word', 'randomness');
      $link = httpbl_honeylink($link, $word);
    }

    $message = strtr($message, array('%ip' => ip_address(), '%ipurl' => _httpbl_ipdata(ip_address(), FALSE), '%honeypot' => $link, '%whitelisturl' => _httpbl_url('/httpbl/whitelist')));

    header('HTTP/1.1 403 Forbidden');
    echo $message;
    exit();
  }
}

/**
 * Implementation of hook_comment().
 */
function httpbl_comment($comment, $op) {
  if (variable_get('httpbl_check', HTTPBL_CHECK_NONE) != HTTPBL_CHECK_COMMENTS) {
    return;
  }

  switch ($op) {
  case 'insert':
  case 'update':
    $comment = (object)$comment;

    if (httpbl_check()) {
      // Unpublish and inform the user.
      $operation = comment_operations('unpublish');
      $query = $operation['unpublish'][1];
      db_query($query, $comment->cid);
      drupal_set_message(t('Your comment has been queued for moderation by site administrators and will be published after approval.'));

      // Add to our statistics
      if (variable_get('httpbl_stats', TRUE)) {
        variable_set('httpbl_stat_comment', variable_get('httpbl_stat_comment', 0)+1);
      }
    }
    return;
  }
}


/**
 * Check if an IP should be banned
 *
 * @return constant: HTTP_LIST_*
 */

function httpbl_check() {
  static $result;
  // Result was already calculated -- return.
  if (is_int($result)) {
    return $result;
  }
  
  $ip = ip_address();
  
  // Check if user is whitelisted in any way
  if (_httpbl_whitelisted($ip)) {
    $result = HTTPBL_LIST_SAFE;
  }
  // Cache is enabled - do a cache lookup
  else if ($cache = variable_get('httpbl_cache', HTTPBL_CACHE_DBDRUPAL)) {
    $result = _httpbl_cache_get($ip);
  }
  
  if (!(is_numeric($result))) {
    // Do a DNS lookup, and continue if lookup was succesful
    if ($response = httpbl_dnslookup($ip)) {
      $stats = variable_get('httpbl_stats', TRUE);
      
      // Blacklist?
      if ($response['threat'] > HTTPBL_THRESHOLD_BLACK && $response['type']) {
        if (variable_get('httpbl_log', FALSE)) {
          watchdog('httpbl', '%ip was blacklisted (%response)', array('%ip' => $ip, '%response' => $response['raw']), WATCHDOG_WARNING, _httpbl_ipdata($ip));
        }
        if ($stats) {
          variable_set('httpbl_stat_black', variable_get('httpbl_stat_black', 0)+1);
        }
        $result = HTTPBL_LIST_BLACK;
      }
      // Greylist?
      else if ($response['threat'] > HTTPBL_THRESHOLD_GREY && $response['type']) {
        if (variable_get('httpbl_log', FALSE)) {
          watchdog('httpbl', '%ip was greylisted (%response)', array('%ip' => $ip, '%response' => $response['raw']), WATCHDOG_WARNING, _httpbl_ipdata($ip));
        }
        if ($stats) {
          variable_set('httpbl_stat_grey', variable_get('httpbl_stat_grey', 0)+1);
        }
        $result = HTTPBL_LIST_GREY;
      }
      // Listed, but safe
      else {
        $result = HTTPBL_LIST_SAFE;
      }

      // Cache results
      if ($cache) {
        _httpbl_cache_set($ip, $result, 7200);
      }
    }
    // No result, safe
    else {
      if ($cache) {
        _httpbl_cache_set($ip, HTTPBL_LIST_SAFE, 10800);
      }
      $result = HTTPBL_LIST_SAFE;
    }
  }

  return $result;
}

/**
 * Implementation of hook_settings().
 */
function httpbl_admin_settings() {
  if (!$_POST && (!variable_get('httpbl_accesskey', NULL) || !variable_get('httpbl_check', HTTPBL_CHECK_NONE))) {
    drupal_set_message(t('Blacklist lookups are currently disabled; enter your access key below and enable checks to enable blacklist lookups.'), 'error');
  }

  $form['core'] = array(
    '#type' => 'fieldset',
    '#title' => t('http:BL'),
    '#description' => t('For more information about http:BL, see the <a href="http://www.projecthoneypot.org/httpbl.php">http:BL homepage</a>.'),
    '#collapsible' => TRUE,
  );

  $form['core']['httpbl_accesskey'] = array(
    '#type' => 'textfield',
    '#title' => t('http:BL Access Key'),
    '#default_value' => variable_get('httpbl_accesskey', NULL),
    '#description' => t('Your http:BL <a href="http://www.projecthoneypot.org/httpbl_configure.php">Access Key</a>.'),
    '#size' => 20,
    '#maxlength' => 12,
  );

  $form['core']['httpbl_check'] = array(
    '#type' => 'radios',
    '#title' => t('Blacklist checks'),
    '#default_value' => variable_get('httpbl_check', HTTPBL_CHECK_NONE),
    '#options' => array(
      t('Disabled'),
      t('On comment submissions'),
      t('On all requests'),
    ),
    '#description' => t('At what times the blacklist should be checked.'),
  );

  $form['honeypot'] = array(
    '#type' => 'fieldset',
    '#title' => t('Honeypot'),
    '#description' => t('Your Honeypot (spam trap) settings. For more information, see the <a href="http://www.projecthoneypot.org/">Project Honey Pot homepage</a>.'),
    '#collapsible' => TRUE,
  );

  $form['honeypot']['httpbl_footer'] = array(
    '#type' => 'checkbox',
    '#title' => t('Add link to footer'),
    '#default_value' => variable_get('httpbl_footer', FALSE),
    '#description' => t('Whether to add your honeypot link to the footer of every page.'),
  );

  $form['honeypot']['httpbl_link'] = array(
    '#type' => 'textfield',
    '#title' => t('Honeypot link'),
    '#default_value' => variable_get('httpbl_link', NULL),
    '#description' => t('Your Honeypot (spam trap) link. This can be one of your <a href="http://www.projecthoneypot.org/manage_honey_pots.php">own Honey Pots</a> or a <a href="http://www.projecthoneypot.org/manage_quicklink.php">QuickLink</a>.'),
  );

  $form['honeypot']['httpbl_word'] = array(
    '#type' => 'textfield',
    '#title' => t('Link word'),
    '#default_value' => variable_get('httpbl_word', 'randomness'),
    '#description' => t('A random word which will be used as a link.'),
  );

  $form['advanced'] = array(
    '#type' => 'fieldset',
    '#title' => t('Advanced'),
    '#collapsible' => TRUE,
    '#collapsed' => TRUE,
  );

  $form['advanced']['httpbl_log'] = array(
    '#type' => 'checkbox',
    '#title' => t('Verbose watchdog logging'),
    '#default_value' => variable_get('httpbl_log', FALSE),
    '#description' => t('Logs all positive lookups in the watchdog.'),
  );

  $form['advanced']['httpbl_stats'] = array(
    '#type' => 'checkbox',
    '#title' => t('Enable statistics'),
    '#default_value' => variable_get('httpbl_stats', TRUE),
    '#description' => t('Whether to enable counting of positive lookups. Statistics are show on the Drupal <a href="@statusreport">Status report page</a>.', array('@statusreport' => url('admin/reports/status'))),
    );
  
  $form['advanced']['httpbl_cache'] = array(
    '#type' => 'radios',
    '#title' => t('Caching'),
    '#default_value' => variable_get('httpbl_cache', HTTPBL_CACHE_DBDRUPAL),
    '#options' => array(
      t('Off'),
      t('Database cache'),
      t('Database cache and Drupal access table'),
    ),
    '#description' => t('Whether to enable database-based caching. Note that when this is disabled, IPs that fail the session whitelist test cannot be banned. The Drupal access table allows visitors to be blocked in the early stages of the bootstrap.'),
  );

  return system_settings_form($form);
}

/**
 * Form API callback to validate the httpbl settings form.
 */
function httpbl_admin_settings_validate($form, &$form_state) {
  $key = $form_state['values']['httpbl_accesskey'];

  if ($form_state['values']['httpbl_check'] && !$key) {
    form_set_error('httpbl_accesskey', t('You must enter an access key to enable blacklist checks.'));
  }

  if ($form_state['values']['httpbl_footer'] && !$form_state['values']['httpbl_link']) {
    form_set_error('httpbl_link', t('You must enter a link to be able to add it to the footer.'));
  }

  if ($key) {
    // Key should be 12 lowercase alpha characters.
    // There's no unicode allowed, so we're not using drupal_strlen().
    if (ereg('[^a-z]', $key) || strlen($key) != 12) {
      form_set_error('httpbl_accesskey', t('Your access key is formatted incorrectly.'));
    }
    else if (!count(form_get_errors())) {
      // Do a test lookup (with known result).
      $lookup = httpbl_dnslookup('127.1.80.1', $key);
      if (!$lookup || $lookup['threat'] != 80) {
        form_set_error('httpbl_accesskey', t('Testcase failed. This either means that your access key is incorrect or that there is a problem in your DNS system.'));
      }
      else {
        drupal_set_message('http:BL test completed successfully.');
      }
    }
  }

}

/**
 * Implementation of hook_footer().
 *
 * Adds a Project Honeypot link to the footer.
 */
function httpbl_footer($main = 0) {
  if (variable_get('httpbl_footer', FALSE)) {
    $link = variable_get('httpbl_link', NULL);
    $word = variable_get('httpbl_word', 'randomness');
    return httpbl_honeylink($link, $word);
  }
}

/**
 * Implementation of hook_requirements().
 *
 * Shows some basic usage statistics for the module.
 */
function httpbl_requirements($phase) {
  $requirements = array();

  if ($phase == 'runtime') {
    if (!variable_get('httpbl_accesskey', NULL) || !variable_get('httpbl_check', HTTPBL_CHECK_NONE)) {
      $requirements['httpbl'] = array(
        'description' => t('IP blacklist lookups are currently disabled; enter your access key <a href="@settings">on the settings page</a> and enable checks to enable blacklist lookups.', array('@settings' => url('admin/settings/httpbl'))),
        'severity' => REQUIREMENT_ERROR,
        'value' => t('Disabled'),
      );
      if (variable_get('httpbl_footer', FALSE)) {
        $requirements['httpbl']['severity'] = REQUIREMENT_WARNING;
      }
    }
    else {
      $stat_black = variable_get('httpbl_stat_black', 0);
      $stat_comment = variable_get('httpbl_stat_comment', 0);
      $stat_grey = variable_get('httpbl_stat_grey', 0);

      if (!variable_get('httpbl_stats', TRUE)) {
        $requirements['httpbl'] = array(
          'description' => t('http:BL is enabled.'),
          'severity' => REQUIREMENT_OK,
          'value' => t('Enabled'),
        );
      }
      else if (variable_get('httpbl_check', HTTPBL_CHECK_NONE) == HTTPBL_CHECK_COMMENTS) {
        $requirements['httpbl'] = array(
          'description' => t('http:BL is enabled and has blocked @c comments.', array('@c' => $stat_comment)),
          'severity' => REQUIREMENT_OK,
          'value' => t('Enabled'),
        );
      }
      else if (variable_get('httpbl_check', HTTPBL_CHECK_NONE) == HTTPBL_CHECK_ALL) {
        $requirements['httpbl'] = array(
          'description' => t('http:BL is enabled and has blocked @t visits (@b blacklisted and @g greylisted).', array('@t' => $stat_grey+$stat_black, '@b' => $stat_black, '@g' => $stat_grey)),
          'severity' => REQUIREMENT_OK,
          'value' => t('Enabled'),
        );
      }
      if (!variable_get('httpbl_footer', FALSE)) {
        $requirements['httpbl']['severity'] = REQUIREMENT_WARNING;
        $requirements['httpbl']['description'] .= ' '. t('However, the honeypot link is not enabled.');
      }
    }

    $requirements['httpbl']['title'] = t('http:BL');
  }

  return $requirements;
}

/**
 * Implementation of hook_cron().
 *
 * Cleans old results from the cache table and also Drupal access table if appropriate.
 */
function httpbl_cron() {
  // Only continue when caching is enabled
  if (variable_get('httpbl_cache', HTTPBL_CACHE_OFF)) {
    if (variable_get('httpbl_cache', HTTPBL_CACHE_OFF) == HTTPBL_CACHE_DBDRUPAL) {
      // Also check status so that we do not accidentally delete the site's custom access rules.
      db_query("DELETE FROM {access} WHERE mask IN (SELECT hostname FROM {httpbl} WHERE status > 0 AND expire <= %d)", time());
    }
    db_query("DELETE FROM {httpbl} WHERE expire <= %d", time());
  }
}

/**
 * Return HTML code with hidden Honeypot link
 * in one of the many styles.
 *
 * @param string $link
 * @param string $word
 * @return string
 */
function httpbl_honeylink($link, $word) {
  if (!$link) {
    return;
  }
  switch (mt_rand(0, 7)) {
    case 0:
      return '<div><a href="'. $link .'"><!-- '. $word .' --></a></div>';
    case 1:
      return '<div><a href="'. $link .'" style="display: none;">'. $word .'</a></div>';
    case 2:
      return '<div style="display: none;"><a href="'. $link .'">'. $word .'</a></div>';
    case 3:
      return '<div><a href="'. $link .'"></a></div>';
    case 4:
      return '<!-- <a href="'. $link .'">'. $word .'</a> -->';
    case 5:
      return '<div style="position: absolute; top: -250px; left: -250px;"><a href="'. $link .'">'. $word .'</a></div>';
    case 6:
      return '<div><a href="'. $link .'"><span style="display: none;">'. $word .'</span></a></div>';
    case 7:
      return '<div style="height: 0px; width: 0px;"><a href="'. $link .'">'. $word .'</a></div>';
  }
}

/**
 * Check if an IP is known to belong to a search engine
 *
 * @param string $ip
 * @return bool
 */

function httpbl_se($ip = NULL) {
  if ($response = httpbl_dnslookup($ip)) {
    $iplink = _httpbl_ipdata($ip);
    return ($response['search_engine'] === TRUE);
  }
  else {
    return FALSE;
  }
}

/**
 * Reverse IP octets
 *
 * @param string $ip
 * @return string
 */
function _httpbl_reverse_ip($ip) {
  if (!is_numeric(str_replace('.', '', $ip))) {
    return NULL;
  }
  
  $ip = explode('.', $ip);

  if (count($ip) != 4) {
    return NULL;
  }

  return $ip[3] .'.'. $ip[2] .'.'. $ip[1] .'.'. $ip[0];
}

/**
 * Determine whether a user has access to the session whitelist functionality.
 */
function httpbl_whitelist_access() {
  return (httpbl_check() == HTTPBL_LIST_GREY);
}

/**
 * Form to request a session whitelist.
 */
function httpbl_request_whitelist() {
  $form['#redirect'] = 'node';

  $form['reason'] = array(
    '#type' => 'textarea',
    '#title' => t('Reason you were blocked'),
    '#size' => 60,
    '#required' => TRUE,
  );

  $form['block'] = array(
    '#type' => 'textfield',
    '#title' => t('Leave this blank'),
    '#size' => 15,
  );

  $form['leave'] = array(
    '#type' => 'textfield',
    '#size' => 30,
    '#attributes' => array('style' => 'display: none')
  );

  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Whitelist request'),
  );

  return $form;
}

/**
 * Validate session whitelist request.
 * Ban the user if one of the 'forbidden' fields were filled.
 */
function httpbl_request_whitelist_validate($form, &$form_state) {
  $ip = ip_address();
  $iplink = _httpbl_ipdata($ip);

  if ($form_state['values']['block'] || $form_state['values']['leave']) {
    if (variable_get('httpbl_cache', HTTPBL_CACHE_OFF)) {
      _httpbl_cache_update($ip, 1, 86400);
      watchdog('httpbl', '%ip failed session whitelist request, blacklisted for 24 hours.', array('%ip' => $ip), WATCHDOG_WARNING, $iplink);
      print t('Whitelist request failed; your IP has been blacklisted for 24 hours.');
      exit();
    }
    else {
      watchdog('httpbl', '%ip failed session whitelist request.', array('%ip' => $ip), WATCHDOG_WARNING, $iplink);
      print t('Whitelist request failed.');
      exit();
    }
  }

  if (variable_get('httpbl_log', FALSE)) {
    watchdog('httpbl', '%ip tried a whitelist request', array('%ip' => $ip), WATCHDOG_NOTICE, $iplink);
  }
}

/**
 * Grant the session whitelist.
 */
function httpbl_request_whitelist_submit($form, &$form_state) {
  $ip = ip_address();
  $iplink = _httpbl_ipdata($ip);

  watchdog('httpbl', 'Session from %ip whitelisted. Reason for block: @reason', array('%ip' => $ip, '@reason' => check_plain($form_state['values']['reason'])), WATCHDOG_WARNING, $iplink);
  drupal_set_message(t('The current session has been whitelisted.'));
  $_SESSION['httpbl_status'] = 'white';
  drupal_goto('/');
}

/**
 * Do http:BL DNS lookup
 *
 * @param string $ip
 * @param string $key
 * @return array
 */

function httpbl_dnslookup($ip, $key = NULL) {
  // Thanks to J.Wesley2 at
  // http://www.projecthoneypot.org/board/read.php?f=10&i=1&t=1

  if (!$ip = _httpbl_reverse_ip($ip)) {
    return FALSE;
  }

  if (!$key && !$key = variable_get('httpbl_accesskey', NULL)) {
    return FALSE;
  }

  $query = $key .'.'. $ip .'.dnsbl.httpbl.org.';
  $response = gethostbyname($query);

  if ($response == $query) {
    // if the domain does not resolve then it will be the same thing we passed to gethostbyname
    return FALSE;
  }

  $values = array();
  $values['raw'] = $response;
  $response = explode('.', $response);

  if ($response[0] != '127') {
    // if the first octet is not 127, the response should be considered invalid
    watchdog('httpbl', 'Lookup failed for %ip, response was %response', array('%ip' => $ip, '%response' => $values['raw']), WATCHDOG_ERROR);
    return FALSE;
  }

  $values['last_activity'] = $response[1];
  $values['threat'] = $response[2];
  $values['type'] = $response[3];
  if ($response[3] == 0) {
    //if it's 0 then there's only one thing it can be
    $values['search_engine'] = TRUE;
  }

  if ($response[3] & 1) {
    //does it have the same bits as 1 set
    $values['suspicious'] = TRUE;
  }

  if ($response[3] & 2) {
    //does it have the same bits as 2 set
    $values['harvester'] = TRUE;
  }

  if ($response[3] & 4) {
    //does it have the same bits as 4 set
    $values['comment_spammer'] = TRUE;
  }

  return $values;
}

/**
 * Check if an IP is whitelisted through the access table or a session whitelist.
 */
function _httpbl_whitelisted($ip) {
  return (isset($_SESSION['httpbl_status']) && $_SESSION['httpbl_status'] == 'white') || (db_result(db_query_range("SELECT status FROM {access} WHERE type = 'host' AND LOWER('%s') LIKE LOWER(mask) ORDER BY status DESC", $ip, 0, 1)) == '1');
}

/**
 * Write status value into cache table
 */
function _httpbl_cache_set($ip, $status, $offset = 0) {
  db_query("DELETE FROM {httpbl} WHERE hostname = '%s'", $ip);
  db_query("INSERT INTO {httpbl} (hostname, status, expire) VALUES ('%s', %d, %d)", $ip, $status, time() + $offset);

  if ($status == HTTPBL_LIST_BLACK && variable_get('httpbl_cache', HTTPBL_CACHE_DBDRUPAL)) {
    db_query("INSERT INTO {access} (mask, type, status) VALUES ('%s', '%s', %d)", $ip, 'host', 0);
  }
}

/**
 * Update cache table
 */
function _httpbl_cache_update($ip, $status, $offset = 0) {
  db_query("UPDATE {httpbl} SET status = %d, expire = %d WHERE hostname = '%s'", $status, time() + $offset, $ip);
  
  // Note that IP addresses will not be deleted from the {access} table, but this is currently not needed.
  // TODO: check for duplicates
  //if ($status == HTTPBL_BLACKLIST && variable_get('httpbl_cache', HTTPBL_CACHE_DBDRUPAL)) {
  //  db_query("INSERT INTO {access} (mask, type, status) VALUES ('%s', '%s', %d)", $ip, 'host', 0);
  //}
}

/**
 * Get status value from cache table
 */
function _httpbl_cache_get($ip) {
  return db_result(db_query("SELECT status FROM {httpbl} WHERE hostname = '%s'", $ip));
}

/**
 * Generate a link with Project Honeypot information for a given IP address.
 */
function _httpbl_ipdata($ip, $anchor = TRUE) {
  if ($anchor) {
    return '<a href="http://www.projecthoneypot.org/search_ip.php?ip='. $ip .'">IP data</a>';
  }
  else {
    return 'http://www.projecthoneypot.org/search_ip.php?ip='. $ip;
  }
}

/**
 * Lightweight url function, since url() isn't available yet.
 */
function _httpbl_url($path = NULL) {
  global $base_url;
  $script = (strpos($_SERVER['SERVER_SOFTWARE'], 'Apache') === FALSE) ? 'index.php' : '';
  
  if (variable_get('clean_url', '0')) {
    return $base_url . $path;
  }
  else {
    return $base_url . $script .'?q='. $path;
  }
}