[PATCH v2] Implement spamming mitigations for comments
From: Jelle van der Waa <jelle@vdwaa.nl> Add a hidden input text field named 'website' which is hidden by CSS to not show up for normal users. Automated bots try to fill in all text fields, especially 'required' fields such as a 'website' when spamming a webform. When a comment is posted with the 'website' field filled in ignore it, so it seems that the submission is succesful. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> --- web/html/css/aurweb.css | 4 ++++ web/html/pkgbase.php | 3 ++- web/template/pkg_comment_form.php | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/web/html/css/aurweb.css b/web/html/css/aurweb.css index 81bf9ab..aa0a7b0 100644 --- a/web/html/css/aurweb.css +++ b/web/html/css/aurweb.css @@ -199,3 +199,7 @@ label.confirmation, .error { color: red; } + +#id_website { + display: none; +} diff --git a/web/html/pkgbase.php b/web/html/pkgbase.php index b716644..0241ae3 100644 --- a/web/html/pkgbase.php +++ b/web/html/pkgbase.php @@ -117,7 +117,8 @@ if (check_token()) { list($ret, $output) = pkgreq_close($_POST['reqid'], $_POST['reason'], $_POST['comments']); } elseif (current_action("do_EditComaintainers")) { list($ret, $output) = pkgbase_set_comaintainers($base_id, explode("\n", $_POST['users'])); - } elseif (current_action("do_AddComment")) { + } elseif (current_action("do_AddComment") && $_REQUEST['website'] === "") { + // website is a hidden field used to detect if a bot filled in all form elements $uid = uid_from_sid($_COOKIE["AURSID"]); list($ret, $output) = pkgbase_add_comment($base_id, $uid, $_REQUEST['comment']); if ($ret && isset($_REQUEST['enable_notifications'])) { diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php index 3feee8f..23322a7 100644 --- a/web/template/pkg_comment_form.php +++ b/web/template/pkg_comment_form.php 
@@ -11,6 +11,7 @@ <p> <textarea id="id_comment" name="comment" cols="80" rows="10"><?= (isset($comment_id)) ? htmlspecialchars($comment) : "" ?></textarea> </p> + <input id="id_website" type="text" name="website"/> <p> <input type="submit" value="<?= (isset($comment_id)) ? __("Save") : __("Add Comment") ?>" /> <?php if (!isset($comment_id) && !pkgbase_user_notify($uid, $base_id)): ?> -- 2.22.0
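Review bot: the `#id_website { display: none; }` rule in aurweb.css is the only thing keeping the trap field out of sight, so a user who browses with stylesheets disabled or in a text-mode browser gets an unlabelled, visible text box, and if they fill it their comment is dropped with no error. Consider adding `aria-hidden="true"` on the input or a small label telling humans to leave the field empty; note that `display: none` also removes the control from the accessibility tree, which is the right side to err on for screen-reader users.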
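Review bot: the new condition `current_action("do_AddComment") && $_REQUEST['website'] === ""` treats a missing field as a bot: if `website` is absent from the request (a client that omits empty inputs, or a form rendered before this template change was deployed), `$_REQUEST['website']` is undefined, PHP raises a notice, and `null === ""` is false, so a legitimate comment is silently discarded. `empty($_REQUEST['website'])` or `!isset($_REQUEST['website']) || $_REQUEST['website'] === ""` avoids that. When the check fails the request simply falls out of this `elseif` chain; the commit message promises the bot sees a successful submission, but nothing in the hunk produces that response, so please confirm what the code after the chain does with an unmatched action. The template this hunk pairs with also serves the edit form (the `Save` branch), yet only `do_AddComment` is guarded here.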
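Review bot: the added `<input id="id_website" type="text" name="website"/>` carries no `autocomplete="off"` or `tabindex="-1"`, so browser autofill or a password manager may populate a field named "website" from a saved profile, and a keyboard user tabbing out of the textarea lands on an invisible control; in either case the server check drops a real comment. Add both attributes. The element is also placed bare between two `<p>` blocks while every neighbouring input is wrapped in one; giving it its own `<p>` keeps the markup consistent.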
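The honeypot pattern the patch describes, written out as an added example in PHP (this is not aurweb's code and not part of the patch). It renders the trap field with attributes that stop autofill and keyboard focus from filling it, treats an absent field as a real user rather than a bot, trims whitespace before deciding, and logs each hit so the effect on spam can actually be measured. The function names, the `$log` array and the sample requests are assumptions constructed for the example.

```php
<?php
// Added example, not aurweb's code: a self-contained honeypot check in the
// style of the patch. render_honeypot_field, honeypot_tripped,
// handle_add_comment and $log are names assumed for illustration.

const HONEYPOT_FIELD = 'website';

// Render the trap field. tabindex="-1" keeps keyboard users out of it,
// autocomplete="off" discourages browser autofill, aria-hidden keeps it out
// of screen readers; the CSS rule hiding it is assumed to live elsewhere.
function render_honeypot_field(): string {
    $name = htmlspecialchars(HONEYPOT_FIELD, ENT_QUOTES);
    return '<input id="id_' . $name . '" type="text" name="' . $name . '"'
         . ' tabindex="-1" autocomplete="off" aria-hidden="true" />';
}

// True only when the trap was actually filled in. An absent field is NOT a
// trip: a client that omits empty inputs, or an older cached form, must
// still be able to post.
function honeypot_tripped(array $request): bool {
    if (!isset($request[HONEYPOT_FIELD])) {
        return false;
    }
    return trim((string) $request[HONEYPOT_FIELD]) !== '';
}

// Handler: on a trip, record the event for detection/metrics and return the
// same (ret, message) pair a real success would, so nothing is stored and
// the submitter cannot tell the comment was discarded.
function handle_add_comment(array $request, callable $add_comment, array &$log): array {
    if (honeypot_tripped($request)) {
        $log[] = sprintf('honeypot: dropped comment, %s=%s', HONEYPOT_FIELD,
                         substr((string) $request[HONEYPOT_FIELD], 0, 64));
        return [true, 'Comment has been added.'];
    }
    return $add_comment($request['comment'] ?? '');
}

// Constructed sample requests: a normal post, a client that omitted the
// field entirely, and a bot that filled every input it found.
$log = [];
$store = function (string $comment): array {
    return [true, 'Comment has been added.'];
};
$cases = [
    ['comment' => 'Builds fine here.', 'website' => ''],
    ['comment' => 'Builds fine here.'],
    ['comment' => 'cheap pills', 'website' => 'http://example.invalid/'],
];
foreach ($cases as $i => $req) {
    [$ret, $msg] = handle_add_comment($req, $store, $log);
    printf("case %d: ret=%s msg=%s\n", $i, var_export($ret, true), $msg);
}
printf("%d honeypot hit(s) logged\n", count($log));
```

All three cases receive the identical success message; only the log entry distinguishes the trapped submission, which is what makes the counter useful when judging whether the mitigation reduces spam.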
On Sun, 30 Jun 2019 at 08:45:36, Jelle van der Waa wrote:
From: Jelle van der Waa <jelle@vdwaa.nl>
Add a hidden input text field named 'website' which is hidden by CSS to not show up for normal users. Automated bots try to fill in all text fields, especially 'required' fields such as a 'website' when spamming a webform. When a comment is posted with the 'website' field filled in ignore it, so it seems that the submission is successful.
Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl>
---
 web/html/css/aurweb.css           | 4 ++++
 web/html/pkgbase.php              | 3 ++-
 web/template/pkg_comment_form.php | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)
Thanks! I added this to our live setup. Let's see whether it actually reduces the amount of spam.