This repository has been archived by the owner on Jun 10, 2024. It is now read-only.

Missing server invalidation #42

Open
herzaso opened this issue Jan 16, 2017 · 5 comments

Comments

@herzaso

herzaso commented Jan 16, 2017

Once a form has been posted, the server does not invalidate it, nor does it provide a method to do so.
This might result in a spamming problem, since many spambots simply record the end URL for the POSTed data and use that for posting spam.
In its easiest form, the server invalidation should have checked that the honeypot field exists and is empty. Otherwise, if the honeypot was introduced after the spambot got the URL, it does not protect from spam.

Also, there are many more protections against spamming that could have helped (check out http://nedbatchelder.com/text/stopbots.html).

@mishbahr
Owner

I'm confused as to what you are suggesting that I should improve.

djangocms-forms supports both "honey pot" and ReCaptcha.

And they both do server side validation!

See djangocms_forms.fields.ReCaptchaField and djangocms_forms.fields.HoneyPotField

@herzaso
Author

herzaso commented Jan 16, 2017

HoneyPotField just checks for the value and not for the existence of the field.

In my situation, I had a working contact form without any spam protection.
Since a spambot got to my form, I can't get rid of it. That's because it has probably saved the URL for the POST (without the honeypot) and it's using it without even entering my form again.

What I suggest is adding an is_valid method for the Form that will make sure that the honeypot exists but is empty. Also, I suggest allowing users to modify or add to this validation.

@mishbahr
Owner

I think the best way we can resolve this is to add a hook to the form clean logic as a signal.. that you could use to add additional logic?

@herzaso
Author

herzaso commented Jan 16, 2017

I'm not familiar enough with signals.
I understand that I'll be notified on the right event but would I be able to change the outcome? (that is, to render the form invalid in case I find it as such)
If the answer is yes, then I guess it should be OK.

Also, is there a way to change the honeypot's name/type?

@mishbahr
Owner

Re: signal

Alternative option would be to allow people to subclass djangocms_forms.forms.FormBuilder
to add custom clean logic.

I think that might be a better option.

I'm super busy at the moment.. so can't promise to implement anything immediately!
But I'll try my best to make the changes as soon as I can. Thanks

> Also, is there a way to change the honeypot's name/type?

Not at the moment.
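Added example, not djangocms-forms code: a server-side honeypot check that separates the two cases discussed in this thread, a honeypot field that is absent (an old POST replayed from before the honeypot was added) and one that is filled in. The field name `website`, the payloads and the function names are assumed for illustration; in a real Django form the check would run inside `clean()`.

```python
# Constructed example: honeypot validation that also rejects a POST in which the
# honeypot field is missing, not only one in which it has been filled in.
# "website" is an assumed honeypot field name, not the one djangocms-forms uses.
HONEYPOT_FIELD = "website"


def honeypot_errors(post_data, field_name=HONEYPOT_FIELD):
    """Return a list of error strings for the honeypot; an empty list means it passed.

    Two distinct failure modes are reported separately so they can be logged apart:
      * field missing   -> the client replayed a POST captured before the honeypot
                           existed (the situation described in the issue)
      * field non-empty -> the client filled in a field that humans never see
    Whitespace-only values are treated as empty, since browsers may submit them.
    """
    if field_name not in post_data:
        return ["honeypot field missing: submission was not produced by the current form"]
    if post_data[field_name].strip():
        return ["honeypot field filled in"]
    return []


def is_valid_submission(post_data, field_name=HONEYPOT_FIELD):
    """Equivalent of the is_valid check proposed in the thread, for the honeypot only."""
    return not honeypot_errors(post_data, field_name)


# Constructed sample POST bodies (dicts standing in for request.POST)
HUMAN_POST = {"name": "Ada", "email": "ada@example.com", "message": "hi", "website": ""}
BOT_FILLED_POST = {"name": "x", "email": "x@example.com", "message": "buy", "website": "http://spam.example"}
REPLAYED_OLD_POST = {"name": "x", "email": "x@example.com", "message": "buy"}  # no honeypot at all


if __name__ == "__main__":
    for label, post in [("human", HUMAN_POST), ("bot filled", BOT_FILLED_POST), ("replayed", REPLAYED_OLD_POST)]:
        print(f"{label:11s} valid={is_valid_submission(post)} errors={honeypot_errors(post)}")
```

Inside a Django form subclass (for example a subclass of djangocms_forms.forms.FormBuilder, as suggested above), `clean()` would call `honeypot_errors(self.data)` and raise `forms.ValidationError` when the list is non-empty.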
