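#!/usr/bin/python2
# Check out if the line above reflects the python location on your server, edit if required
##################################################################################
# A Simple GuestBook Script written by Andrea Cabibbo                            #
#                                                                                #
# Feel free to use/modify/redistribute the code, however please preserve this    #
# header.                                                                        #
#                                                                                #
# If you find bugs or have suggestions, please contact the author at             #
# http://wwww.cellbiol.com                                                       #
##################################################################################
"""CGI guestbook: validate a form post, insert it into a static HTML page,
log it, and optionally notify the administrator by e-mail.

Notes on this revision:

- Every user-supplied field is HTML-escaped before it is written into the
  guestbook page.  The ``forbidden_strings`` list is a spam filter only; it
  is not, and never was, a complete defence against script injection.
- The guestbook page is rewritten under an exclusive lock (where ``fcntl``
  is available) so that two simultaneous posts cannot clobber each other.
- sendmail is started without a shell, and the ``do_sendmail`` switch is
  honoured (the original always sent mail).
- Missing form fields no longer crash the script with a traceback.

The code runs unchanged on Python 2.6+ and Python 3.
"""
from __future__ import print_function

## LET'S START BY SETTING SOME VARIABLES AND OPTIONS
# THESE VALUES SHOULD BE EDITED TO MATCH YOUR OWN IN ORDER FOR THE SCRIPT TO WORK!!!
##
# the following variables should be edited to match your own environment
gbook_name = 'The Name of Your Great Guestbook'
gbook_dir_abspath = '/home/youraccount/public_html/guestbook_dir/'  # absolute path of the directory containing your guestbook html file
gbook_filename = 'test.html'  # name of the html guestbook file
gbook_url = 'http://www.yourdomain.com/guestbook_dir/test.html'  # url of the html guestbook file
do_sendmail = '1'  # '1' to notify admin_email about every post, anything else to stay silent
sendmail_path = '/usr/sbin/sendmail'
admin_email = 'your_email@yourdomain.com'
gbook_email = 'gbook@yourdomain.com'  # address 'of the guestbook'

# the following is the html template for the posts. You can change this to fit the appearance of your web site.
# The variables are in the form #variable# and will be replaced by the actual values grabbed from the form
template = '<B>Name:</B> #name#<BR><B>E-Mail:</B> #email#<BR><B>Date Posted: </B>#date#<BR><B>Message: </B>#message#<HR width="20%" align=left><BR>'

# forbidden strings in message (matched case-insensitively, as regular expressions, against name, e-mail and message)
forbidden_strings = ['viagra', 'xanax', 'cialis', 'tamiflu', 'ambien', 'zolof', 'hgh', 'pharmacy', 'vicodin', 'fuck', 'suck', 'shit', '<script', '<h1', '<iframe', '<embed', '<object']
# IP addresses that will be blocked and not allowed to post on the guestbook
banned_ips = ['212.93.10.22', '33.20.55.32']
# end variables

# import cgitb; cgitb.enable()
import os
import re
import subprocess
import sys
import time

sys.path.insert(0, os.getcwd())

try:  # Python 3
    from html import escape as _html_escape
except ImportError:  # Python 2
    from cgi import escape as _html_escape

try:
    import fcntl  # POSIX only; used to serialise rewrites of the guestbook page
except ImportError:
    fcntl = None


def escape_html(text):
    """Return *text* with ``&``, ``<``, ``>`` and ``"`` replaced by HTML entities.

    Applied to every user-controlled value before it is embedded in HTML
    output, so that a post cannot inject markup into the guestbook page.
    """
    return _html_escape(text, True)


class guestbook:
    """Process one ``post`` against the configured guestbook.

    Constructing an instance performs the whole CGI response: it prints the
    HTTP header, then either inserts the post, reports validation errors, or
    silently logs a spam attempt.

    Args:
        post: a :class:`post` instance.
        book_id: identifier used to build ``self.log_file``.  Kept for
            compatibility; the log is still written to ``guestbook_log.txt``
            as in the original script.
    """

    def __init__(self, post, book_id=1):
        self.book_id = book_id
        self.admin_email = admin_email
        self.gbook_email = gbook_email
        self.gbook_url = gbook_url
        self.gbook_dir_abspath = gbook_dir_abspath
        self.gbook_filename = gbook_filename
        self.gbook_abspath = self.gbook_dir_abspath + self.gbook_filename
        self.do_sendmail = do_sendmail
        self.gbook_name = gbook_name
        self.sendmail_path = sendmail_path
        self.log_file = 'gbook_id_%s_log.txt' % self.book_id
        self.template = template
        self.post = post
        self.post_ip_addr = post.get_ip()
        self.post_check = post.check_post()
        self.check, self.errors = self.post_check
        self.postweb = post.format_web(self.template)
        self.postlog = post.format_log()
        print('content-type: text/html\n\n')
        self._respond()

    def _respond(self):
        """Act on the outcome of the post check and print the visitor's page."""
        # Both notification mails are built from configuration values only;
        # no user-supplied text reaches the mail headers.
        new_post_mssg = (
            'To:' + self.admin_email
            + '\nFrom:' + self.gbook_email
            + '\nSubject: New Post from: ' + self.gbook_name
            + '\nThere is a new post at:\n\n' + self.gbook_url
        )
        spam_attempt_mssg = (
            'To:' + self.admin_email
            + '\nFrom:' + self.gbook_email
            + '\nSubject: SPAM/SCRIPT POSTING ATTEMPT FAILED at ' + self.gbook_name
            + '\nSomedody tried to spam the following guestbook:\n\n' + self.gbook_url
        )
        if self.check == 'spam':
            # The poster is shown a success-looking page on purpose; only the
            # admin is told that nothing was published.
            print('<B>IP: </B>%s - <B>status: </B>logged<P>' % escape_html(self.post_ip_addr))
            print('Thank you for your message, go back to the <a href="%s">Guestbook</A>' % self.gbook_url)
            self.send_mail_pipe(spam_attempt_mssg)
            self.update_log()
        elif self.check == 'failed':
            print('<font color=red><B>While checking your post the following errors were encountered:</B></font><P>')
            for line in self.errors:  # fixed strings produced by post.check_post, not user text
                print(line + '<BR>')
        elif self.check == 'OK':
            self.update_guestbook()
            self.update_log()
            self.send_mail_pipe(new_post_mssg)
            print('Guestbook updated successfully, go back to the <a href="%s">Guestbook</A>' % self.gbook_url)

    def send_mail_pipe(self, mssg):
        """Hand *mssg* (headers followed by body) to sendmail on its stdin.

        Does nothing unless ``do_sendmail`` is ``'1'``.  Returns sendmail's
        exit status, or ``None`` if mail is disabled or sendmail could not be
        started (the failure is reported on stderr so the CGI error log sees
        it, but the visitor's page is still produced).
        """
        if str(self.do_sendmail) != '1':
            return None
        try:
            # No shell: the path and flag are passed as an argument list.
            proc = subprocess.Popen([self.sendmail_path, '-t'], stdin=subprocess.PIPE)
        except OSError as err:
            sys.stderr.write('guestbook: cannot run %s: %s\n' % (self.sendmail_path, err))
            return None
        data = mssg if isinstance(mssg, bytes) else mssg.encode('utf-8')
        proc.communicate(data)
        return proc.returncode

    def update_guestbook(self):
        """Insert the formatted post right after the first ``COMMENTS-START`` line.

        The page is read, modified and rewritten while holding an exclusive
        lock on it, so concurrent posts are applied one after the other
        instead of overwriting each other.  Returns ``'OK'``.
        """
        ins_tag = re.compile('COMMENTS-START')
        with open(self.gbook_abspath, 'r+') as page:
            if fcntl is not None:
                fcntl.flock(page.fileno(), fcntl.LOCK_EX)  # released on close
            new_lines = []
            inserted = False  # guard so the post is added exactly once
            for line in page.readlines():
                new_lines.append(line)
                if not inserted and ins_tag.search(line):
                    new_lines.append(self.postweb + '\n')
                    inserted = True
            page.seek(0)
            page.truncate()
            page.writelines(new_lines)
            page.flush()
        return 'OK'

    def update_log(self):
        """Append the post and the poster's IP address to ``guestbook_log.txt``.

        The entry is written with a single ``write`` so interleaving with a
        concurrent post is unlikely.  The log holds the raw, unescaped text of
        the post; treat it as plain text and do not render it as HTML.
        """
        # NOTE: the original script writes here rather than to self.log_file;
        # kept so existing deployments keep appending to the same file.
        entry = ''.join([
            '<ENTRY>\n',
            self.postlog,
            '\nposted from the following IP address: %s\n' % self.post_ip_addr,
            '</ENTRY>\n\n',
        ])
        with open('guestbook_log.txt', 'a') as log:
            log.write(entry)


class post:
    """One guestbook submission plus the checks and renderings applied to it.

    Args:
        name, email, message: the raw form fields, untrusted.
        ip_addr: the client address as reported by the web server.
    """

    MAX_MESSAGE = 3000
    MAX_EMAIL = 30
    MAX_NAME = 20
    _PLACEHOLDER = re.compile(r'#(name|email|message|date)#')
    _LINE_BREAK = re.compile(r'\r\n|\r|\n')

    def __init__(self, name, email, message, ip_addr):
        self.name = name
        self.email = email
        self.message = message
        self.fs = forbidden_strings
        self.ip_addr = ip_addr
        # Formatted local date and time of the post.
        self.date = time.asctime(time.localtime(time.time()))

    def get_ip(self):
        """Return the poster's IP address."""
        return self.ip_addr

    def check_post(self):
        """Validate the post.

        Returns:
            ``(check, errors)`` where *check* is ``'OK'``, ``'failed'`` (a
            length or empty-field problem, detailed in *errors*) or ``'spam'``
            (a forbidden string was found in any field).
        """
        errors = []
        check = 'OK'
        if len(self.message) > self.MAX_MESSAGE:
            errors.append('Message exceeds 3000 characters')
            check = 'failed'
        if len(self.email) > self.MAX_EMAIL:
            errors.append('E-mail address exceeds 30 characters')
            check = 'failed'
        if len(self.name) > self.MAX_NAME:
            errors.append('Name exceeds 20 characters')
            check = 'failed'
        if self.name == '':
            errors.append('Name field empty')
            check = 'failed'
        if self.message == '':
            errors.append('Message field empty')
            check = 'failed'
        # Spam/script filter.  The entries are treated as case-insensitive
        # regular expressions, as in the original, so existing configurations
        # keep working.  A hit overrides any 'failed' status.
        fields = (self.message, self.email, self.name)
        for exp in self.fs:
            pattern = re.compile(exp, re.I | re.S)
            if any(pattern.search(field) for field in fields):
                check = 'spam'
                errors.append('Problems with the message')
                break
        return (check, errors)

    def format_web(self, template):
        """Render this post into *template*.

        Every user field is HTML-escaped, line breaks in the message become
        ``<BR>`` (a ``\\r\\n`` pair yields a single ``<BR>``), and all
        ``#name#``/``#email#``/``#message#``/``#date#`` placeholders are
        replaced in one pass so a field containing a placeholder cannot be
        expanded a second time.
        """
        message = self._LINE_BREAK.sub('<BR>', escape_html(self.message))
        values = {
            'name': escape_html(self.name),
            'email': escape_html(self.email),
            'message': message,
            'date': self.date,  # produced by time.asctime, not user input
        }
        return self._PLACEHOLDER.sub(lambda m: values[m.group(1)], template)

    def format_log(self):
        """Return the plain-text log record for this post (fields unescaped)."""
        return (
            'Name: ' + self.name
            + '\nE-Mail: ' + self.email
            + '\nDate Posted: ' + self.date
            + '\nMessage: ' + self.message
            + '\nIP Address: ' + self.ip_addr
        )


def main():
    """CGI entry point: read the form, apply the IP ban list, process the post."""
    import cgi  # only needed when running as a CGI script
    form = cgi.FieldStorage()
    # getfirst() tolerates a missing or repeated field instead of raising.
    name = form.getfirst('name', '')
    email = form.getfirst('email', '')
    message = form.getfirst('message', '')
    ip_addr = os.environ.get('REMOTE_ADDR', '')
    if ip_addr in banned_ips:
        print('content-type: text/html\n\n')  # Preparing to give an output to the visitor and a link back to the guestbook
        print('%s was banned' % escape_html(ip_addr))
        return
    guestbook(post(name, email, message, ip_addr))


if __name__ == '__main__':
    main()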