From cb9b4db73d332cd7f82adf7aea406f013d626828 Mon Sep 17 00:00:00 2001
From: Bui
Date: Mon, 6 Oct 2014 19:35:37 +0900
Subject: [PATCH 1/2] do security checks *after* checking captcha

---
 post.php | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/post.php b/post.php
index 2763d4d3..223ddd45 100644
--- a/post.php
+++ b/post.php
@@ -187,20 +187,6 @@ if (isset($_POST['delete'])) {
 } else
 $post['op'] = true;
 
- if (!(($post['op'] && $_POST['post'] == $config['button_newtopic']) ||
- (!$post['op'] && $_POST['post'] == $config['button_reply'])))
- error($config['error']['bot']);
-
- // Check the referrer
- if ($config['referer_match'] !== false &&
- (!isset($_SERVER['HTTP_REFERER']) || !preg_match($config['referer_match'], rawurldecode($_SERVER['HTTP_REFERER']))))
- error($config['error']['referer']);
-
- checkDNSBL();
-
- // Check if banned
- checkBan($board['uri']);
-
 // Check for CAPTCHA right after opening the board so the "return" link is in there
 if ($config['recaptcha']) {
 if (!isset($_POST['recaptcha_challenge_field']) || !isset($_POST['recaptcha_response_field']))
@@ -214,7 +200,21 @@ if (isset($_POST['delete'])) {
 error($config['error']['captcha']);
 }
 }
+
+ if (!(($post['op'] && $_POST['post'] == $config['button_newtopic']) ||
+ (!$post['op'] && $_POST['post'] == $config['button_reply'])))
+ error($config['error']['bot']);
 
+ // Check the referrer
+ if ($config['referer_match'] !== false &&
+ (!isset($_SERVER['HTTP_REFERER']) || !preg_match($config['referer_match'], rawurldecode($_SERVER['HTTP_REFERER']))))
+ error($config['error']['referer']);
+
+ checkDNSBL();
+
+ // Check if banned
+ checkBan($board['uri']);
+
 if ($post['mod'] = isset($_POST['mod']) && $_POST['mod']) {
 require 'inc/mod/auth.php';
 if (!$mod) {
From c7351dff091583d79688b3ee74099f374a85efdb Mon Sep 17 00:00:00 2001
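Review bot: After this reordering, `checkBan($board['uri'])` and `checkDNSBL()` in the second hunk only run once the `$config['recaptcha']` block above them has accepted the submission, so a banned or DNSBL-listed client is no longer rejected until it has passed a CAPTCHA verification (presumably a round-trip to the reCAPTCHA service, outside this hunk). If that trade-off is intended it should be recorded on the new lines, e.g. `// Deliberately after the CAPTCHA: bot/referer/DNSBL/ban checks only run for submissions that solved it`, otherwise the next maintainer will move the cheap checks back to the front. While these lines are being touched, the bot check should compare strictly, `$_POST['post'] === $config['button_newtopic']` and `$_POST['post'] === $config['button_reply']`, to avoid PHP's loose numeric-string comparison on a submitted value. The first hunk of this file is the matching removal; the enclosing `if (isset($_POST['delete']))` branch starts and ends outside both hunks.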
From: wopot
Date: Mon, 6 Oct 2014 17:50:05 +0200
Subject: [PATCH 2/2] 4 times "elseif" is not the way and precalc. value sometimes help if well commentent

---
 inc/functions.php | 42 ++++++++++++++++++++++--------------------
 1 file changed, 22 insertions(+), 20 deletions(-)

diff --git a/inc/functions.php b/inc/functions.php
index 3802d19d..0454a129 100644
--- a/inc/functions.php
+++ b/inc/functions.php
@@ -679,36 +679,38 @@ function listBoards($just_uri = false) {
 
 function until($timestamp) {
 $difference = $timestamp - time();
- if ($difference < 60) {
+ switch(TRUE){
+ case ($difference < 60):
 return $difference . ' ' . ngettext('second', 'seconds', $difference);
- } elseif ($difference < 60*60) {
+ case ($difference < 3600): //60*60 = 3600
 return ($num = round($difference/(60))) . ' ' . ngettext('minute', 'minutes', $num);
- } elseif ($difference < 60*60*24) {
- return ($num = round($difference/(60*60))) . ' ' . ngettext('hour', 'hours', $num);
- } elseif ($difference < 60*60*24*7) {
- return ($num = round($difference/(60*60*24))) . ' ' . ngettext('day', 'days', $num);
- } elseif ($difference < 60*60*24*365) {
- return ($num = round($difference/(60*60*24*7))) . ' ' . ngettext('week', 'weeks', $num);
+ case ($difference < 86400): //60*60*24 = 86400
+ return ($num = round($difference/(3600))) . ' ' . ngettext('hour', 'hours', $num);
+ case ($difference < 604800): //60*60*24*7 = 604800
+ return ($num = round($difference/(86400))) . ' ' . ngettext('day', 'days', $num);
+ case ($difference < 31536000): //60*60*24*365 = 31536000
+ return ($num = round($difference/(604800))) . ' ' . ngettext('week', 'weeks', $num);
+ default:
+ return ($num = round($difference/(31536000))) . ' ' . ngettext('year', 'years', $num);
 }
-
- return ($num = round($difference/(60*60*24*365))) . ' ' . ngettext('year', 'years', $num);
 }
 
 function ago($timestamp) {
 $difference = time() - $timestamp;
- if ($difference < 60) {
+ switch(TRUE){
+ case ($difference < 60) :
 return $difference . ' ' . ngettext('second', 'seconds', $difference);
- } elseif ($difference < 60*60) {
+ case ($difference < 3600): //60*60 = 3600
 return ($num = round($difference/(60))) . ' ' . ngettext('minute', 'minutes', $num);
- } elseif ($difference < 60*60*24) {
- return ($num = round($difference/(60*60))) . ' ' . ngettext('hour', 'hours', $num);
- } elseif ($difference < 60*60*24*7) {
- return ($num = round($difference/(60*60*24))) . ' ' . ngettext('day', 'days', $num);
- } elseif ($difference < 60*60*24*365) {
- return ($num = round($difference/(60*60*24*7))) . ' ' . ngettext('week', 'weeks', $num);
+ case ($difference < 86400): //60*60*24 = 86400
+ return ($num = round($difference/(3600))) . ' ' . ngettext('hour', 'hours', $num);
+ case ($difference < 604800): //60*60*24*7 = 604800
+ return ($num = round($difference/(86400))) . ' ' . ngettext('day', 'days', $num);
+ case ($difference < 31536000): //60*60*24*365 = 31536000
+ return ($num = round($difference/(604800))) . ' ' . ngettext('week', 'weeks', $num);
+ default:
+ return ($num = round($difference/(31536000))) . ' ' . ngettext('year', 'years', $num);
 }
-
- return ($num = round($difference/(60*60*24*365))) . ' ' . ngettext('year', 'years', $num);
 }
 
 function displayBan($ban) {
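Review bot: The rewrite leaves until() and ago() with byte-identical `switch(TRUE)` bodies that differ only in how `$difference` is computed, so the five thresholds and divisors are still maintained in two places; move the switch into one helper taking the difference in seconds, say `formatDuration($difference)`, and reduce the two functions to `return formatDuration($timestamp - time());` and `return formatDuration(time() - $timestamp);`, keeping the `ngettext()` string literals inside that helper so gettext extraction still sees them. Lowercase `switch (true)` is the conventional spelling, and `case ($difference < 60) :` in ago() has a stray space before the colon that the same case in until() does not. Not introduced here but left untouched: a timestamp already in the past makes until() fall into the first case with a negative `$difference`, producing strings like "-5 seconds", which a `max(0, $difference)` at the top of the shared helper would close. The hunk covers both functions completely; `function displayBan($ban) {` at the end is only context.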