From patchwork Sun Jun 30 12:45:36 2019
X-Patchwork-Submitter: Jelle van der Waa
X-Patchwork-Id: 1168
From: Jelle van der Waa
To: aur-dev@archlinux.org
Subject: [PATCH v2] Implement spamming mitigations for comments
Date: Sun, 30 Jun 2019 14:45:36 +0200
Message-Id: <20190630124536.18622-1-jelle@vdwaa.nl>
X-Mailer: git-send-email 2.22.0
List-Id: "Arch User Repository \(AUR\) Development"
Sender: "aur-dev"

Add a hidden input text field named 'website' which is hidden by CSS so that it does not show up for normal users. Automated bots try to fill in all text fields, especially 'required' fields such as 'website', when spamming a web form. When a comment is posted with the 'website' field filled in, ignore it, so it seems that the submission is successful.

Signed-off-by: Jelle van der Waa
--- web/html/css/aurweb.css | 4 ++++ web/html/pkgbase.php | 3 ++- web/template/pkg_comment_form.php | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/web/html/css/aurweb.css b/web/html/css/aurweb.css index 81bf9ab..aa0a7b0 100644 --- a/web/html/css/aurweb.css +++ b/web/html/css/aurweb.css @@ -199,3 +199,7 @@ label.confirmation, .error { color: red; } + +#id_website { + display: none; +}
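Review bot: hiding the honeypot only through `#id_website { display: none; }` in the aurweb.css hunk leaves a real, submittable text input for anyone whose stylesheet does not load or who browses without CSS (text-mode browsers, reader modes, a cached page before the CSS deploy), and a human who fills in that unlabeled 'website' box gets their comment silently discarded by the pkgbase.php check. Give the field a label that tells humans to leave it empty (the label can be hidden too), so the false-positive path is at least visible when the styling is absent.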
diff --git a/web/html/pkgbase.php b/web/html/pkgbase.php index b716644..0241ae3 100644 --- a/web/html/pkgbase.php +++ b/web/html/pkgbase.php @@ -117,7 +117,8 @@ if (check_token()) { list($ret, $output) = pkgreq_close($_POST['reqid'], $_POST['reason'], $_POST['comments']); } elseif (current_action("do_EditComaintainers")) { list($ret, $output) = pkgbase_set_comaintainers($base_id, explode("\n", $_POST['users'])); - } elseif (current_action("do_AddComment")) { + } elseif (current_action("do_AddComment") && $_REQUEST['website'] === "") { + // website is a hidden field used to detect if a bot filled in all form elements $uid = uid_from_sid($_COOKIE["AURSID"]); list($ret, $output) = pkgbase_add_comment($base_id, $uid, $_REQUEST['comment']); if ($ret && isset($_REQUEST['enable_notifications'])) { diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php index 3feee8f..23322a7 100644 --- a/web/template/pkg_comment_form.php +++ b/web/template/pkg_comment_form.php @@ -11,6 +11,7 @@

+

" />
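Review bot: `$_REQUEST['website'] === ""` in the pkgbase.php hunk is only true when the key is present and empty; a request that omits the field entirely (a form loaded before this deploy, a browser extension or script that strips unknown inputs) yields `null`, which fails the strict comparison, so a legitimate comment is dropped and PHP emits an undefined-index notice. Use `($_REQUEST['website'] ?? '') === ''` (or `empty($_REQUEST['website'])`) so a missing field counts as not tripped. Two further points: the commit message promises that a rejected submission still looks successful, but the hunk only makes the `do_AddComment` branch not match, so control falls through to the later `elseif`/`else` arms that are not shown; verify that tail returns the normal success response rather than an invalid-action error. And a dropped submission currently leaves no trace at all; a log line or counter in the rejected path would let you measure both spam volume and false positives.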
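Review bot: the added template line (the lone `+` in the pkg_comment_form.php hunk) lost its markup in this archive copy, so its attributes cannot be reviewed here; confirm that it carries `id="id_website"` to match the CSS selector and `name="website"` to match the `$_REQUEST['website']` check, and add `autocomplete="off"` and `tabindex="-1"`. Browser form autofill will readily populate a text field named 'website' for a user who has stored that value, and with the new check that user's comment is silently discarded; `tabindex="-1"` keeps keyboard users from landing on the field when the CSS has not applied.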