From 8efb82ca436da465ed778170aac7854e56cf96f9 Mon Sep 17 00:00:00 2001 From: Vladimir Bryzgalov Date: Sat, 18 Apr 2026 00:22:39 +0500 Subject: [PATCH] fix: phone leak, field-by-value detection, strict Flamingo email fallback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Three pilot-surfaced issues in one pass: 1. PhoneParser regex used '\s' in the candidate character class, so a digit on a following flattened line bled into the phone. '+7977 6277470\n1' (phone + trailing checkbox value) parsed as 12 digits, producing '+797762774701'. Replaced '\s' with a literal space so newlines/tabs stop the candidate. 2. Custom-themed forms don't use 'your-name' / 'your-email' keys (washanyanya.ru has text-211 / text-212 / name_user). Added FieldDetector::find_name + find_email as fallbacks. Classifier and MessageFormatter now call them if no standard key matches, so 'Александр' in text-211 is recognised as a cyrillic name and scored / displayed accordingly. 3. FlamingoHelper copied '_from_email' into 'your-email' without validating it. Flamingo derives that meta from whatever field it considers "first"; on phone-first forms it ends up holding the phone number. Now we only copy _from_email if it contains '@', and dropped the _from_name shortcut entirely — FieldDetector handles the name via the actual field values. Tests: +1 FieldDetectorTest (13 cases); +2 PhoneParserTest cases for newline/tab bleeds; +1 ClassifierTest case; +1 MessageFormatterTest case for custom field keys. Full suite 53/53 green. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../plans/2026-04-17-cf7-spam-to-telegram.md | 26 +++- .../2026-04-17-cf7-spam-to-telegram-design.md | 10 +- includes/class-classifier.php | 2 + includes/class-field-detector.php | 56 +++++++++ includes/class-flamingo-helper.php | 15 ++- includes/class-message-formatter.php | 2 + includes/class-phone-parser.php | 7 +- tests/ClassifierTest.php | 17 +++ tests/FieldDetectorTest.php | 116 ++++++++++++++++++ tests/MessageFormatterTest.php | 27 ++++ tests/PhoneParserTest.php | 18 +++ 11 files changed, 283 insertions(+), 13 deletions(-) create mode 100644 includes/class-field-detector.php create mode 100644 tests/FieldDetectorTest.php diff --git a/docs/superpowers/plans/2026-04-17-cf7-spam-to-telegram.md b/docs/superpowers/plans/2026-04-17-cf7-spam-to-telegram.md index d733ee9..5423c3f 100644 --- a/docs/superpowers/plans/2026-04-17-cf7-spam-to-telegram.md +++ b/docs/superpowers/plans/2026-04-17-cf7-spam-to-telegram.md @@ -446,7 +446,12 @@ final class PhoneParser // Find a run of digits, spaces, dashes, parens, dots and a leading '+', // with at least 10 digits in total. Walk candidates left-to-right and // pick the first that yields 10 or 11 digits. - if (!preg_match_all('/\+?[\d][\d\s().\-]{8,}/u', $text, $m)) { + // NOTE: the space class is a literal ' ' — not '\s'. If '\s' is used + // a newline or tab between two adjacent form fields (phone value, + // then checkbox value) would bleed into the phone and append extra + // digits. MessageFormatter/Classifier flatten fields with "\n" before + // calling us, so this matters in practice. + if (!preg_match_all('/\+?[\d][\d ().\-]{8,}/u', $text, $m)) { return null; } @@ -755,7 +760,9 @@ final class Classifier $text_all = self::concat_fields($fields); $name = self::pick_field($fields, ['your-name', 'name', 'имя', 'fio']); + if ($name === '') $name = FieldDetector::find_name($fields); $email = self::pick_field($fields, ['your-email', 'email', 'e-mail', 'mail']); + if ($email === '') $email = FieldDetector::find_email($fields); $message = self::pick_field($fields, ['your-message', 'message', 'comment', 'сообщение', 'вопрос']); $score = 0; @@ -1142,7 +1149,9 @@ final class MessageFormatter $phone = PhoneParser::parse(self::flatten_fields_for_phone($fields)); $name = self::pick($fields, ['your-name', 'name', 'имя', 'fio']); + if ($name === '') $name = FieldDetector::find_name($fields); $email = self::pick($fields, ['your-email', 'email', 'e-mail', 'mail']); + if ($email === '') $email = FieldDetector::find_email($fields); $message = self::pick($fields, ['your-message', 'message', 'comment', 'сообщение', 'вопрос']); $lines = []; @@ -1941,12 +1950,17 @@ final class FlamingoHelper $out[$name] = $val; } } - // Convenience: expose Akismet's "from" name / email so the formatter's - // standard slots aren't empty for most submissions. - $from_name = (string)get_post_meta($post->ID, '_from_name', true); + // Flamingo's "_from_name" and "_from_email" are derived heuristically + // from whatever field the plugin considers the "first" — on custom + // forms without dedicated email / name fields this produces garbage + // (e.g. phone number under _from_email). Only trust _from_email if + // it actually looks like an email; _from_name is not trustworthy at + // all, so leave it to FieldDetector (run by Classifier / Message- + // Formatter) to identify a name from any field value. $from_email = (string)get_post_meta($post->ID, '_from_email', true); - if ($from_name !== '' && !isset($out['your-name'])) $out['your-name'] = $from_name; - if ($from_email !== '' && !isset($out['your-email'])) $out['your-email'] = $from_email; + if ($from_email !== '' && strpos($from_email, '@') !== false && !isset($out['your-email'])) { + $out['your-email'] = $from_email; + } return $out; } diff --git a/docs/superpowers/specs/2026-04-17-cf7-spam-to-telegram-design.md b/docs/superpowers/specs/2026-04-17-cf7-spam-to-telegram-design.md index 1d0f814..9475fc8 100644 --- a/docs/superpowers/specs/2026-04-17-cf7-spam-to-telegram-design.md +++ b/docs/superpowers/specs/2026-04-17-cf7-spam-to-telegram-design.md @@ -63,7 +63,8 @@ cf7-spam-to-telegram/ │ ├── class-classifier.php # Эвристика, score → label, reasons │ ├── class-phone-parser.php # Нормализация RU-телефонов │ ├── class-domain-formatter.php # Punycode → кириллица (idn_to_utf8) -│ ├── class-message-formatter.php # Сборка HTML-сообщения, inline-клавиатура +│ ├── class-field-detector.php # Fallback поиск имени/email когда ключи формы нестандартны +│ ├── class-message-formatter.php # Сборка HTML-сообщения │ ├── class-retro-importer.php # Ретро-выгрузка из Flamingo │ ├── class-flamingo-helper.php # Извлечение полей и reason из Flamingo │ └── sources/ @@ -221,6 +222,13 @@ apply_filters('cf7stg_classifier_keywords', $default_keywords); apply_filters('cf7stg_classifier_thresholds', ['client' => 3, 'spam' => -2]); ``` +**Поиск полей формы.** Сначала пробуются известные CF7-ключи — `your-name`, `name`, `имя`, `fio` для имени; `your-email`, `email`, `e-mail`, `mail` для e-mail; `your-message`, `message`, `comment`, `сообщение`, `вопрос` для текста. Если ничего не нашлось (например, на сайте форма с кастомными именами полей `text-211`, `name_user` и т.п.), подключается `FieldDetector`: + +- `find_name(fields)` — первое значение без цифр/URL/@, длиной 2..80, состоящее только из letter-characters (любой скрипт), пробелов, дефисов и апострофов. +- `find_email(fields)` — первое значение, матчащее `^\S+@\S+\.\S+$`. + +Телефон всегда ищется `PhoneParser::parse()` по конкатенации всех полей — имена ключей не важны. + ## 9. MessageFormatter — формат сообщения в Telegram - **parse_mode:** `HTML` (строже и предсказуемее, чем MarkdownV2). diff --git a/includes/class-classifier.php b/includes/class-classifier.php index 31f588f..a6f7986 100644 --- a/includes/class-classifier.php +++ b/includes/class-classifier.php @@ -59,7 +59,9 @@ final class Classifier $text_all = self::concat_fields($fields); $name = self::pick_field($fields, ['your-name', 'name', 'имя', 'fio']); + if ($name === '') $name = FieldDetector::find_name($fields); $email = self::pick_field($fields, ['your-email', 'email', 'e-mail', 'mail']); + if ($email === '') $email = FieldDetector::find_email($fields); $message = self::pick_field($fields, ['your-message', 'message', 'comment', 'сообщение', 'вопрос']); $score = 0; diff --git a/includes/class-field-detector.php b/includes/class-field-detector.php new file mode 100644 index 0000000..2e56fc8 --- /dev/null +++ b/includes/class-field-detector.php @@ -0,0 +1,56 @@ + 80) continue; + if (preg_match('/\d/u', $v)) continue; + if (preg_match('#https?://|www\.|@#iu', $v)) continue; + // Must start with a letter and contain only letter-like characters + if (preg_match('/^\p{L}[\p{L}\s\.\-\']{1,79}$/u', $v)) { + return $v; + } + } + return ''; + } + + /** + * First value that looks like an email address. + */ + public static function find_email(array $fields): string + { + foreach ($fields as $v) { + if (is_array($v)) { + $v = implode(' ', array_map('strval', $v)); + } + $v = trim((string)$v); + if ($v === '') continue; + if (preg_match('/^\S+@\S+\.\S+$/u', $v)) { + return $v; + } + } + return ''; + } +} diff --git a/includes/class-flamingo-helper.php b/includes/class-flamingo-helper.php index 6a2b76b..2bac80a 100644 --- a/includes/class-flamingo-helper.php +++ b/includes/class-flamingo-helper.php @@ -56,12 +56,17 @@ final class FlamingoHelper $out[$name] = $val; } } - // Convenience: expose Akismet's "from" name / email so the formatter's - // standard slots aren't empty for most submissions. - $from_name = (string)get_post_meta($post->ID, '_from_name', true); + // Flamingo's "_from_name" and "_from_email" are derived heuristically + // from whatever field the plugin considers the "first" — on custom + // forms without dedicated email / name fields this produces garbage + // (e.g. phone number under _from_email). Only trust _from_email if + // it actually looks like an email; _from_name is not trustworthy at + // all, so leave it to FieldDetector (run by Classifier / Message- + // Formatter) to identify a name from any field value. $from_email = (string)get_post_meta($post->ID, '_from_email', true); - if ($from_name !== '' && !isset($out['your-name'])) $out['your-name'] = $from_name; - if ($from_email !== '' && !isset($out['your-email'])) $out['your-email'] = $from_email; + if ($from_email !== '' && strpos($from_email, '@') !== false && !isset($out['your-email'])) { + $out['your-email'] = $from_email; + } return $out; } diff --git a/includes/class-message-formatter.php b/includes/class-message-formatter.php index 27c24e9..17bf409 100644 --- a/includes/class-message-formatter.php +++ b/includes/class-message-formatter.php @@ -35,7 +35,9 @@ final class MessageFormatter $phone = PhoneParser::parse(self::flatten_fields_for_phone($fields)); $name = self::pick($fields, ['your-name', 'name', 'имя', 'fio']); + if ($name === '') $name = FieldDetector::find_name($fields); $email = self::pick($fields, ['your-email', 'email', 'e-mail', 'mail']); + if ($email === '') $email = FieldDetector::find_email($fields); $message = self::pick($fields, ['your-message', 'message', 'comment', 'сообщение', 'вопрос']); $lines = []; diff --git a/includes/class-phone-parser.php b/includes/class-phone-parser.php index e5b7dc9..de4f3dc 100644 --- a/includes/class-phone-parser.php +++ b/includes/class-phone-parser.php @@ -20,7 +20,12 @@ final class PhoneParser // Find a run of digits, spaces, dashes, parens, dots and a leading '+', // with at least 10 digits in total. Walk candidates left-to-right and // pick the first that yields 10 or 11 digits. - if (!preg_match_all('/\+?[\d][\d\s().\-]{8,}/u', $text, $m)) { + // NOTE: the space class is a literal ' ' — not '\s'. If '\s' is used + // a newline or tab between two adjacent form fields (phone value, + // then checkbox value) would bleed into the phone and append extra + // digits. MessageFormatter/Classifier flatten fields with "\n" before + // calling us, so this matters in practice. + if (!preg_match_all('/\+?[\d][\d ().\-]{8,}/u', $text, $m)) { return null; } diff --git a/tests/ClassifierTest.php b/tests/ClassifierTest.php index c5d383a..17ac355 100644 --- a/tests/ClassifierTest.php +++ b/tests/ClassifierTest.php @@ -154,4 +154,21 @@ final class ClassifierTest extends TestCase } self::assertTrue($matched); } + + public function test_detects_cyrillic_name_under_custom_field_key(): void + { + // Real form on washanyanya.ru uses keys like 'text-211' / 'text-212' + // instead of 'your-name' / 'your-tel'. Classifier must still award + // +1 for a cyrillic name via the value-based heuristic. + $fields = [ + 'text-211' => 'Александр', + 'text-212' => '+79776277470', + ]; + $r = Classifier::classify($fields, ['reason' => 'Akismet']); + $has_name = false; + foreach ($r['reasons'] as $reason) { + if (strpos($reason['text'], 'кириллическое имя') !== false) $has_name = true; + } + self::assertTrue($has_name, 'expected +1 кириллическое имя via value heuristic'); + } } diff --git a/tests/FieldDetectorTest.php b/tests/FieldDetectorTest.php new file mode 100644 index 0000000..0ff1222 --- /dev/null +++ b/tests/FieldDetectorTest.php @@ -0,0 +1,116 @@ + 'Александр', + 'text-212' => '+79776277470', + ]); + self::assertSame('Александр', $r); + } + + public function test_finds_multiword_cyrillic_name(): void + { + $r = FieldDetector::find_name(['x' => 'Анна Петровна']); + self::assertSame('Анна Петровна', $r); + } + + public function test_finds_latin_name(): void + { + $r = FieldDetector::find_name(['x' => 'John Smith']); + self::assertSame('John Smith', $r); + } + + public function test_skips_values_with_digits(): void + { + $r = FieldDetector::find_name([ + 'a' => '+79776277470', + 'b' => 'Ольга', + ]); + self::assertSame('Ольга', $r); + } + + public function test_skips_urls(): void + { + $r = FieldDetector::find_name([ + 'a' => 'https://evil.com', + 'b' => 'Павел', + ]); + self::assertSame('Павел', $r); + } + + public function test_skips_emails(): void + { + $r = FieldDetector::find_name([ + 'a' => 'anna@mail.ru', + 'b' => 'Анна', + ]); + self::assertSame('Анна', $r); + } + + public function test_skips_too_short(): void + { + $r = FieldDetector::find_name([ + 'a' => 'X', + 'b' => 'Дарья', + ]); + self::assertSame('Дарья', $r); + } + + public function test_skips_too_long(): void + { + $r = FieldDetector::find_name([ + 'a' => str_repeat('а', 200), + 'b' => 'Лена', + ]); + self::assertSame('Лена', $r); + } + + public function test_no_name_returns_empty(): void + { + $r = FieldDetector::find_name([ + 'a' => '+79031234567', + 'b' => '1', + 'c' => 'http://x.y', + ]); + self::assertSame('', $r); + } + + public function test_finds_email(): void + { + $r = FieldDetector::find_email(['x-1' => 'user@example.com']); + self::assertSame('user@example.com', $r); + } + + public function test_no_email_returns_empty_when_only_phone(): void + { + $r = FieldDetector::find_email([ + 'x' => 'Иван', + 'y' => '+79031234567', + ]); + self::assertSame('', $r); + } + + public function test_email_is_trimmed(): void + { + $r = FieldDetector::find_email(['x' => ' anna@mail.ru ']); + self::assertSame('anna@mail.ru', $r); + } + + public function test_first_email_wins_when_multiple(): void + { + $r = FieldDetector::find_email([ + 'a' => 'first@a.ru', + 'b' => 'second@b.ru', + ]); + self::assertSame('first@a.ru', $r); + } +} diff --git a/tests/MessageFormatterTest.php b/tests/MessageFormatterTest.php index 11ac568..4c284c2 100644 --- a/tests/MessageFormatterTest.php +++ b/tests/MessageFormatterTest.php @@ -151,4 +151,31 @@ final class MessageFormatterTest extends TestCase self::assertStringContainsString('🟡 неясно', $r['text']); } + + public function test_custom_form_field_keys_are_detected(): void + { + // washanyanya.ru-style form — fields are named text-NNN, name_user, + // etc. We must still pull out name + phone via value heuristics. + $fields = [ + 'text-211' => 'Александр', + 'text-212' => '+79776277470', + 'checkbox-382' => '1', + ]; + $classification = Classifier::classify($fields, ['reason' => 'Akismet']); + $r = MessageFormatter::build([ + 'fields' => $fields, 'classification' => $classification, + 'site_title' => 's.ru', 'form_title' => 'f', + 'submitted_at' => '18.04.2026', 'reason' => 'Akismet', + 'ip' => '', 'user_agent' => '', 'is_retro' => false, + ]); + + // Name resolves to 'Александр' via FieldDetector + self::assertStringContainsString('Александр', $r['text']); + // Phone correctly parsed (11 digits, no trailing checkbox '1') + self::assertStringContainsString('+7 (977) 627-74-70', $r['text']); + // Email stays empty (no @-like value) + self::assertStringContainsString("📧 (не указан)", $r['text']); + // The checkbox value should still appear in 'Прочие поля' + self::assertStringContainsString('checkbox-382: 1', $r['text']); + } } diff --git a/tests/PhoneParserTest.php b/tests/PhoneParserTest.php index 010553e..1cea073 100644 --- a/tests/PhoneParserTest.php +++ b/tests/PhoneParserTest.php @@ -72,4 +72,22 @@ final class PhoneParserTest extends TestCase self::assertSame('+74951234567', $r['e164']); self::assertTrue($r['is_russian']); } + + public function test_digits_on_next_line_do_not_leak_into_number(): void + { + // Pilot bug: CF7 spam flatten joined values with "\n"; '\s' in the + // candidate regex matched newlines, so '+79776277470\n1' (phone then + // a checkbox value on the next line) turned into a 12-digit number + // ending in 1. + $r = PhoneParser::parse("+79776277470\n1"); + self::assertSame('+79776277470', $r['e164']); + self::assertTrue($r['is_russian']); + } + + public function test_tab_between_fields_does_not_leak(): void + { + // Same family as above but with tabs. + $r = PhoneParser::parse("89031234567\t1"); + self::assertSame('+79031234567', $r['e164']); + } }