From bb3ccfed4e827b2d18762c0707f3c2393a998eff Mon Sep 17 00:00:00 2001
From: Jacques Distler
Date: Fri, 18 Jan 2008 14:49:28 -0600
Subject: [PATCH] Make life a little more difficult for spammers

Sessions are now stored in a cookie (signed and Base-64 encoded). Form_spam_protection stores form_keys in the session. Make sure spambots implement both cookies and javascript, by storing hashed (with salt) keys in the session.
---
 .../lib/form_spam_protection.rb | 13 ++++++++-----
 .../lib/form_tag_helper_extensions.rb | 2 +-
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/vendor/plugins/form_spam_protection/lib/form_spam_protection.rb b/vendor/plugins/form_spam_protection/lib/form_spam_protection.rb
index 36580be4..783af545 100644
--- a/vendor/plugins/form_spam_protection/lib/form_spam_protection.rb
+++ b/vendor/plugins/form_spam_protection/lib/form_spam_protection.rb
@@ -13,11 +13,14 @@ module FormSpamProtection
   def protect_form_handler_from_spam
     unless request.get? || request.xml_http_request?
-      if params[:_form_key] && session[:form_keys] && session[:form_keys].keys.include?(params[:_form_key])
-        session[:form_keys][params[:_form_key]][1] += 1
-        if session[:form_keys][params[:_form_key]][1] >= 4
-          render :text => "You cannot resubmit this form again.", :layout => 'error', :status => 403
-          return false
+      if params[:_form_key] && session[:form_keys]
+        key = session.dbman.generate_digest(params[:_form_key])
+        if session[:form_keys].keys.include?(key)
+          session[:form_keys][key][1] += 1
+          if session[:form_keys][key][1] >= 4
+            render :text => "You cannot resubmit this form again.", :layout => 'error', :status => 403
+            return false
+          end
         end
       else
         render :text => "You must have Javascript on to submit this form.", :layout => 'error', :status => 403
diff --git a/vendor/plugins/form_spam_protection/lib/form_tag_helper_extensions.rb b/vendor/plugins/form_spam_protection/lib/form_tag_helper_extensions.rb
index 46c952da..d728b475 100644
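Review bot: `key = session.dbman.generate_digest(params[:_form_key])` reaches into the session store's private manager, so this filter now only works when the configured store is one that exposes `generate_digest` (the cookie store the commit message describes); the identical call is repeated in form_tag_helper_extensions.rb, so the two sites can drift apart. A small private helper, e.g. `def form_key_digest(key) session.dbman.generate_digest(key.to_s) end`, used from both files would keep them in agreement and give one place to change the hashing if the store changes. `params[:_form_key]` is also passed through unchecked apart from the nil test; a request can supply it as an Array or Hash, and a keyed-digest call presumably raises on a non-String, turning a malformed request into a 500 instead of the 403 the neighbouring branches return, so a `String === params[:_form_key]` guard (or the `.to_s` above) belongs next to the existing check. The enclosing method continues past the end of the hunk.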
--- a/vendor/plugins/form_spam_protection/lib/form_tag_helper_extensions.rb
+++ b/vendor/plugins/form_spam_protection/lib/form_tag_helper_extensions.rb
@@ -8,7 +8,7 @@ module ActionView
       if name == :form && @protect_form_from_spam
         session[:form_keys] ||= {}
         form_key = Digest::SHA1.hexdigest(self.object_id.to_s + rand.to_s)
-        session[:form_keys][form_key] = [Time.now, 0]
+        session[:form_keys][session.dbman.generate_digest(form_key)] = [Time.now, 0]
         if session[:form_keys].length > 30
           first = session[:form_keys].values.sort { |a,b| a[0] <=> b[0] } [0]
           session[:form_keys].delete(session[:form_keys].index(first))
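Review bot: The entry written at `session[:form_keys][session.dbman.generate_digest(form_key)] = [Time.now, 0]` now lands in a session that, per the commit message, lives in a signed Base64 cookie, so each of the up to 30 entries the pruning below allows costs a hex digest plus a marshalled `Time` object; with other session data present that is likely to push the cookie toward the usual 4 KB browser limit. Storing `Time.now.to_i` instead of the `Time` object, and lowering the cap, would keep the cookie small while the `a[0] <=> b[0]` ordering still works. Whether the store raises or silently drops the session on overflow depends on the cookie-store implementation, which is not visible here, so that behaviour should be checked before relying on the 30-entry cap. The enclosing helper starts before and ends after this hunk.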