Failed captcha entries bringing down server
ari salomon
Member
Aug 19, 2013 - 2:34 pm

I just went in to try and edit the sp-post.php with the intention of checking to see if the captcha was even filled out, and if it was blank halt execution there. This should kill the majority of the bots while causing a minimal impact on real people. However, I am running into an issue trying to figure out exactly what I should be checking for. Tracing through the code it appears as if there are 3 checks, 1) a honeypot for whether or not the url field has been filled out, 2) a built in math captcha, and 3) an addon for a captcha located in wp-content/sp-resources/forum-plugins/captcha/library/sp-captcha.php.

Based on the actual errors getting submitted to the database it appears that it is the addon that is blank when the form is submitted. I cannot tell though if this means that it is getting checked first, or if 1 & 2 are being checked and pass and then it fails on 3. My guess is that it is the former. Where should I be looking to implement an emptiness test (or filled in test in the case of the url) for these fields, if I want them to be checked before anything else happens? What exactly should I be checking and where should I put it in the code?

Thanks.

Mr Papa
Simi Valley, CA
SP Master
Free Members
Aug 19, 2013 - 10:03 pm

I am not sure where you got some of what you said... so let's walk through it...

a post gets submitted via the submit button... there is some js that runs there and does a few initial checks such as is there any post content?  if it passes the js validation, the form gets submitted...

then we go through and validate that the user making the post actually has permission to post in that forum/topic...  the post can be rejected at this point...  currently, we don't fire any kind of hook here, but we have already added one into the next version of SP, so theoretically you could hook in here and do your checks...

then we go through and validate the data...  this is where we make sure the data meets a bunch of other requirements to be posted, ie number of links, valid guest name, not a duplicate post, etc...  again, no hook here, but there is one already in next version so someplace else you could hook into the process...

at this point, the post class is happy with the post.. but we still need to open it up to other plugins to add any needed checks... so we fire the sph_new_forum_post hook for this... 

This is where captcha is hooked into for checking...  so captcha will actually be the first check...  It hooks in with normal priority of 10... so you could hook in with higher priority and do your checks first...

any other plugins hooked in to that hook will also run their checks...

if all those pass, then we run the math spam check if the user permission requires it... the math spam check may not be needed if users have permission to bypass the check...

assuming all those pass, we save the data to the db, perform post saving stuff... and fire one last hook for those that want to know a new post is official - sph_post_create...

and that is it...  I am not sure what you mean by #1... we don't do a honeypot... or have a hidden url field... wonder if there is some other plugin at work here?  or perhaps I am misunderstanding what you are seeing...

when the captcha runs, it verifies that the $_POST['captcha'] field matches... so you should be able to hook in at higher priority on hook sph_new_forum_post, check that field and if empty, return an error and bail...

the hook passes a $newpost array...  just set $newpost['error'] element to some error string, return the array and the post saving will be aborted...


ari salomon
Member
Aug 20, 2013 - 4:44 am

we don't do a honeypot… or have a hidden url field… wonder if there is some other plugin at work here?  or perhaps I am misunderstanding what you are seeing…

In sp-api/sp-api-primitives.php, function sp_spamcheck(), first if{} block:

    # Check dummy input field
    if (array_key_exists ('url', $_POST)) {
        if (!empty($_POST['url'])) {
            $spamcheck[0] = true;
            $spamcheck[1] = sp_text('Form not filled by human hands!');
            return $spamcheck;
        }
    }

That corresponds to a hidden field on the form named "url", which is, from what I can tell, generated on line 401 of sp-startup/site/sp-site-support-functions.php:

        $out = '<input type="hidden" size="30" name="url" value="" /></p>'."\n";

That is, as far as I know, in the core SimplePress, and not in a plugin.

What I want to do is if it is not a human, halt all further processing, and I need to put this as high up in the code as possible. I don't know whether or not the bots are filling out the url field, since it's not getting that far, so I would like to create a check for the empty captcha at the top, prior to even checking if the user has permissions, in order to prevent these bots from using up the server resources. What exactly would I need to check for, and where should I put this check? I am ok with a non-graceful die() at that point as well, so no need for any pretty error messages.

Note: I stated that I wanted to put this check in sp-post.php based on the earlier suggestion on where to block the transient entries, and because the naming scheme suggests that file is what is initially invoked when a post is submitted. However, if there is a more efficient (e.g., further up in the process) place where I should place this check please let me know, thanks.

Yellow Swordfish
Glinton, England
SP Master
Aug 20, 2013 - 6:40 am

the line numbers have clearly changed in sp-site-support.php but I assume you are referring to the function spa_register_math() which is where this is still used. It is not used in the post editor form. That is used in the WP registration form if the user wishes to add the 'math' question to it.

If you interrupt the process in the sp-post.php file then really that is not going to give you much as it still means a page load - and a die() in there would just leave things in limbo.

If you REALLY want to stop the processing then you need to get something into the JavaScript validation routine that is called on the submit of the editor form. Have you looked at that?

At the moment it is hard, of course, to change JavaScript without the changes being lost on the next plugin update. But I believe the WordPress team are talking about introducing a filter/action type hook interface for JavaScript code, and if that does get into WP core then that is the opportunity to do this safely.

ari salomon
Member
Aug 20, 2013 - 2:21 pm

Ok, this is getting really frustrating...

Changing JavaScript will not stop the bots. The bots are, I am fairly certain, not loading the page to begin with. What I need to do is this:

If on a post submission the captcha is empty, do not process anything. What do I look for as far as the form fields to make this check, and where in the files should I put it for maximum effectiveness?

Yellow Swordfish
Glinton, England
SP Master
Aug 20, 2013 - 3:30 pm

if (isset($_POST['captcha']) && $_POST['captcha'] == $_SESSION['captcha'])

That is what is used to check if the captcha is present and has been correctly filled.

And if you want to check things then right at the very top of sp-post.php before anything else should work.

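The two rejection points described in this thread, Mr Papa's sph_new_forum_post hook with a priority below 10 and Yellow Swordfish's check at the top of sp-post.php, as an added example. This is not Simple:Press code; it assumes the session is already started when sp-post.php runs, that sph_new_forum_post is applied with apply_filters() and receives the $newpost array, that sp_text() exists as shown above, and that the caller excludes users whose permissions let them bypass the captcha (the gate is meant for guest submissions).

```php
<?php
// Added example, not Simple:Press code. Two places to reject submissions
// that arrive with an empty captcha, as discussed in this thread:
//   1. sp_example_bot_reason(): the early test for the very top of
//      sp-post.php, before permission checks, on the fields named above
//      ($_POST['url'] honeypot, $_POST['captcha'] vs $_SESSION['captcha']).
//   2. sp_example_captcha_filter(): a callback on sph_new_forum_post at
//      priority 5, i.e. before the captcha plugin's own check at priority 10.
// Assumptions: session already started; hook is applied with apply_filters()
// and passes $newpost; sp_text() exists; callers skip the gate for users who
// are allowed to bypass the captcha.

function sp_example_bot_reason() {
    // Honeypot: a browser submits the hidden "url" field empty.
    if (!empty($_POST['url'])) {
        return 'honeypot filled';
    }
    $given = isset($_POST['captcha']) ? trim((string) $_POST['captcha']) : '';
    // The bots in this thread post without the field at all.
    if ($given === '') {
        return 'captcha empty';
    }
    // If an answer was issued to this visitor, compare it strictly: hash_equals
    // avoids PHP's loose == on numeric strings ("1e1" == "10" is true).
    if (isset($_SESSION['captcha'])
        && !hash_equals((string) $_SESSION['captcha'], $given)) {
        return 'captcha mismatch';
    }
    return null; // hand over to the normal Simple:Press processing
}

// Usage at the top of sp-post.php: stop before any permission or DB work.
$reason = sp_example_bot_reason();
if ($reason !== null) {
    http_response_code(403);
    exit($reason);
}

// Hook variant: set $newpost['error'] and return the array to abort saving.
function sp_example_captcha_filter(array $newpost) {
    if (empty($_POST['captcha'])) {
        $newpost['error'] = sp_text('Captcha not filled in');
    }
    return $newpost;
}
add_filter('sph_new_forum_post', 'sp_example_captcha_filter', 5);
```

The early exit returns a bare 403 with no page render, which is what keeps the cost of a bot submission low; the hook variant reaches the same outcome later but with Simple:Press's normal error handling.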
ari salomon
Member
Aug 20, 2013 - 7:52 pm

Thank you, so far this seems to be working. I appreciate the help.

Mr Papa
Simi Valley, CA
SP Master
Free Members
Aug 20, 2013 - 8:38 pm

good news... thanks for the update...
