Fix : Spam db public page

htdocs/admin/security_other.php

@@ -61,7 +61,7 @@ if (preg_match('/set_([a-z0-9_\-]+)/i', $action, $reg)) {
 		dol_print_error($db);
 	}
 } elseif ($action == 'updateform') {
-	$res1 = 1; $res2 = 1; $res3 = 1;
+	$res1 = 1; $res2 = 1; $res3 = 1; $res4 = 1;
 	if (GETPOSTISSET('MAIN_APPLICATION_TITLE')) {
 		$res1 = dolibarr_set_const($db, "MAIN_APPLICATION_TITLE", GETPOST("MAIN_APPLICATION_TITLE", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
 	}
@@ -71,7 +71,10 @@ if (preg_match('/set_([a-z0-9_\-]+)/i', $action, $reg)) {
 	if (GETPOSTISSET('MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT')) {
 		$res3 = dolibarr_set_const($db, "MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", GETPOST("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", 'alphanohtml'), 'int', 0, '', $conf->entity);
 	}
-	if ($res1 && $res2 && $res3) {
+	if (GETPOSTISSET('MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS')) {
+		$res4 = dolibarr_set_const($db, "MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", GETPOST("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 'alphanohtml'), 'int', 0, '', $conf->entity);
+	}
+	if ($res1 && $res2 && $res3 && $res4) {
 		setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs');
 	}
 }
@@ -185,6 +188,14 @@ print '<input class="flat right width50" name="MAIN_SECURITY_MAX_IMG_IN_HTML_CON
 print '</td>';
 print '</tr>';
 
+print '<tr class="oddeven">';
+print '<td>'.$langs->trans("MaxNumberOfPostOnPublicPagesByIP").'</td><td class="right">';
+print '</td>';
+print '<td class="nowrap">';
+print '<input class="flat right width50" name="MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS" type="text" value="'.getDolGlobalInt("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 1000).'"> '.strtolower($langs->trans("Posts"));
+print '</td>';
+print '</tr>';
+
 /*
 if (empty($conf->global->MAIN_APPLICATION_TITLE)) {
 	$conf->global->MAIN_APPLICATION_TITLE = "";

htdocs/langs/en_US/admin.lang

@@ -2288,5 +2288,7 @@ NoName=No name
 ShowAdvancedOptions= Show advanced options
 HideAdvancedoptions= Hide advanced options
 Images=Images
+Posts=Posts
 MaxNumberOfImagesInGetPost=Max number of images allowed in GETPOST check
+MaxNumberOfPostOnPublicPagesByIP=Max number of posts on public pages with an IP Address
 CIDLookupURL=The module brings an URL that can be used by an external tool to get the name of a thirdparty or contact from its phone number. URL to use is: 

htdocs/public/ticket/create_ticket.php

@@ -138,6 +138,7 @@ if (empty($reshook) && GETPOST('removedfile', 'alpha') && !GETPOST('save', 'alph
 
 if (empty($reshook) && $action == 'create_ticket' && GETPOST('save', 'alpha')) {
 	$error = 0;
+	$nb_post_ip = 0;
 	$origin_email = GETPOST('email', 'alpha');
 	if (empty($origin_email)) {
 		$error++;
@@ -231,6 +232,21 @@ if (empty($reshook) && $action == 'create_ticket' && GETPOST('save', 'alpha')) {
 		$object->type_code = GETPOST("type_code", 'aZ09');
 		$object->category_code = GETPOST("category_code", 'aZ09');
 		$object->severity_code = GETPOST("severity_code", 'aZ09');
+		$object->ip = (empty($_SERVER['REMOTE_ADDR']) ? 'unknown' : $_SERVER['REMOTE_ADDR']);
+
+		$sql = "SELECT COUNT(ref) as nb_tickets";
+		$sql .= " FROM ".MAIN_DB_PREFIX."ticket";
+		$sql .= " WHERE ip = '".$db->escape($object->ip)."'";
+		$resql = $db->query($sql);
+		if ($resql) {
+			$num = $db->num_rows($resql);
+			$i = 0;
+			while ($i < $num) {
+				$i++;
+				$obj = $db->fetch_object($resql);
+				$nb_post_ip = $obj->nb_tickets;
+			}
+		}
 
 		if (!is_object($user)) {
 			$user = new User($db);
@@ -289,14 +305,23 @@ if (empty($reshook) && $action == 'create_ticket' && GETPOST('save', 'alpha')) {
 
 		$object->context['disableticketemail'] = 1; // Disable emails sent by ticket trigger when creation is done from this page, emails are already sent later
 
-		$id = $object->create($user);
-		if ($id <= 0) {
+		if ($nb_post_ip >= getDolGlobalInt("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 1000)) {
 			$error++;
-			$errors = ($object->error ? array($object->error) : $object->errors);
-			array_push($object->errors, $object->error ? array($object->error) : $object->errors);
+			$errors = array($langs->trans("AlreadyTooMuchPostOnThisIPAdress"));
+			array_push($object->errors, array($langs->trans("AlreadyTooMuchPostOnThisIPAdress")));
 			$action = 'create_ticket';
 		}
 
+		if (!$error) {
+			$id = $object->create($user);
+			if ($id <= 0) {
+				$error++;
+				$errors = ($object->error ? array($object->error) : $object->errors);
+				array_push($object->errors, $object->error ? array($object->error) : $object->errors);
+				$action = 'create_ticket';
+			}
+		}
+
 		if (!$error && $id > 0) {
 			if ($usertoassign > 0) {
 				$object->add_contact($usertoassign, "SUPPORTCLI", 'external', 0);

htdocs/ticket/class/ticket.class.php

@@ -459,7 +459,8 @@ class Ticket extends CommonObject
 			$sql .= "date_read,";
 			$sql .= "date_close,";
 			$sql .= "entity,";
-			$sql .= "notify_tiers_at_create";
+			$sql .= "notify_tiers_at_create,";
+			$sql .= "ip";
 			$sql .= ") VALUES (";
 			$sql .= " ".(!isset($this->ref) ? '' : "'".$this->db->escape($this->ref)."'").",";
 			$sql .= " ".(!isset($this->track_id) ? 'NULL' : "'".$this->db->escape($this->track_id)."'").",";
@@ -484,6 +485,7 @@ class Ticket extends CommonObject
 			$sql .= " ".(!isset($this->date_close) || dol_strlen($this->date_close) == 0 ? 'NULL' : "'".$this->db->idate($this->date_close)."'")."";
 			$sql .= ", ".((int) $conf->entity);
 			$sql .= ", ".(!isset($this->notify_tiers_at_create) ? '1' : "'".$this->db->escape($this->notify_tiers_at_create)."'");
+			$sql .= ", ".(!isset($this->ip) ? 'unknown' : "'".$this->db->escape($this->ip)."'");
 			$sql .= ")";
 
 			$this->db->begin();