From 3dc8777c4ef9c7e06bebe567328eceb53332ae6b Mon Sep 17 00:00:00 2001
From: datorik
Date: Fri, 17 Apr 2026 09:51:57 +0300
Subject: [PATCH 1/5] New.Code.Add "all_headers" parameter
---
lib/CleantalkAntispam.php | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/lib/CleantalkAntispam.php b/lib/CleantalkAntispam.php
index c184567..82582bd 100644
--- a/lib/CleantalkAntispam.php
+++ b/lib/CleantalkAntispam.php
@@ -164,6 +164,38 @@ private function getCleanTalkResponse()
*
* @return string JSON encoded request data
*/
+ /**
+ * Get all HTTP headers from the current request
+ *
+ * @return string JSON encoded headers or empty string if not available
+ */
+ private function getAllHeaders()
+ {
+ // Try apache_request_headers() first
+ $ct_tmp = function_exists('apache_request_headers') ? apache_request_headers() : [];
+
+ // Fallback for Nginx or other servers - parse from $_SERVER
+ if (empty($ct_tmp)) {
+ $ct_tmp = [];
+ foreach ($_SERVER as $key => $value) {
+ if (strpos($key, 'HTTP_') === 0) {
+ $headerKey = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($key, 5)))));
+ $ct_tmp[$headerKey] = $value;
+ }
+ }
+ }
+
+ // Wiping session cookies from request
+ $cookie_name = isset($ct_tmp['Cookie']) ? 'Cookie'
+ : (isset($ct_tmp['cookie']) ? 'cookie' : 'COOKIE');
+
+ if (isset($ct_tmp[$cookie_name])) {
+ unset($ct_tmp[$cookie_name]);
+ }
+
+ return !empty($ct_tmp) ? json_encode($ct_tmp) : '';
+ }
+
private function prepareCleanTalkRequestData()
{
$data = array(
@@ -176,6 +208,7 @@ private function prepareCleanTalkRequestData()
'js_on' => !empty($this->event_token) ? 1 : 0,
'event_token' => $this->event_token,
'agent' => 'php-cleantalk-check',
+ 'all_headers' => $this->getAllHeaders(),
'sender_info' => @json_encode(
array(
'REFFERRER' => !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '',
From fee399dfb5396cc484c1ee5d468fc2a415eb4d5c Mon Sep 17 00:00:00 2001
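Review bot: The `$_SERVER` fallback only copies keys carrying the `HTTP_` prefix, so `Content-Type` and `Content-Length`, which CGI-style SAPIs expose as `CONTENT_TYPE`/`CONTENT_LENGTH` without that prefix, are silently dropped, whereas `apache_request_headers()` does return them; the two paths therefore produce different header sets for the same request and the `all_headers` value becomes server-dependent. Adding `if (isset($_SERVER['CONTENT_TYPE'])) { $ct_tmp['Content-Type'] = $_SERVER['CONTENT_TYPE']; }` (and the same for `Content-Length`) after the loop keeps the fallback aligned, and the same check applies to any helper that later replaces this loop if it also filters on the prefix. `apache_request_headers()` can return `false` rather than an array on older PHP when headers are unavailable; `empty()` absorbs that, but the comment above the fallback does not say so, and a short `// false (older PHP failure) or [] both trigger the fallback` would make it intentional.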
From: Glomberg
Date: Thu, 23 Apr 2026 11:21:44 +0300
Subject: [PATCH 2/5] Fix. Code. Code style fixed.
---
.gitignore | 1 +
lib/CleantalkAntispam.php | 64 +++++++++++++++++++--------------------
2 files changed, 33 insertions(+), 32 deletions(-)
diff --git a/.gitignore b/.gitignore
index 35b7bfe..c0ae10d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ composer.lock
.DS_Store
.DS_Store?
*.swp
+/tests/.phpunit.result.cache
diff --git a/lib/CleantalkAntispam.php b/lib/CleantalkAntispam.php
index 82582bd..587e518 100644
--- a/lib/CleantalkAntispam.php
+++ b/lib/CleantalkAntispam.php
@@ -159,43 +159,43 @@ private function getCleanTalkResponse()
return new CleantalkResponse(@json_decode($response_raw), null);
}
+ /**
+ * Get all HTTP headers from the current request
+ *
+ * @return string JSON encoded headers or empty string if not available
+ */
+ private function getAllHeaders()
+ {
+ // Try apache_request_headers() first
+ $ct_tmp = function_exists('apache_request_headers') ? apache_request_headers() : [];
+
+ // Fallback for Nginx or other servers - parse from $_SERVER
+ if (empty($ct_tmp)) {
+ $ct_tmp = [];
+ foreach ($_SERVER as $key => $value) {
+ if (strpos($key, 'HTTP_') === 0) {
+ $headerKey = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($key, 5)))));
+ $ct_tmp[$headerKey] = $value;
+ }
+ }
+ }
+
+ // Wiping session cookies from request
+ $cookie_name = isset($ct_tmp['Cookie']) ? 'Cookie'
+ : (isset($ct_tmp['cookie']) ? 'cookie' : 'COOKIE');
+
+ if (isset($ct_tmp[$cookie_name])) {
+ unset($ct_tmp[$cookie_name]);
+ }
+
+ return !empty($ct_tmp) ? json_encode($ct_tmp) : '';
+ }
+
/**
* Prepare the request data for the CleanTalk API.
*
* @return string JSON encoded request data
*/
- /**
- * Get all HTTP headers from the current request
- *
- * @return string JSON encoded headers or empty string if not available
- */
- private function getAllHeaders()
- {
- // Try apache_request_headers() first
- $ct_tmp = function_exists('apache_request_headers') ? apache_request_headers() : [];
-
- // Fallback for Nginx or other servers - parse from $_SERVER
- if (empty($ct_tmp)) {
- $ct_tmp = [];
- foreach ($_SERVER as $key => $value) {
- if (strpos($key, 'HTTP_') === 0) {
- $headerKey = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($key, 5)))));
- $ct_tmp[$headerKey] = $value;
- }
- }
- }
-
- // Wiping session cookies from request
- $cookie_name = isset($ct_tmp['Cookie']) ? 'Cookie'
- : (isset($ct_tmp['cookie']) ? 'cookie' : 'COOKIE');
-
- if (isset($ct_tmp[$cookie_name])) {
- unset($ct_tmp[$cookie_name]);
- }
-
- return !empty($ct_tmp) ? json_encode($ct_tmp) : '';
- }
-
private function prepareCleanTalkRequestData()
{
$data = array(
From d7c8362a9596e2f724524e4821dc7049e04968ba Mon Sep 17 00:00:00 2001
From: Glomberg
Date: Thu, 23 Apr 2026 12:05:47 +0300
Subject: [PATCH 3/5] Fix. All headers. Remove sensitive data from collected headers.
---
lib/CleantalkAntispam.php | 40 +++++++++++++++++++++++++++++++++------
1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/lib/CleantalkAntispam.php b/lib/CleantalkAntispam.php
index 587e518..9c3d9a8 100644
--- a/lib/CleantalkAntispam.php
+++ b/lib/CleantalkAntispam.php
@@ -180,12 +180,40 @@ private function getAllHeaders()
}
}
- // Wiping session cookies from request
- $cookie_name = isset($ct_tmp['Cookie']) ? 'Cookie'
- : (isset($ct_tmp['cookie']) ? 'cookie' : 'COOKIE');
-
- if (isset($ct_tmp[$cookie_name])) {
- unset($ct_tmp[$cookie_name]);
+ // Remove sensitive headers before sending them to the external service.
+ $sensitive_headers = array(
+ 'cookie',
+ 'set-cookie',
+ 'authorization',
+ 'proxy-authorization',
+ 'x-csrf-token',
+ 'x-xsrf-token',
+ 'x-api-key',
+ 'api-key',
+ 'x-auth-token',
+ 'x-access-token',
+ 'x-forwarded-client-cert',
+ );
+ $sensitive_patterns = array(
+ 'token',
+ 'secret',
+ 'signature',
+ 'api-key',
+ 'apikey',
+ 'auth',
+ );
+ foreach ($ct_tmp as $header_name => $_value) {
+ $normalized_header_name = strtolower($header_name);
+ if (in_array($normalized_header_name, $sensitive_headers, true)) {
+ unset($ct_tmp[$header_name]);
+ continue;
+ }
+ foreach ($sensitive_patterns as $pattern) {
+ if (strpos($normalized_header_name, $pattern) !== false) {
+ unset($ct_tmp[$header_name]);
+ break;
+ }
+ }
}
return !empty($ct_tmp) ? json_encode($ct_tmp) : '';
From 9cedf7a725752dae60ec8e8cc78813e33cc44b7f Mon Sep 17 00:00:00 2001
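Review bot: The exact-match list in `$sensitive_headers` is almost entirely subsumed by the substring patterns below it (every entry except `cookie`, `set-cookie` and `x-forwarded-client-cert` already contains `auth`, `token` or `api-key`), so two structures are maintained for the benefit of three names, while the pattern list still misses common credential carriers such as session-id, JWT and client-certificate headers. Folding both into one pattern list, e.g. `$sensitive_patterns = array('cookie', 'auth', 'token', 'secret', 'signature', 'api-key', 'apikey', 'session', 'jwt', 'cert', 'password');`, leaves one place to maintain and also covers `X-Session-Id`-style names; `set-cookie` is a response header and will not occur among request headers, so its entry is inert. A denylist stays incomplete by construction, so if the remote API only uses a known set of headers for classification, an allowlist of those names would be the safer default, but what the API consumes is not visible in this hunk. Unsetting inside the `foreach` is safe here because PHP iterates a copy of `$ct_tmp` when the array is not taken by reference.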
From: Glomberg
Date: Thu, 23 Apr 2026 13:50:51 +0300
Subject: [PATCH 4/5] Fix. All headers. Returning result fixed.
---
lib/CleantalkAntispam.php | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/lib/CleantalkAntispam.php b/lib/CleantalkAntispam.php
index 9c3d9a8..2e258f5 100644
--- a/lib/CleantalkAntispam.php
+++ b/lib/CleantalkAntispam.php
@@ -216,7 +216,17 @@ private function getAllHeaders()
}
}
- return !empty($ct_tmp) ? json_encode($ct_tmp) : '';
+ if ( empty($ct_tmp) ) {
+ return '';
+ }
+
+ $json = json_encode($ct_tmp);
+
+ if ( $json === false ) {
+ return '';
+ }
+
+ return $json;
}
/**
From e5b795830816d373178f9883fb4a0bd40054e672 Mon Sep 17 00:00:00 2001
From: Glomberg
Date: Thu, 23 Apr 2026 14:06:30 +0300
Subject: [PATCH 5/5] Fix. All headers. Getting headers fixed.
---
lib/CleantalkAntispam.php | 10 ++--------
lib/HTTP/Helper.php | 9 ++++-----
2 files changed, 6 insertions(+), 13 deletions(-)
diff --git a/lib/CleantalkAntispam.php b/lib/CleantalkAntispam.php
index 2e258f5..f9568e8 100644
--- a/lib/CleantalkAntispam.php
+++ b/lib/CleantalkAntispam.php
@@ -170,14 +170,8 @@ private function getAllHeaders()
$ct_tmp = function_exists('apache_request_headers') ? apache_request_headers() : [];
// Fallback for Nginx or other servers - parse from $_SERVER
- if (empty($ct_tmp)) {
- $ct_tmp = [];
- foreach ($_SERVER as $key => $value) {
- if (strpos($key, 'HTTP_') === 0) {
- $headerKey = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($key, 5)))));
- $ct_tmp[$headerKey] = $value;
- }
- }
+ if ( empty($ct_tmp) ) {
+ $ct_tmp = Helper::httpGetHeaders();
}
// Remove sensitive headers before sending them to the external service.
diff --git a/lib/HTTP/Helper.php b/lib/HTTP/Helper.php
index 9992acb..2974051 100644
--- a/lib/HTTP/Helper.php
+++ b/lib/HTTP/Helper.php
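Review bot: `json_encode($ct_tmp)` is called without flags, so a single header value that is not valid UTF-8 makes it return `false`, and the new `$json === false` branch then discards every header; one malformed, client-supplied byte in any header empties `all_headers` for the whole request. `$json = json_encode($ct_tmp, JSON_PARTIAL_OUTPUT_ON_ERROR);` keeps the remaining headers (the offending value becomes `null`), and `JSON_INVALID_UTF8_SUBSTITUTE` is the cleaner choice if the supported PHP floor is 7.2 or later, which this hunk does not tell since the file mixes `array(` and `[]`. As a style point, `if ( empty($ct_tmp) )` and `if ( $json === false )` pad the parentheses while the rest of getAllHeaders, whose body starts outside the hunk, writes `if (strpos(...))`.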
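Review bot: `Helper::httpGetHeaders()` is referenced unqualified and the file's `use` block is outside this hunk, so whether the name resolves depends on an import or shared namespace that cannot be confirmed here; because this branch only runs when `apache_request_headers()` is missing or returns nothing, a resolution error would stay latent under Apache and PHP-FPM and surface only on other SAPIs. A fully-qualified name, or a confirmed `use` line, removes the doubt. The result is fed straight into the `foreach` that follows (outside the hunk), so it is also worth confirming that `Helper::httpGetHeaders()` returns an array on every path, since `foreach` over a non-array only raises a warning.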
@@ -502,11 +502,10 @@ public static function httpGetHeaders()
continue;
}
- $key_parts[$part_index] = function_exists('mb_strtolower') ? mb_strtolower(
- $part
- ) : strtolower(
- $part
- );
+ $key_parts[$part_index] =
+ function_exists('mb_strtolower')
+ ? mb_strtolower($part)
+ : strtolower($part);
$key_parts[$part_index][0] = strtoupper($key_parts[$part_index][0]);
}
$server_key = implode('-', $key_parts);