[PATCH] Implement spamming mitigations for comments
This is an attempt to mitigate the spam flood which has targeted aur.archlinux.org in a simple and (hopefully) effective way. As described in the commit message, it just adds a hidden field which these automated bots fill in to make the form submission look "valid"; for normal users nothing changes.

I also created a patch for account registration, but that patch is a bit bigger and I'm not sure if these automated bot setups are smart enough to report that registration fails, although one can argue that they can detect if a comment was 'submitted'. Either way, the comment patch has the smallest impact code-wise and is an easy way to figure out if it works.

Greetings,
Jelle van der Waa
From: Jelle van der Waa <jelle@vdwaa.nl> Add a hidden input text field named 'website' which is hidden by CSS to not show up for normal users. Automated bots try to fill in all text fields, especially 'required' fields such as a 'website' when spamming a webform. When a comment is posted with the 'website' field filled in, ignore it, so it seems that the submission is successful. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> --- web/html/css/aurweb.css | 4 ++++ web/html/pkgbase.php | 3 ++- web/template/pkg_comment_form.php | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/web/html/css/aurweb.css b/web/html/css/aurweb.css index ef37bf5..d8716b7 100644 --- a/web/html/css/aurweb.css +++ b/web/html/css/aurweb.css @@ -195,3 +195,7 @@ label.confirmation, .comments .more { font-weight: normal; } + +#id_website { + display: none; +} diff --git a/web/html/pkgbase.php b/web/html/pkgbase.php index b716644..0241ae3 100644 --- a/web/html/pkgbase.php +++ b/web/html/pkgbase.php @@ -117,7 +117,8 @@ if (check_token()) { list($ret, $output) = pkgreq_close($_POST['reqid'], $_POST['reason'], $_POST['comments']); } elseif (current_action("do_EditComaintainers")) { list($ret, $output) = pkgbase_set_comaintainers($base_id, explode("\n", $_POST['users'])); - } elseif (current_action("do_AddComment")) { + } elseif (current_action("do_AddComment") && $_REQUEST['website'] === "") { + // website is a hidden field used to detect if a bot filled in all form elements $uid = uid_from_sid($_COOKIE["AURSID"]); list($ret, $output) = pkgbase_add_comment($base_id, $uid, $_REQUEST['comment']); if ($ret && isset($_REQUEST['enable_notifications'])) { diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php index 3feee8f..23322a7 100644 --- a/web/template/pkg_comment_form.php +++ b/web/template/pkg_comment_form.php 
@@ -11,6 +11,7 @@ <p> <textarea id="id_comment" name="comment" cols="80" rows="10"><?= (isset($comment_id)) ? htmlspecialchars($comment) : "" ?></textarea> </p> + <input id="id_website" type="text" name="website"/> <p> <input type="submit" value="<?= (isset($comment_id)) ? __("Save") : __("Add Comment") ?>" /> <?php if (!isset($comment_id) && !pkgbase_user_notify($uid, $base_id)): ?> -- 2.22.0
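Review bot: hiding #id_website with `display: none` in the aurweb.css hunk only helps against clients that do not apply the stylesheet; a bot that renders the page or simply parses the CSS can see the rule and skip the field, while a human on a text-mode or CSS-disabled browser gets a bare, unlabelled text box and, if they type into it, their comment is discarded with no error. Consider moving the input off-screen (e.g. `position: absolute; left: -9999px`) or adding a label telling humans to leave it empty, and treat the honeypot as one signal rather than the only gate.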
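Review bot: the new condition `$_REQUEST['website'] === ""` in the pkgbase.php hunk rejects every request in which the key is absent, because `null === ""` is false (and PHP emits an undefined-index notice): a comment form rendered before this deploy and still open in a tab, or a client that omits empty fields, has its comment silently dropped. Use `empty($_REQUEST['website'])`, or `!isset($_REQUEST['website']) || trim($_REQUEST['website']) === ''`, so that only a filled-in field trips the check. When the check does fail, control just falls through the remaining `elseif` chain, so whether the bot really receives the "successful" response the commit message intends depends on code outside this hunk; an explicit branch that sets `$ret`/`$output` to the normal success values and increments a counter or writes a log line would make that behaviour deterministic and give the measurement the cover letter says this patch is meant to provide.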
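Review bot: the new `<input id="id_website" type="text" name="website"/>` in the pkg_comment_form.php hunk should carry `autocomplete="off"` and `tabindex="-1"`: browser or extension autofill can populate a hidden text field, and a keyboard user tabbing from the textarea to the submit button would otherwise land on an invisible control; either way a genuine comment becomes a honeypot hit that is silently dropped. The input also sits outside the `<p>` wrappers the neighbouring controls use, and because this template is shared with the edit form (the `isset($comment_id)` branch) the field is rendered there too although only `do_AddComment` checks it; harmless, but worth a comment in the template.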
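The server side of the honeypot described in the cover letter and commit message, as an added example that is not aurweb's code: it distinguishes an empty field (a browser submitting the untouched hidden input), a filled field (a bot) and a missing field (a stale or hand-built form), returns the same "success" result to the bot so nothing leaks back, and records each outcome so the effect of the mitigation can be measured. The function names, the `$store`/`$log` callbacks and the sample submissions are this example's own assumptions.

```php
<?php
// Added example (not aurweb code). Assumes a form text input named "website"
// that is hidden from humans; helper names and sample data are constructed.
declare(strict_types=1);

/**
 * Classify a submission by its honeypot field.
 *  "human"   - field present and blank, as a browser submits an untouched input
 *  "bot"     - field present with non-whitespace content
 *  "missing" - field absent (old cached form, hand-built client, or a bot that
 *              drops unknown fields); the caller decides how to treat it
 */
function honeypot_verdict(array $post, string $field = 'website'): string
{
    if (!array_key_exists($field, $post)) {
        return 'missing';          // a plain === "" check would reject this request
    }
    // trim() so a stray space from autofill does not count as bot input
    return trim((string) $post[$field]) === '' ? 'human' : 'bot';
}

/**
 * Handle one comment submission. A bot gets the normal success reply but its
 * comment is never stored; every verdict is logged so operators can count hits.
 */
function handle_comment(array $post, callable $store, callable $log): array
{
    $success = ['ret' => true, 'output' => 'Comment has been added.'];
    $verdict = honeypot_verdict($post);
    $log('honeypot_' . $verdict, ['len' => strlen((string) ($post['website'] ?? ''))]);

    if ($verdict === 'bot') {
        return $success;           // fake success: nothing stored, nothing revealed
    }
    // "human" and "missing" both go through; "missing" is still logged above so a
    // spike in it (bots omitting the field) is visible.
    $store((string) ($post['comment'] ?? ''));
    return $success;
}

// Constructed sample submissions, not captured traffic.
$stored = [];
$events = [];
$store  = function (string $c) use (&$stored): void { $stored[] = $c; };
$log    = function (string $ev, array $ctx) use (&$events): void { $events[] = $ev; };

handle_comment(['comment' => 'works for me',     'website' => ''],                     $store, $log);
handle_comment(['comment' => 'buy now!!',        'website' => 'http://spam.example'],  $store, $log);
handle_comment(['comment' => 'posted from lynx'],                                      $store, $log);

assert($stored === ['works for me', 'posted from lynx']);
assert($events === ['honeypot_human', 'honeypot_bot', 'honeypot_missing']);
echo count($stored), " comments stored, ", count($events), " honeypot events logged\n";
```

The "missing" case is deliberately allowed through: rejecting it would drop comments from users whose form predates the deploy, while logging it separately still shows whether bots adapt by omitting the field.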
participants (1)
-
Jelle van der Waa