From 7b2a8e9212564c343fc4db9a8b95f1d755ca38b6 Mon Sep 17 00:00:00 2001
From: Thierry Parmentelat
Date: Tue, 19 Jul 2022 16:48:53 +0200
Subject: [PATCH] make the site registration page more picky, and refuse numeric-only inputs

---
 planetlab/sites/register.php | 1 +
 planetlab/sites/site_form.php | 28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/planetlab/sites/register.php b/planetlab/sites/register.php
index ef332bd..f9ed091 100644
--- a/planetlab/sites/register.php
+++ b/planetlab/sites/register.php
@@ -41,6 +41,7 @@ function non_empty_address ($address) {
 if (! $empty_form ) {
 // Look for missing/blank entries
 $error = form_check_required ($site_form, $input);
+ $error .= form_check_non_numeric($site_form, $input);
 $messages= array();
 $verboses= array();
diff --git a/planetlab/sites/site_form.php b/planetlab/sites/site_form.php
index 939ba58..18afdd4 100644
--- a/planetlab/sites/site_form.php
+++ b/planetlab/sites/site_form.php
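Review bot: Appending the new check's result to `$error` only helps if a non-empty `$error` actually blocks the registration, and that rejection logic is outside this hunk, so confirm that form_check_non_numeric returns a non-empty string on the attack input and that the string is acted on before any site record is created. Matching purely numeric values is a weak heuristic against automated registrations: a bot that fills every field with '1a' instead of '1' passes this line unchanged, so treat it as a stop-gap and pair it with per-client rate limiting, a honeypot field or a CAPTCHA on this form. The enclosing `if (! $empty_form )` block starts and ends outside the hunk.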
@@ -202,6 +202,34 @@ function form_check_required ($form, $input) {
 return $error;
 }
+// 2022 may 07
+// some additional checks to stay clear of some robots triggering
+// site registration storms
+// would detect an error if any of the folowing fields are
+// only numbers (the attack typically fills everything with '1')
+// besides, need to dig a bit because
+// the site registration that we get can't be Deleted
+// because some fields are missing (PI Phone and Tech Phone for example)
+function form_check_non_numeric($form, $input) {
+ $to_check = ["name", "login_base", "abbreviated_name", "url"];
+ $only_numeric = array();
+// var_dump($form);
+ foreach ($form as $fullname => $item) {
+ list($objname, $field) = explode(":", $fullname);
+ if (in_array($field, $to_check) && is_numeric($input[$objname][$field])) {
+ $only_numeric[] = $item['title'];
+ }
+ }
+ if (empty($only_numeric))
+ return "";
+ $error = "";
+ return $error;
+}
+
 // displays the actual form, with values from $input
 // if $outline_missing is set, missing required fields are outlined
 // fields typed as 'password' are displayed differently
-- 
2.43.0
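Review bot: As shown here, form_check_non_numeric never rejects anything: after collecting `$only_numeric` it sets `$error = ""` and returns it, so the caller in register.php receives an empty string whether the check passed or failed. The hunk header announces 28 added lines while fewer are visible, so the lines that build the message (plausibly containing HTML markup) may have been dropped in rendering; if they are genuinely absent, the non-empty branch should return something like `return "The following fields cannot be purely numeric: " . implode(", ", $only_numeric);` in whatever format form_check_required uses for its own messages. Two smaller points in the loop: `list($objname, $field) = explode(":", $fullname)` and `$input[$objname][$field]` both emit notices when a key has no colon or the field is missing from the submission, so guard with `isset($input[$objname][$field])` before calling `is_numeric`, and pass `true` as the third argument of `in_array` so `$field` is compared strictly. Note also that PHP's `is_numeric` accepts signs, decimals, exponents and leading whitespace (`"1e3"`, `" 1"`), which is broader than "only digits" yet still bypassed by any single non-numeric character, so the comment should describe this as a speed bump rather than a control; the commented-out `// var_dump($form);` should be removed before merging.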