This is an attempt to mitigate the spam flood which has targeted
aur.archlinux.org in a simple and (hopefully) effective way. As
described in the commit message it just adds a hidden field which these
automated bots fill in to make the form submission look "valid" for
normal users nothing changes.
I also created a patch for account registration, but that patch is a bit
bigger and I'm not sure if these automated bot setups are smart enough
to report that registration fails although one can argue that they can
detect if a comment was 'submitted'. Either way the comment patch has
the smallest impact codewise and is an easy way to figure out if it
works.
Greetings,
Jelle van der Waa
From: Jelle van der Waa
Add a hidden input text field named 'website' which is hidden by CSS to
not show up for normal users. Automated bots try to fill in all text
fields, especially 'required' fields such as a 'website' when spamming a
webform. When a comment is posted with the 'website' field filled in
ignore it, so it seems that the submission is succesful.
Signed-off-by: Jelle van der Waa
---
web/html/css/aurweb.css | 4 ++++
web/html/pkgbase.php | 3 ++-
web/template/pkg_comment_form.php | 1 +
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/web/html/css/aurweb.css b/web/html/css/aurweb.css
index ef37bf5..d8716b7 100644
--- a/web/html/css/aurweb.css
+++ b/web/html/css/aurweb.css
@@ -195,3 +195,7 @@ label.confirmation,
.comments .more {
font-weight: normal;
}
+
+#id_website {
+ display: none;
+}
diff --git a/web/html/pkgbase.php b/web/html/pkgbase.php
index b716644..0241ae3 100644
--- a/web/html/pkgbase.php
+++ b/web/html/pkgbase.php
@@ -117,7 +117,8 @@ if (check_token()) {
list($ret, $output) = pkgreq_close($_POST['reqid'], $_POST['reason'], $_POST['comments']);
} elseif (current_action("do_EditComaintainers")) {
list($ret, $output) = pkgbase_set_comaintainers($base_id, explode("\n", $_POST['users']));
- } elseif (current_action("do_AddComment")) {
+ } elseif (current_action("do_AddComment") && $_REQUEST['website'] === "") {
+ // website is a hidden field used to detect if a bot filled in all form elements
$uid = uid_from_sid($_COOKIE["AURSID"]);
list($ret, $output) = pkgbase_add_comment($base_id, $uid, $_REQUEST['comment']);
if ($ret && isset($_REQUEST['enable_notifications'])) {
diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php
index 3feee8f..23322a7 100644
--- a/web/template/pkg_comment_form.php
+++ b/web/template/pkg_comment_form.php
@@ -11,6 +11,7 @@
<p>
<textarea id="id_comment" name="comment" cols="80" rows="10"><?= (isset($comment_id)) ? htmlspecialchars($comment) : "" ?></textarea>
</p>
+ <input id="id_website" type="text" name="website"/>
<p>
<?php if (!isset($comment_id) && !pkgbase_user_notify($uid, $base_id)): ?>
--
2.22.0