Implement spamming mitigations for comments

Message ID 20190630114527.15456-2-jelle@vdwaa.nl
State Superseded, archived
Series Implement spamming mitigations for comments

Commit Message

Jelle van der Waa June 30, 2019, 11:45 a.m. UTC
From: Jelle van der Waa <jelle@vdwaa.nl>

Add a hidden input text field named 'website' which is hidden by CSS to
not show up for normal users. Automated bots try to fill in all text
fields, especially 'required' fields such as a 'website' when spamming a
webform. When a comment is posted with the 'website' field filled in
ignore it, so it seems that the submission is successful.

Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl>
---
 web/html/css/aurweb.css           | 4 ++++
 web/html/pkgbase.php              | 3 ++-
 web/template/pkg_comment_form.php | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)

Patch

diff --git a/web/html/css/aurweb.css b/web/html/css/aurweb.css
index ef37bf5..d8716b7 100644
--- a/web/html/css/aurweb.css
+++ b/web/html/css/aurweb.css
@@ -195,3 +195,7 @@  label.confirmation,
 .comments .more {
 	font-weight: normal;
 }
+
+#id_website {
+	display: none;
+}
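Review bot: this `display: none` rule in the external stylesheet is the only thing keeping the field out of sight, so a user browsing with CSS disabled or in a text-mode browser gets an unlabelled text box directly after the comment textarea, and anything they type into it makes pkgbase.php drop their comment. Consider a short comment above `#id_website` stating that the selector exists for the comment-spam honeypot, so it is not cleaned up later as an unused rule, and keep the hiding attributes on the input itself in pkg_comment_form.php rather than relying on the stylesheet alone.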
diff --git a/web/html/pkgbase.php b/web/html/pkgbase.php
index b716644..0241ae3 100644
--- a/web/html/pkgbase.php
+++ b/web/html/pkgbase.php
@@ -117,7 +117,8 @@  if (check_token()) {
 		list($ret, $output) = pkgreq_close($_POST['reqid'], $_POST['reason'], $_POST['comments']);
 	} elseif (current_action("do_EditComaintainers")) {
 		list($ret, $output) = pkgbase_set_comaintainers($base_id, explode("\n", $_POST['users']));
-	} elseif (current_action("do_AddComment")) {
+	} elseif (current_action("do_AddComment") && $_REQUEST['website'] === "") {
+		// website is a hidden field used to detect if a bot filled in all form elements
 		$uid = uid_from_sid($_COOKIE["AURSID"]);
 		list($ret, $output) = pkgbase_add_comment($base_id, $uid, $_REQUEST['comment']);
 		if ($ret && isset($_REQUEST['enable_notifications'])) {
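Review bot: `$_REQUEST['website'] === ""` emits an undefined-index notice and evaluates to false whenever the field is absent from the request (a client that submits only `comment`, or a cached copy of the old form), so such comments are silently discarded rather than posted; if the intent is to reject only filled-in values, use `!isset($_REQUEST['website']) || $_REQUEST['website'] === ""` (or `empty($_REQUEST['website'])`). Also, because the check is folded into the `elseif` condition, a request with a non-empty `website` falls through to the remaining branches of the chain instead of entering this one, so whether the submitter really sees the success response that the commit message promises depends on the chain's final `else`, which is outside this hunk; a dedicated branch for the honeypot case that sets `$ret` and `$output` to the normal success values would make that behaviour explicit.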
diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php
index 3feee8f..23322a7 100644
--- a/web/template/pkg_comment_form.php
+++ b/web/template/pkg_comment_form.php
@@ -11,6 +11,7 @@ 
 			<p>
 				<textarea id="id_comment" name="comment" cols="80" rows="10"><?= (isset($comment_id)) ? htmlspecialchars($comment) : "" ?></textarea>
 			</p>
+				<input id="id_website" type="text" name="website"/>
 			<p>
 				<input type="submit" value="<?= (isset($comment_id)) ? __("Save") : __("Add Comment") ?>" />
 				<?php if (!isset($comment_id) && !pkgbase_user_notify($uid, $base_id)): ?>
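Review bot: the new `<input>` is placed between two `<p>` elements but indented as if it were inside one, and it carries no `autocomplete="off"`, `tabindex="-1"` or `aria-hidden="true"`, so browser autofill, tab navigation or a screen reader can land a legitimate user in the field and pkgbase.php will then drop their comment. Suggest `<input id="id_website" type="text" name="website" autocomplete="off" tabindex="-1" aria-hidden="true" />` at the indentation of the surrounding `<p>` tags (wrapping it in a `<p>` would match the rest of the form). Note also that this template renders the field for the edit form as well (`isset($comment_id)` selects the "Save" button), while the check added in pkgbase.php only covers `do_AddComment`; if that asymmetry is intended, a comment here saying so would help.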