Bug #89420

Make honeypot in ext:forms more reliable

Added by Christian Eßl 7 months ago. Updated 3 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Form Framework
Start date: 2019-10-15
Due date:
% Done: 100%
TYPO3 Version: 9
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus: Remote Sprint

Description

We encountered problems with the honeypot in ext:form: a lot of spam messages still come through.

The way the honeypot currently works is that a random, visually hidden input element is inserted into every form by default.
If the hidden input has a value, the user will be automatically redirected to the form (instead of calling the finishers).
In that case, all values that were previously present in the form will be refilled, except the honeypot field (which now has a different id).
This means that if the bot just resubmits the form after the first failed attempt, without changing any of the values, the form will now be submitted successfully.

I will provide a patch later that refills the honeypot field on a successful bot detection. At least in our tests in the wild, this has significantly reduced the spam messages.
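
The resubmission bypass described in the report, and the refill the reporter proposes, as an added simulation. This is not TYPO3 code and not the change that was merged on this issue (that one touched the autocomplete attribute): the session dictionary, the random field names, the bot and human models and the policy switch are assumptions made to keep the state machine runnable.

```python
"""Model of a form honeypot and the resubmission bypass described in the report.

Added example, not TYPO3 code: the session dict, the field names and the
bot/human models are assumptions made to make the state machine runnable.
"""
import secrets


class HoneypotForm:
    """Minimal server side: one form, a per-session honeypot name, one policy switch.

    refill_honeypot_on_detection=False models the behaviour described in the
    report (honeypot re-rendered empty under a new random name).
    True models the proposed fix (the submitted honeypot value is rendered back).
    """

    def __init__(self, refill_honeypot_on_detection: bool):
        self.refill = refill_honeypot_on_detection
        self.honeypot_names = {}   # session id -> current honeypot field name
        self.finished = []         # payloads that reached the finishers

    def render(self, session_id: str, values: dict, honeypot_value: str = "") -> dict:
        """Render the form: visible fields plus one hidden field with a fresh random name."""
        name = "f-" + secrets.token_hex(4)   # assumption: a new random name on every render
        self.honeypot_names[session_id] = name
        form = dict(values)
        form[name] = honeypot_value
        return form

    def submit(self, session_id: str, posted: dict):
        """Process a POST. Returns ('accepted', values) or ('rejected', re-rendered form)."""
        name = self.honeypot_names[session_id]
        honeypot_value = posted.get(name, "")
        visible = {k: v for k, v in posted.items() if k != name}
        if honeypot_value:
            # Bot detected: no finisher runs, the client is sent back to the form with
            # the visible values refilled. Whether the honeypot value survives is the policy.
            kept = honeypot_value if self.refill else ""
            return "rejected", self.render(session_id, visible, kept)
        self.finished.append(visible)
        return "accepted", visible


def fill_every_field(form: dict) -> dict:
    """A spam bot on first contact: it puts text into every input it sees, hidden or not."""
    return {k: (v if v else "buy now") for k, v in form.items()}


def resubmit_unchanged(form: dict) -> dict:
    """The second attempt from the report: the bot posts the re-rendered form as-is."""
    return dict(form)


def run_bot(refill: bool) -> list:
    """Two bot submissions against one session; returns the outcome of each."""
    server = HoneypotForm(refill_honeypot_on_detection=refill)
    form = server.render("s1", {"name": "", "message": ""})
    outcome1, form = server.submit("s1", fill_every_field(form))
    outcome2, _ = server.submit("s1", resubmit_unchanged(form))
    return [outcome1, outcome2]


def run_human(refill: bool) -> list:
    """A human never sees the hidden field, so it stays empty and the form goes through."""
    server = HoneypotForm(refill_honeypot_on_detection=refill)
    form = server.render("s2", {"name": "", "message": ""})
    posted = dict(form)
    posted.update({"name": "Ada", "message": "Hello"})
    outcome, _ = server.submit("s2", posted)
    return [outcome]


if __name__ == "__main__":
    print("reset honeypot (reported behaviour):", run_bot(refill=False))  # ['rejected', 'accepted']
    print("refill honeypot (proposed fix):     ", run_bot(refill=True))   # ['rejected', 'rejected']
    print("human, either policy:               ", run_human(refill=True))  # ['accepted']
```

The refill only closes the one path the report names: a bot that posts back exactly what the rejection page rendered. A bot that re-fills every empty input on each round is caught by both policies, and a bot that clears or drops hidden inputs before posting passes both, which is the limit of the technique that the later comments on this issue point at.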


Related issues

Related to TYPO3 Core - Bug #91435: The 'form' Honeypot partial inserts invalid HTML New 2020-05-19

Associated revisions

Revision af043ee3 (diff)
Added by Christian Eßl 6 months ago

[BUGFIX] Disable browser autofill feature for the honeypot field

Use the form element name for the autocomplete html attribute
for honeypot fields to prevent browsers "autofill" feature
to fill the honeypot field.

Resolves: #89420
Releases: master, 9.5
Change-Id: Ifee039477e1070043fdd0007340a95799dac5b6f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62000
Tested-by: TYPO3com <>
Tested-by: Björn Jacob <>
Tested-by: Mathias Brodala <>
Tested-by: Ralf Zimmermann <>
Reviewed-by: Mathias Brodala <>
Reviewed-by: Björn Jacob <>
Reviewed-by: Ralf Zimmermann <>

Revision 33a011f5 (diff)
Added by Christian Eßl 6 months ago

[BUGFIX] Disable browser autofill feature for the honeypot field

Use the form element name for the autocomplete html attribute
for honeypot fields to prevent browsers "autofill" feature
to fill the honeypot field.

Resolves: #89420
Releases: master, 9.5
Change-Id: Ifee039477e1070043fdd0007340a95799dac5b6f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62376
Tested-by: Mathias Brodala <>
Tested-by: TYPO3com <>
Tested-by: Björn Jacob <>
Tested-by: Ralf Zimmermann <>
Reviewed-by: Mathias Brodala <>
Reviewed-by: Björn Jacob <>
Reviewed-by: Ralf Zimmermann <>

History

#1 Updated by Gerrit Code Review 7 months ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62000

#2 Updated by Susanne Moog 6 months ago

  • Sprint Focus set to Remote Sprint

#3 Updated by Gerrit Code Review 6 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62000

#4 Updated by Gerrit Code Review 6 months ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62000

#5 Updated by Gerrit Code Review 6 months ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62000

#6 Updated by Gerrit Code Review 6 months ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62000

#7 Updated by Gerrit Code Review 6 months ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62000

#8 Updated by Christian Eßl 6 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#9 Updated by Gerrit Code Review 6 months ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62376

#10 Updated by Christian Eßl 6 months ago

  • Status changed from Under Review to Resolved

#11 Updated by Benni Mack 5 months ago

  • Status changed from Resolved to Closed

#12 Updated by Andreas Lochner 3 months ago

Problem still exists. If you click the submit button a second time, you bypass the honeypot.

#13 Updated by Bjoern Jacob 3 months ago

Thank you, Andreas, for your feedback. Please do not re-open issues :)

Unfortunately, the days of honeypots are over. The solution is not reliable anymore. The autofill functionality of Chrome/Chromium is enormous and ATM kind of quirky. Do you have the possibility to use powerful tools like SpamAssassin on your mail server? We definitely recommend this in favor of the honeypot solution. It would be great to learn about your ideas to improve the current situation.

#14 Updated by Dmitry Dulepov 3 months ago

The solution seems to be wrong completely because the only thing it does is: it sets the autocomplete attribute to an invalid value ('off' or 'on' is allowed, nothing else). So I do not see how this may work and I do not understand how this got approved. "The fix" creates invalid HTML on the page.

#15 Updated by Wolfgang Klinger 6 days ago

  • Related to Bug #91435: The 'form' Honeypot partial inserts invalid HTML added
