├── .github
└── workflows
│ └── main.yaml
├── CHANGELOG.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── composer.json
├── phpcs.xml
├── phpunit.xml
└── src
└── ReferrerSpam.php
/.github/workflows/main.yaml:
--------------------------------------------------------------------------------
1 | name: "testing"
2 |
3 | on:
4 | push:
5 | branches: [ master ]
6 | pull_request:
7 | branches: [ master ]
8 |
9 | jobs:
10 | qa:
11 | name: Quality assurance
12 | runs-on: ubuntu-latest
13 |
14 | steps:
15 | - name: Checkout
16 | uses: actions/checkout@v4
17 |
18 | - name: Validate composer.json and composer.lock
19 | run: composer validate
20 |
21 | - name: Cache Composer packages
22 | id: composer-cache
23 | uses: actions/cache@v4
24 | with:
25 | path: vendor
26 | key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
27 | restore-keys: |
28 | ${{ runner.os }}-php-
29 |
30 | - name: Install dependencies
31 | if: steps.composer-cache.outputs.cache-hit != 'true'
32 | run: composer install --prefer-dist --no-progress
33 |
34 | - name: Coding Standard
35 | run: composer run-script cs
36 |
37 | tests:
38 | name: Tests
39 | runs-on: ubuntu-latest
40 |
41 | strategy:
42 | matrix:
43 | php:
44 | - 7.2
45 | - 7.3
46 | - 7.4
47 | - 8.0
48 | - 8.1
49 | - 8.2
50 | - 8.3
51 | - 8.4
52 |
53 | steps:
54 | - name: Checkout
55 | uses: actions/checkout@v4
56 |
57 | - name: Install PHP
58 | uses: shivammathur/setup-php@v2
59 | with:
60 | php-version: ${{ matrix.php }}
61 |
62 | - name: Cache PHP dependencies
63 | uses: actions/cache@v4
64 | with:
65 | path: vendor
66 | key: ${{ runner.os }}-php-${{ matrix.php }}-composer-${{ hashFiles('**/composer.json') }}
67 | restore-keys: ${{ runner.os }}-php-${{ matrix.php }}-composer-
68 |
69 | - name: Install dependencies
70 | run: composer install --prefer-dist --no-progress
71 |
72 | - name: Tests
73 | run: composer test
74 |
--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
1 | # Change Log
2 | All notable changes to this project will be documented in this file.
3 |
4 | The format is based on [Keep a Changelog](http://keepachangelog.com/)
5 | and this project adheres to [Semantic Versioning](http://semver.org/).
6 |
7 | ## [2.1.0] - 2025-03-21
8 | ### Added
9 | - Better typing.
10 |
11 | ## [2.0.4] - 2025-03-08
12 | ### Fixed
13 | - Updated dependencies and allow middlewares/utils:^4.0 [#7], [#8].
14 |
15 | ## [2.0.3] - 2022-09-27
16 | ### Fixed
17 | - Replace `true/punycode` with `symfony/polyfill-intl-idn` [#6].
18 |
19 | ## [2.0.2] - 2020-12-04
20 | ### Added
21 | - Support for PHP 8
22 |
23 | ### Fixed
24 | - Removed mindplay/composer-locator dependency [#4]
25 |
26 | ## [2.0.1] - 2020-10-13
27 | ### Fixed
28 | - TypeError on invalid referrer url [#3]
29 |
30 | ## [2.0.0] - 2019-12-07
31 | ### Added
32 | - Added a second argument to the constructor to set a `ResponseFactoryInterface`
33 |
34 | ### Removed
35 | - Support for PHP 7.0 and 7.1
36 | - The `responseFactory` option. Use the constructor argument
37 |
38 | ## [1.2.0] - 2018-08-04
39 | ### Added
40 | - PSR-17 support
41 | - New option `responseFactory`
42 |
43 | ## [1.1.0] - 2018-06-30
44 | ### Fixed
45 | - Update piwik list to matomo list [#1], [#2]
46 | - Unicode encoded domain names are converted to IDNA ASCII using `ext-intl` or `true/punicode`. [#1], [#2]
47 |
48 | ## [1.0.0] - 2018-01-27
49 | ### Added
50 | - Improved testing and added code coverage reporting
51 | - Added tests for PHP 7.2
52 |
53 | ### Changed
54 | - Upgraded to the final version of PSR-15 `psr/http-server-middleware`
55 |
56 | ### Fixed
57 | - Updated license year
58 |
59 | ## [0.5.0] - 2017-11-13
60 | ### Changed
61 | - Replaced `http-interop/http-middleware` with `http-interop/http-server-middleware`.
62 |
63 | ### Removed
64 | - Removed support for PHP 5.x.
65 |
66 | ## [0.4.0] - 2017-09-21
67 | ### Changed
68 | - Use `mindplay/composer-locator` to locate the spammers.txt file from the `piwik/referrer-spam-blacklist` package.
69 | - Append `.dist` suffix to phpcs.xml and phpunit.xml files
70 | - Changed the configuration of phpcs and php_cs
71 | - Upgraded phpunit to the latest version and improved its config file
72 | - Updated to `http-interop/http-middleware#0.5`
73 |
74 | ## [0.3.0] - 2016-12-26
75 | ### Changed
76 | - Updated tests
77 | - Updated to `http-interop/http-middleware#0.4`
78 | - Updated `friendsofphp/php-cs-fixer#2.0`
79 |
80 | ## [0.2.0] - 2016-11-27
81 | ### Changed
82 | - Updated to `http-interop/http-middleware#0.3`
83 |
84 | ## [0.1.0] - 2016-10-11
85 | First version
86 |
87 | [#1]: https://github.com/middlewares/referrer-spam/issues/1
88 | [#2]: https://github.com/middlewares/referrer-spam/issues/2
89 | [#3]: https://github.com/middlewares/referrer-spam/issues/3
90 | [#4]: https://github.com/middlewares/referrer-spam/issues/4
91 | [#6]: https://github.com/middlewares/referrer-spam/issues/6
92 | [#7]: https://github.com/middlewares/referrer-spam/issues/7
93 | [#8]: https://github.com/middlewares/referrer-spam/issues/8
94 |
95 | [2.1.0]: https://github.com/middlewares/referrer-spam/compare/v2.0.4...v2.1.0
96 | [2.0.4]: https://github.com/middlewares/referrer-spam/compare/v2.0.3...v2.0.4
97 | [2.0.3]: https://github.com/middlewares/referrer-spam/compare/v2.0.2...v2.0.3
98 | [2.0.2]: https://github.com/middlewares/referrer-spam/compare/v2.0.1...v2.0.2
99 | [2.0.1]: https://github.com/middlewares/referrer-spam/compare/v2.0.0...v2.0.1
100 | [2.0.0]: https://github.com/middlewares/referrer-spam/compare/v1.2.0...v2.0.0
101 | [1.2.0]: https://github.com/middlewares/referrer-spam/compare/v1.1.0...v1.2.0
102 | [1.1.0]: https://github.com/middlewares/referrer-spam/compare/v1.0.0...v1.1.0
103 | [1.0.0]: https://github.com/middlewares/referrer-spam/compare/v0.5.0...v1.0.0
104 | [0.5.0]: https://github.com/middlewares/referrer-spam/compare/v0.4.0...v0.5.0
105 | [0.4.0]: https://github.com/middlewares/referrer-spam/compare/v0.3.0...v0.4.0
106 | [0.3.0]: https://github.com/middlewares/referrer-spam/compare/v0.2.0...v0.3.0
107 | [0.2.0]: https://github.com/middlewares/referrer-spam/compare/v0.1.0...v0.2.0
108 | [0.1.0]: https://github.com/middlewares/referrer-spam/releases/tag/v0.1.0
109 |
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Contributing Guide
2 |
3 | This project adheres to [The Code Manifesto](http://codemanifesto.com) as its guidelines for contributor interactions.
4 |
5 | ## The Code Manifesto
6 |
7 | We want to work in an ecosystem that empowers developers to reach their potential--one that encourages growth and effective collaboration. A space that is safe for all.
8 |
9 | A space such as this benefits everyone that participates in it. It encourages new developers to enter our field. It is through discussion and collaboration that we grow, and through growth that we improve.
10 |
11 | In the effort to create such a place, we hold to these values:
12 |
13 | 1. **Discrimination limits us.** This includes discrimination on the basis of race, gender, sexual orientation, gender identity, age, nationality, technology and any other arbitrary exclusion of a group of people.
14 | 2. **Boundaries honor us.** Your comfort levels are not everyone’s comfort levels. Remember that, and if brought to your attention, heed it.
15 | 3. **We are our biggest assets.** None of us were born masters of our trade. Each of us has been helped along the way. Return that favor, when and where you can.
16 | 4. **We are resources for the future.** As an extension of #3, share what you know. Make yourself a resource to help those that come after you.
17 | 5. **Respect defines us.** Treat others as you wish to be treated. Make your discussions, criticisms and debates from a position of respectfulness. Ask yourself, is it true? Is it necessary? Is it constructive? Anything less is unacceptable.
18 | 6. **Reactions require grace.** Angry responses are valid, but abusive language and vindictive actions are toxic. When something happens that offends you, handle it assertively, but be respectful. Escalate reasonably, and try to allow the offender an opportunity to explain themselves, and possibly correct the issue.
19 | 7. **Opinions are just that: opinions.** Each and every one of us, due to our background and upbringing, have varying opinions. That is perfectly acceptable. Remember this: if you respect your own opinions, you should respect the opinions of others.
20 | 8. **To err is human.** You might not intend it, but mistakes do happen and contribute to build experience. Tolerate honest mistakes, and don't hesitate to apologize if you make one yourself.
21 |
22 | ## How to contribute
23 |
24 | This is a collaborative effort. We welcome all contributions submitted as pull requests.
25 |
26 | (Contributions on wording & style are also welcome.)
27 |
28 | ### Bugs
29 |
30 | A bug is a demonstrable problem that is caused by the code in the repository. Good bug reports are extremely helpful – thank you!
31 |
32 | Please try to be as detailed as possible in your report. Include specific information about the environment – version of PHP, etc, and steps required to reproduce the issue.
33 |
34 | ### Pull Requests
35 |
36 | Good pull requests – patches, improvements, new features – are a fantastic help. Before create a pull request, please follow these instructions:
37 |
38 | * The code must follow the [PSR-2 Coding Standard](https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-2-coding-style-guide.md). Run `composer cs-fix` to fix your code before commit.
39 | * Write tests
40 | * Document any change in `README.md` and `CHANGELOG.md`
41 | * One pull request per feature. If you want to do more than one thing, send multiple pull request
42 |
43 | ### Runing tests
44 |
45 | ```sh
46 | composer test
47 | ```
48 |
49 | To get code coverage information execute the following comand:
50 |
51 | ```sh
52 | composer coverage
53 | ```
54 |
55 | Then, open the `./coverage/index.html` file in your browser.
56 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | The MIT License (MIT)
2 |
3 | Copyright (c) 2019-2025
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # middlewares/referrer-spam
2 |
3 | [![Latest Version on Packagist][ico-version]][link-packagist]
4 | [![Software License][ico-license]](LICENSE)
5 | ![Testing][ico-ga]
6 | [![Total Downloads][ico-downloads]][link-downloads]
7 |
8 | Middleware to block referrer spammers using [matomo/referrer-spam-blacklist](https://github.com/matomo-org/referrer-spam-blacklist). It returns a `403` response if the url host in the `Referer` header is in the blacklist.
9 |
10 | ## Requirements
11 |
12 | * PHP >= 7.2
13 | * A [PSR-7 http library](https://github.com/middlewares/awesome-psr15-middlewares#psr-7-implementations)
14 | * A [PSR-15 middleware dispatcher](https://github.com/middlewares/awesome-psr15-middlewares#dispatcher)
15 |
16 | `ext-intl` PHP extension is recommended otherwise [symfony/polyfill-intl-idn](https://github.com/symfony/polyfill-intl-idn) is used.
17 |
18 | ## Installation
19 |
20 | This package is installable and autoloadable via Composer as [middlewares/referrer-spam](https://packagist.org/packages/middlewares/referrer-spam).
21 |
22 | ```sh
23 | composer require middlewares/referrer-spam
24 | ```
25 |
26 | ## Usage
27 |
28 | By default, use `matomo/referrer-spam-blacklist` as a list of spammers
29 |
30 | ```php
31 | $spam = new Middlewares\ReferrerSpam();
32 | ```
33 |
34 | But you can configure a custom spam list if you don't want to use the default:
35 |
36 | ```php
37 | $spammers = [
38 | 'http://www.0n-line.tv',
39 | 'http://холодныйобзвон.рф',
40 | ];
41 |
42 | $spam = new Middlewares\ReferrerSpam($spammers);
43 | ```
44 |
45 | Optionally, you can provide a `Psr\Http\Message\ResponseFactoryInterface` as the second argument to create the error responses (`403`). If it's not defined, [Middleware\Utils\Factory](https://github.com/middlewares/utils#factory) will be used to detect it automatically.
46 |
47 | ```php
48 | $responseFactory = new MyOwnResponseFactory();
49 |
50 | $spam = new Middlewares\ReferrerSpam($spammers, $responseFactory);
51 | ```
52 |
53 | ---
54 |
55 | Please see [CHANGELOG](CHANGELOG.md) for more information about recent changes and [CONTRIBUTING](CONTRIBUTING.md) for contributing details.
56 |
57 | The MIT License (MIT). Please see [LICENSE](LICENSE) for more information.
58 |
59 | [ico-version]: https://img.shields.io/packagist/v/middlewares/referrer-spam.svg?style=flat-square
60 | [ico-license]: https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square
61 | [ico-ga]: https://github.com/middlewares/referrer-spam/workflows/testing/badge.svg
62 | [ico-downloads]: https://img.shields.io/packagist/dt/middlewares/referrer-spam.svg?style=flat-square
63 |
64 | [link-packagist]: https://packagist.org/packages/middlewares/referrer-spam
65 | [link-downloads]: https://packagist.org/packages/middlewares/referrer-spam
66 |
--------------------------------------------------------------------------------
/composer.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "middlewares/referrer-spam",
3 | "type": "library",
4 | "description": "Middleware to block referrer spammers",
5 | "license": "MIT",
6 | "keywords": [
7 | "psr-7",
8 | "psr-15",
9 | "middleware",
10 | "http",
11 | "referer",
12 | "referrer",
13 | "spam",
14 | "security"
15 | ],
16 | "homepage": "https://github.com/middlewares/referrer-spam",
17 | "support": {
18 | "issues": "https://github.com/middlewares/referrer-spam/issues"
19 | },
20 | "require": {
21 | "php": "^7.2 || ^8.0",
22 | "middlewares/utils": "^2 || ^3 || ^4",
23 | "matomo/referrer-spam-blacklist": "*",
24 | "psr/http-server-middleware": "^1",
25 | "symfony/polyfill-intl-idn": "^1.26"
26 | },
27 | "suggest": {
28 | "ext-intl": "*"
29 | },
30 | "require-dev": {
31 | "phpunit/phpunit": "^8 || ^9",
32 | "laminas/laminas-diactoros": "^2 || ^3",
33 | "friendsofphp/php-cs-fixer": "^3",
34 | "squizlabs/php_codesniffer": "^3",
35 | "oscarotero/php-cs-fixer-config": "^2",
36 | "phpstan/phpstan": "^1 || ^2"
37 | },
38 | "autoload": {
39 | "psr-4": {
40 | "Middlewares\\": "src/"
41 | }
42 | },
43 | "autoload-dev": {
44 | "psr-4": {
45 | "Middlewares\\Tests\\": "tests/"
46 | }
47 | },
48 | "scripts": {
49 | "cs": "phpcs",
50 | "cs-fix": "php-cs-fixer fix",
51 | "phpstan": "phpstan analyse",
52 | "test": "phpunit",
53 | "coverage": "phpunit --coverage-text",
54 | "coverage-html": "phpunit --coverage-html=coverage"
55 | }
56 | }
--------------------------------------------------------------------------------
/phpcs.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | Middlewares coding standard
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 | src
15 | tests
16 |
17 |
--------------------------------------------------------------------------------
/phpunit.xml:
--------------------------------------------------------------------------------
1 |
2 |
18 |
19 |
20 | tests
21 |
22 |
23 |
24 |
25 |
26 | ./src
27 |
28 | ./tests
29 | ./vendor
30 |
31 |
32 |
33 |
34 |
--------------------------------------------------------------------------------
/src/ReferrerSpam.php:
--------------------------------------------------------------------------------
1 | blackList = $blackList;
39 | $this->responseFactory = $responseFactory ?: Factory::getResponseFactory();
40 | }
41 |
42 | /**
43 | * Process a request and return a response.
44 | */
45 | public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
46 | {
47 | if ($request->hasHeader('Referer')) {
48 | if ($this->blackList === null) {
49 | $this->blackList = self::getBlackList();
50 | }
51 |
52 | // http://php.net/manual/en/function.parse-url.php#114817
53 | $referer = preg_replace_callback(
54 | '%[^:/@?&=#]+%usD',
55 | function ($matches) {
56 | return urlencode($matches[0]);
57 | },
58 | $request->getHeaderLine('Referer')
59 | );
60 |
61 | $host = parse_url((string) $referer, PHP_URL_HOST);
62 |
63 | if ($host) {
64 | $host = urldecode($host);
65 | $host = preg_replace('/^(www\.)/i', '', $host);
66 | $host = $this->encodeIDN((string) $host);
67 |
68 | if (in_array($host, $this->blackList, true)) {
69 | return $this->responseFactory->createResponse(403);
70 | }
71 | }
72 | }
73 |
74 | return $handler->handle($request);
75 | }
76 |
77 | /**
78 | * Encode IDN to ASCII form (russian url for example)
79 | */
80 | private function encodeIDN(string $domain): string
81 | {
82 | return idn_to_ascii($domain, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46) ?: $domain;
83 | }
84 |
85 | /**
86 | * Returns the piwik's referrer spam blacklist.
87 | * @return string[]
88 | */
89 | private static function getBlackList(): array
90 | {
91 | $path = self::locateMatomoBlacklist();
92 |
93 | if ($path === null) {
94 | // @codeCoverageIgnoreStart
95 | throw new RuntimeException('Unable to locate the matomo referrer spam blacklist file');
96 | // @codeCoverageIgnoreEnd
97 | }
98 |
99 | $list = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
100 |
101 | if ($list === false) {
102 | throw new RuntimeException(sprintf('Fail reading the file %s', $path));
103 | }
104 |
105 | return $list;
106 | }
107 |
108 | private static function locateMatomoBlacklist(): ?string
109 | {
110 | $file = 'matomo/referrer-spam-blacklist/spammers.txt';
111 |
112 | //Development
113 | $path = __DIR__."/../vendor/{$file}";
114 |
115 | if (is_file($path)) {
116 | return $path;
117 | }
118 |
119 | //Production
120 | $path = __DIR__."/../../../{$file}";
121 |
122 | if (is_file($path)) {
123 | return $path;
124 | }
125 |
126 | return null;
127 | }
128 | }
129 |
--------------------------------------------------------------------------------