diff mbox series

[v2] Implement spamming mitigations for comments

Message ID 20190630124536.18622-1-jelle@vdwaa.nl
State New
Headers show
Series [v2] Implement spamming mitigations for comments | expand

Commit Message

Jelle van der Waa June 30, 2019, 12:45 p.m. UTC 
From: Jelle van der Waa <jelle@vdwaa.nl>

Add a hidden input text field named 'website' which is hidden by CSS to
not show up for normal users. Automated bots try to fill in all text
fields, especially 'required' fields such as a 'website' when spamming a
webform. When a comment is posted with the 'website' field filled in
ignore it, so it seems that the submission is succesful.

Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl>
---
 web/html/css/aurweb.css           | 4 ++++
 web/html/pkgbase.php              | 3 ++-
 web/template/pkg_comment_form.php | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)

Comments

Lukas Fleischer June 30, 2019, 12:56 p.m. UTC | #1 
On Sun, 30 Jun 2019 at 08:45:36, Jelle van der Waa wrote:
> From: Jelle van der Waa <jelle@vdwaa.nl>
> 
> Add a hidden input text field named 'website' which is hidden by CSS to
> not show up for normal users. Automated bots try to fill in all text
> fields, especially 'required' fields such as a 'website' when spamming a
> webform. When a comment is posted with the 'website' field filled in
> ignore it, so it seems that the submission is succesful.
> 
> Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl>
> ---
>  web/html/css/aurweb.css           | 4 ++++
>  web/html/pkgbase.php              | 3 ++-
>  web/template/pkg_comment_form.php | 1 +
>  3 files changed, 7 insertions(+), 1 deletion(-)
> 

Thanks!

I added this to our live setup. Let's see whether it actually reduces
the amount of spam.
diff mbox series

Patch

diff --git a/web/html/css/aurweb.css b/web/html/css/aurweb.css
index 81bf9ab..aa0a7b0 100644
--- a/web/html/css/aurweb.css
+++ b/web/html/css/aurweb.css
@@ -199,3 +199,7 @@  label.confirmation,
 .error {
 	color: red;
 }
+
+#id_website {
+	display: none;
+}
diff --git a/web/html/pkgbase.php b/web/html/pkgbase.php
index b716644..0241ae3 100644
--- a/web/html/pkgbase.php
+++ b/web/html/pkgbase.php
@@ -117,7 +117,8 @@  if (check_token()) {
 		list($ret, $output) = pkgreq_close($_POST['reqid'], $_POST['reason'], $_POST['comments']);
 	} elseif (current_action("do_EditComaintainers")) {
 		list($ret, $output) = pkgbase_set_comaintainers($base_id, explode("\n", $_POST['users']));
-	} elseif (current_action("do_AddComment")) {
+	} elseif (current_action("do_AddComment") && $_REQUEST['website'] === "") {
+		// website is a hidden field used to detect if a bot filled in all form elements
 		$uid = uid_from_sid($_COOKIE["AURSID"]);
 		list($ret, $output) = pkgbase_add_comment($base_id, $uid, $_REQUEST['comment']);
 		if ($ret && isset($_REQUEST['enable_notifications'])) {
diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php
index 3feee8f..23322a7 100644
--- a/web/template/pkg_comment_form.php
+++ b/web/template/pkg_comment_form.php
@@ -11,6 +11,7 @@ 
 			<p>
 				<textarea id="id_comment" name="comment" cols="80" rows="10"><?= (isset($comment_id)) ? htmlspecialchars($comment) : "" ?></textarea>
 			</p>
+				<input id="id_website" type="text" name="website"/>
 			<p>
 				<input type="submit" value="<?= (isset($comment_id)) ? __("Save") : __("Add Comment") ?>" />
 				<?php if (!isset($comment_id) && !pkgbase_user_notify($uid, $base_id)): ?>