View Issue Details

ID: 0007741
Project: mantisbt
Category: feature
View Status: public
Last Update: 2013-06-10 03:08
Reporter: TomSpilman
Assigned To: (none)
Priority: normal
Severity: feature
Reproducibility: N/A
Status: acknowledged
Resolution: open
Product Version: 1.0.1
Target Version: (none)
Fixed in Version: (none)
Summary: 0007741: Captcha for guest reports and comments
Description

I've had some spam traffic issues on our mantis tracker lately via the guest account. The quick and simple fix is to require registration to enter bugs and comment on them. The problem is that I've found that fewer bugs get reported when the reporting system requires registration. So I'd like to allow guest reporting on our tracker, but limit the ability for scripts to be used to spam the system.

The best option here seems to be adding a required captcha test when a guest reports or comments on an issue. It seems like the existing code from the signup captcha should allow for quick implementation.

This feature should be an option for the admin.

Tags: No tags attached.

Relationships

has duplicate 0010965 closeddhx Add possibility for captcha on anonymous posts 

Activities

TomSpilman

2007-02-08 11:30

reporter   ~0014014

I really need this fix!

2007-02-09 01:10

 

bugnote_add.php (2,264 bytes)
<?php
	# Mantis - a php based bugtracking system
	# Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
	# Copyright (C) 2002 - 2004  Mantis Team   - mantisbt-dev@lists.sourceforge.net
	# This program is distributed under the terms and conditions of the GPL
	# See the README and LICENSE files for details

	# --------------------------------------------------------
	# $Id: bugnote_add.php,v 1.46 2005/07/25 16:34:10 thraxisp Exp $
	# --------------------------------------------------------
?>
<?php
	# Insert the bugnote into the database then redirect to the bug page
?>
<?php
	require_once( 'core.php' );

	// If we're anonymous... check the public key from 
	// the captcha test first!
	$f_public_key	= gpc_get_int( 'public_key', '' );
	$f_captcha		= gpc_get_string( 'captcha', '' );
	$f_captcha		= strtolower( trim( $f_captcha ) );
	
	if ( current_user_is_anonymous() )
	{
		// If we have no key or it's invalid then display the captcha again.
		$t_key = strtolower( substr( md5( config_get( 'password_confirm_hash_magic_string' ) . $f_public_key ), 1, 5) );
		if ( $t_key != $f_captcha ) 
		{
			include_once( 'bugnote_captcha.php' );
			return;
		}
	}

	$t_core_path = config_get( 'core_path' );

	require_once( $t_core_path.'bug_api.php' );
	require_once( $t_core_path.'bugnote_api.php' );
?>
<?php
	$f_bug_id		= gpc_get_int( 'bug_id' );
	$f_private		= gpc_get_bool( 'private' );
	$f_bugnote_text	= gpc_get_string( 'bugnote_text', '' );

	if ( bug_is_readonly( $f_bug_id ) ) {
		error_parameters( $f_bug_id );
		trigger_error( ERROR_BUG_READ_ONLY_ACTION_DENIED, ERROR );
	}

	access_ensure_bug_level( config_get( 'add_bugnote_threshold' ), $f_bug_id );
	
	$t_bug = bug_get( $f_bug_id, true );
	if( $t_bug->project_id != helper_get_current_project() ) {
		# in case the current project is not the same project of the bug we are viewing...
		# ... override the current project. This to avoid problems with categories and handlers lists etc.
		$g_project_override = $t_bug->project_id;
	}

	$f_bugnote_text = trim( $f_bugnote_text );

	# check for blank bugnote
	if ( !is_blank( $f_bugnote_text ) ) {
		bugnote_add( $f_bug_id, $f_bugnote_text, $f_private );
		email_bugnote_add( $f_bug_id );
	}

	print_successful_redirect_to_bug( $f_bug_id );
?>
2007-02-09 01:10

 

bugnote_captcha.php (1,736 bytes)
<?php
	# Mantis - a php based bugtracking system
	# Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
	# Copyright (C) 2002 - 2004  Mantis Team   - mantisbt-dev@lists.sourceforge.net
	# This program is distributed under the terms and conditions of the GPL
	# See the README and LICENSE files for details

	# --------------------------------------------------------
	# $Id: bugnote_add2.php
	# --------------------------------------------------------
?>
<?php
	# Show the captcha challenge to an anonymous user before the bugnote is accepted;
	# the submitted answer is checked by bugnote_add.php, which includes this file.
?>
<?php
	require_once( 'core.php' );

	html_page_top1();
	html_page_top2();

	$t_key = mt_rand( 0,99999 );
?>
<br>
<br>
<center>
<form name="captcha_form" method="post" action="bugnote_add.php">
<input type="hidden" name="bug_id" value="<?php echo gpc_get_int( 'bug_id' ) ?>">
<input type="hidden" name="private" value="<?php echo gpc_get_bool( 'private' ) ?>">
<?php # the note text is user input reflected into an attribute, so it must be escaped ?>
<input type="hidden" name="bugnote_text" value="<?php echo string_attribute( gpc_get_string( 'bugnote_text', '' ) ) ?>">
<table class="width50" cellspacing="1">
<tr>
	<td class="form-title" colspan="3">
		<?php echo lang_get( 'add_bugnote_button' ) ?>
	</td>
</tr>
<tr class="row-1">
	<td class="category">
		<?php echo "Guest accounts must enter this code as it is shown in the box on the right" ?>:
	</td>
	<td>
		<?php print_captcha_input( 'captcha', '' ) ?>
	</td>
	<td>
		<img src="make_captcha_img.php?public_key=<?php echo $t_key ?>">
		<input type="hidden" name="public_key" value="<?php echo $t_key ?>">
	</td>
</tr>
<tr>
	<td class="center" colspan="3">
		<input type="submit" class="button" value="<?php echo lang_get( 'add_bugnote_button' ) ?>" />
	</td>
</tr>
</table>
</form>
</center>
<br>
<br>
<?php
	html_page_bottom1a( __FILE__ );
?>
TomSpilman

2007-02-09 01:13

reporter   ~0014016

Last edited: 2007-02-09 01:14

I got home to find over 40 spam posts in the bug notes on our mantis tracker, so I collected my own bounty. I've attached my changes to bugnote_add.php and my bugnote_captcha.php. It's a very simple implementation, but it seems to work fine. I'll look to do the same on bug reports as well soon.

With someone who knows the system better to clean it up, it would make a great addition to Mantis.

vboctor

2007-02-24 02:19

manager   ~0014097

Another advantage for requiring registration is that you are more likely to get feedback when you ask questions.

But I agree that this should be an administrator's decision. If you end up implementing the captcha for reports as well, please attach a zip file with all modified PHP files.

Zamolxis

2010-01-05 08:45

reporter   ~0024044

Last edited: 2010-01-05 08:52

@TomSpilman: Here is a workaround until this is implemented - give anonymous the Viewer profile, but then, from Manage Config > Workflow Thresholds, give them the right to create reports (but NOT to add/edit notes).

This will help you get rid of a lot of spam, while guests would still be able to add reports. The downside is that genuine guests won't be able to add notes, but it's still a decent compromise solution until Captcha codes are introduced.

EDIT: There is a small "bug" (?) with that set-up though, namely that guests have to follow an external link to the "Report Issue" page in order to create the report. I haven't decided yet whether that's a good or a bad thing. On one hand it increases the chance that I get only genuine reporters, if they have to follow the links we have on the project website or forum; on the other hand, if one of these reporters who prefers to stay anonymous puts the Mantis View Issues page in their favorites, they won't have the Report Issue link on top to use.

TomSpilman

2010-01-05 09:37

reporter   ~0024046

Since I fixed this by adding a Captcha to my old copy of Mantis I've had zero spam posts... so as far as I'm concerned this bug is fixed for me.

If Mantis didn't adopt my modification, that's OK with me, I guess.

btsbits

2010-11-07 14:58

reporter   ~0027277

Last edited: 2010-11-07 15:05

My solution:
edit the '/bug_report_page.php' and '/bug_report_advanced_page.php' files: just before <!-- Submit Button --> add to each:

<?php //begin stone's captcha for anon login
if (current_user_is_anonymous())
{
?>
<tr class="row-1">
<td class="category">
    <span class="required">*</span><?php echo lang_get( 'signup_captcha_request' ) ?>:
</td>
<td>
    <?php print_captcha_input( 'captcha', '' ) ?>

    <?php $t_key = mt_rand( 0, 99999 ); # randomise the challenge, otherwise every form shows the same image ?>
    <img src="make_captcha_img.php?public_key=<?php echo $t_key ?>">
    <input type="hidden" name="public_key" value="<?php echo $t_key ?>">
</td>

</tr>
<?php
}
//end of stone's captcha for anon login?>
then in '/bug_report.php' after $t_bug_data->target_version = ...... add:

// begin stone captcha check for anon user
if (current_user_is_anonymous())
{
    $f_captcha      = gpc_get_string( 'captcha', '' );
    $f_public_key   = gpc_get_int( 'public_key', '' );
    $f_captcha = strtolower( trim( $f_captcha ) );
    $t_key = strtolower( substr( md5( config_get( 'password_confirm_hash_magic_string' ) . $f_public_key ), 1, 5) );

    if ( $t_key != $f_captcha ) {
        trigger_error( ERROR_SIGNUP_NOT_MATCHING_CAPTCHA, ERROR );
    }
}
// end of stone captcha check for anon user

that's all you need to do.

simsmaster

2010-11-11 09:38

reporter  

bug_report.php.diff (979 bytes)
--- C:/Users/Niklas/Downloads/mantisbt-1.2.3/bug_report.php	Di 14. Sep 15:40:10 2010
+++ C:/Users/Niklas/Downloads/bug_report.php	Do 11. Nov 15:18:45 2010
@@ -78,6 +78,20 @@
 		$t_bug_data->target_version = gpc_get_string( 'target_version', '' );
 	}
 
+	// begin stone captcha check for anon user
+    if (current_user_is_anonymous())
+    {
+        $f_captcha = gpc_get_string( 'captcha', '' );
+        $f_public_key = gpc_get_int( 'public_key', '' );
+        $f_captcha = strtolower( trim( $f_captcha ) );
+        $t_key = strtolower( substr( md5( config_get( 'password_confirm_hash_magic_string' ) . $f_public_key ), 1, 5) );
+
+        if ( $t_key != $f_captcha ) {
+            trigger_error( ERROR_SIGNUP_NOT_MATCHING_CAPTCHA, ERROR );
+        }
+    }
+    // end of stone captcha check for anon user
+	
 	# if a profile was selected then let's use that information
 	if ( 0 != $t_bug_data->profile_id ) {
 		if ( profile_is_global( $t_bug_data->profile_id ) ) {
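Review bot: the check at `if ( $t_key != $f_captcha )` is stateless: `$t_key` is a pure function of the constant `password_confirm_hash_magic_string` and the submitted `public_key`, and nothing records that a challenge has been used, so one `public_key`/`captcha` pair that has passed once will keep passing on every later submission; tie the issued `public_key` to the session or a server-side table and discard it on first use. Also `gpc_get_int( 'public_key', '' )` passes a string default for an integer parameter (use `0`), and the inserted lines use four-space indentation and `//` comments where the surrounding file uses tabs and `#`, which the project's Coding Guidelines linked later in this issue would flag.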
simsmaster

2010-11-11 09:38

reporter  

bug_report_page.php.diff (1,085 bytes)
--- C:/Users/Niklas/Downloads/mantisbt-1.2.3/bug_report_page.php	Di 14. Sep 15:40:10 2010
+++ C:/Users/Niklas/Downloads/bug_report_page.php	Do 11. Nov 15:18:52 2010
@@ -511,6 +511,26 @@
 			<label><input <?php echo helper_get_tab_index() ?> type="checkbox" id="report_stay" name="report_stay" <?php check_checked( $f_report_stay ) ?> /> <?php echo lang_get( 'check_report_more_bugs' ) ?></label>
 		</td>
 	</tr>
+	
+	<?php //begin stone's captcha for anon login
+    if (current_user_is_anonymous())
+    {
+    ?>
+    <tr class="row-1">
+    <td class="category">
+        <span class="required">*</span><?php echo lang_get( 'signup_captcha_request' ) ?>:
+    </td>
+    <td>
+        <?php print_captcha_input( 'captcha', '' ) ?>
+    
+        <img src="make_captcha_img.php?public_key=<?php echo $t_key ?>">
+        <input type="hidden" name="public_key" value="<?php echo $t_key ?>">
+    </td>
+	</tr>
+    <?php
+    }
+    //end of stone's captcha for anon login?>
+	
 	<tr>
 		<td class="left">
 			<span class="required"> * <?php echo lang_get( 'required' ) ?></span>
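Review bot: `$t_key` is echoed into both `make_captcha_img.php?public_key=<?php echo $t_key ?>` and the hidden `public_key` field but is never assigned in this hunk, so both render empty and every anonymous reporter gets the identical challenge (the verifier then derives the same five characters each time); add `$t_key = mt_rand( 0, 99999 );` before the `<img>` as btsbits points out in the follow-up note. The `//end of stone's captcha for anon login?>` line only works because a `//` comment ends at `?>`; put the close tag on its own line so it does not read as commented out.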
simsmaster

2010-11-11 09:39

reporter  

bugnote_add.php.diff (1,104 bytes)
--- C:/Users/Niklas/Downloads/mantisbt-1.2.3/bugnote_add.php	Di 14. Sep 15:40:10 2010
+++ C:/Users/Niklas/Downloads/bugnote_add.php	Do 11. Nov 15:16:48 2010
@@ -36,7 +36,21 @@
 	$f_private		= gpc_get_bool( 'private' );
 	$f_time_tracking	= gpc_get_string( 'time_tracking', '0:00' );
 	$f_bugnote_text	= trim( gpc_get_string( 'bugnote_text', '' ) );
+	
+	// begin stone captcha check for anon user
+    if (current_user_is_anonymous())
+    {
+        $f_captcha = gpc_get_string( 'captcha', '' );
+        $f_public_key = gpc_get_int( 'public_key', '' );
+        $f_captcha = strtolower( trim( $f_captcha ) );
+        $t_key = strtolower( substr( md5( config_get( 'password_confirm_hash_magic_string' ) . $f_public_key ), 1, 5) );
 
+        if ( $t_key != $f_captcha ) {
+            trigger_error( ERROR_SIGNUP_NOT_MATCHING_CAPTCHA, ERROR );
+        }
+    }
+    // end of stone captcha check for anon user
+
 	$t_bug = bug_get( $f_bug_id, true );
 	if( $t_bug->project_id != helper_get_current_project() ) {
 		# in case the current project is not the same project of the bug we are viewing...
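Review bot: on a wrong answer the hunk calls `trigger_error( ERROR_SIGNUP_NOT_MATCHING_CAPTCHA, ERROR )`, which aborts the request with the signup page's wording and discards the note text the guest just typed; the bugnote_add.php attached earlier in this issue instead re-displays the captcha form with `bugnote_text` carried in a hidden field, which is the friendlier behaviour for genuine guests. Minor: `$f_captcha` is assigned twice; read it once as `strtolower( trim( gpc_get_string( 'captcha', '' ) ) )`, matching how `$f_bugnote_text` is read two lines above.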
simsmaster

2010-11-11 09:39

reporter  

bugnote_add_inc.php.diff (983 bytes)
--- C:/Users/Niklas/Downloads/mantisbt-1.2.3/bugnote_add_inc.php	Di 14. Sep 15:40:10 2010
+++ C:/Users/Niklas/Downloads/bugnote_add_inc.php	Do 11. Nov 15:18:31 2010
@@ -68,8 +68,28 @@
 ?>
 	</td>
 </tr>
+
 <?php } ?>
 
+<?php //begin stone's captcha for anon login
+    if (current_user_is_anonymous())
+    {
+    ?>
+    <tr class="row-1">
+    <td class="category">
+        <span class="required">*</span><?php echo lang_get( 'signup_captcha_request' ) ?>:
+    </td>
+    <td>
+        <?php print_captcha_input( 'captcha', '' ) ?>
+    
+        <img src="make_captcha_img.php?public_key=<?php echo $t_key ?>">
+        <input type="hidden" name="public_key" value="<?php echo $t_key ?>">
+    </td>
+	</tr>
+    <?php
+    }
+    //end of stone's captcha for anon login?>
+
 <?php if ( config_get('time_tracking_enabled') ) { ?>
 <?php if ( access_has_bug_level( config_get( 'time_tracking_edit_threshold' ), $f_bug_id ) ) { ?>
 <tr <?php echo helper_alternate_class() ?>>
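Review bot: the new row hard-codes `<tr class="row-1">` while the neighbouring rows in this file (see the time-tracking row immediately below) use `<tr <?php echo helper_alternate_class() ?>>`, so the row striping breaks; and, as in the bug_report_page.php hunk, `$t_key` is used in the `<img>` URL and the hidden field without ever being set, so `$t_key = mt_rand( 0, 99999 );` must precede it (simsmaster's later `.diff.new` attachments are described as correcting this).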
simsmaster

2010-11-11 09:42

reporter   ~0027334

I've uploaded diffs with fixes. They include captchas for bugnotes and bug reports for anonymous users.
Maybe they need a bit of CSS tuning, but they work.
All I've done is adapt the idea from btsbits to bugnotes.

btsbits

2010-11-12 02:41

reporter   ~0027337

Last edited: 2010-11-12 02:42

I forgot one line to randomize the captcha before the image (<img src="make_captcha......):

$t_key = mt_rand( 0,99999 );

put this line in bug_report_page.php, bug_report_advanced_page.php, and bugnote_add_inc.php otherwise the captcha will always be the same, and essentially useless.
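The posted check derives the expected answer from the magic string and `public_key` alone, which is why a fixed `public_key` yields one unchanging challenge, and why a check that keeps no state accepts an already-solved pair again. The following is an added example, not code from this issue or from MantisBT, written in Python so it runs stand-alone: the derivation as posted next to a single-use, expiring verifier (the `CaptchaStore` and its session-or-table backing are assumptions).

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


def expected_code(magic: str, public_key: int) -> str:
    """Answer the posted patches expect: PHP substr( md5( magic . public_key ), 1, 5 )."""
    digest = hashlib.md5((magic + str(public_key)).encode("utf-8")).hexdigest()
    return digest[1:6]


def stateless_check(magic: str, public_key: int, answer: str) -> bool:
    """The check as posted: lowercase and trim the input, compare to the derived code.

    No state is kept, so a (public_key, answer) pair that passes once passes every
    time it is resubmitted, and a fixed public_key makes every challenge identical.
    """
    return expected_code(magic, public_key) == answer.strip().lower()


class CaptchaStore:
    """Single-use challenges with an expiry (assumed backing: PHP session or a DB table)."""

    def __init__(self, ttl_seconds: int = 600) -> None:
        self.ttl = ttl_seconds
        self._pending: Dict[str, Tuple[int, float]] = {}  # challenge id -> (public_key, expiry)

    def issue(self, now: Optional[float] = None) -> Tuple[str, int]:
        """Create a challenge; the form carries only the opaque id, the image uses public_key."""
        now = time.time() if now is None else now
        challenge_id = secrets.token_urlsafe(16)
        public_key = secrets.randbelow(100000)  # same range as the posted mt_rand( 0, 99999 )
        self._pending[challenge_id] = (public_key, now + self.ttl)
        return challenge_id, public_key

    def verify_once(self, magic: str, challenge_id: str, answer: str,
                    now: Optional[float] = None) -> bool:
        """Consume the challenge on first use, whatever the outcome, and reject if expired."""
        now = time.time() if now is None else now
        entry = self._pending.pop(challenge_id, None)
        if entry is None:  # unknown, already used, or made-up id
            return False
        public_key, expires_at = entry
        if now > expires_at:
            return False
        expected = expected_code(magic, public_key).encode("ascii")
        given = answer.strip().lower().encode("utf-8")
        return hmac.compare_digest(expected, given)
```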

simsmaster

2010-11-13 05:44

reporter  

bugnote_add_inc.php.diff.new (1,012 bytes)
simsmaster

2010-11-13 05:44

reporter  

bug_report_page.php.diff.new (1,114 bytes)
simsmaster

2010-11-13 05:46

reporter   ~0027356

OK, I've corrected the diffs (the .new files).
Even the static captcha stopped the spambots for me; they're really stupid :D

btsbits

2013-06-10 02:24

reporter   ~0037157

We have diffs; can't they be added to the code now? Is there still development happening on Mantis?

atrol

2013-06-10 03:08

developer   ~0037158

Submitting a patch increases the chances of improvement eventually making it into MantisBT core. All contributions are welcome and greatly appreciated.

Patch submissions can be made in several ways. In the order of preference:

  1. Send us a Pull Request on our Github repository [1]
  2. Attach a GIT patch to the issue
  3. Attach a Unified Diff, clearly specifying the patch's base release

Kindly avoid uploading entire modified PHP files.

Please make sure that your submissions adhere to our Coding Guidelines [2]; if they don't, your patch might be rejected.

[1] https://github.com/mantisbt/mantisbt
[2] http://www.mantisbt.org/wiki/doku.php/mantisbt:coding_guidelines

Issue History

Date Modified Username Field Change
2007-01-28 01:17 TomSpilman New Issue
2007-01-28 01:57 TomSpilman Sponsorship Added TomSpilman: US$ 100
2007-01-28 01:57 TomSpilman Sponsorship Total 0 => 100
2007-02-08 11:29 TomSpilman Sponsorship Updated TomSpilman: US$ 200
2007-02-08 11:29 TomSpilman Sponsorship Total 100 => 200
2007-02-08 11:29 TomSpilman Sponsorship Updated TomSpilman: US$ 300
2007-02-08 11:29 TomSpilman Sponsorship Total 200 => 300
2007-02-08 11:30 TomSpilman Note Added: 0014014
2007-02-09 01:09 TomSpilman Sponsorship Deleted TomSpilman: US$ 300
2007-02-09 01:09 TomSpilman Sponsorship Total 300 => 0
2007-02-09 01:10 TomSpilman File Added: bugnote_add.php
2007-02-09 01:10 TomSpilman File Added: bugnote_captcha.php
2007-02-09 01:13 TomSpilman Note Added: 0014016
2007-02-09 01:14 TomSpilman Note Edited: 0014016
2007-02-24 02:19 vboctor Note Added: 0014097
2007-02-24 02:19 vboctor Status new => acknowledged
2009-09-19 10:45 dhx Relationship added has duplicate 0010965
2010-01-05 08:45 Zamolxis Note Added: 0024044
2010-01-05 08:52 Zamolxis Note Edited: 0024044 View Revisions
2010-01-05 09:37 TomSpilman Note Added: 0024046
2010-11-07 14:58 btsbits Note Added: 0027277
2010-11-07 14:59 btsbits Note Edited: 0027277 View Revisions
2010-11-07 15:05 btsbits Note Edited: 0027277 View Revisions
2010-11-11 09:38 simsmaster File Added: bug_report.php.diff
2010-11-11 09:38 simsmaster File Added: bug_report_page.php.diff
2010-11-11 09:39 simsmaster File Added: bugnote_add.php.diff
2010-11-11 09:39 simsmaster File Added: bugnote_add_inc.php.diff
2010-11-11 09:42 simsmaster Note Added: 0027334
2010-11-12 02:41 btsbits Note Added: 0027337
2010-11-12 02:42 btsbits Note Edited: 0027337 View Revisions
2010-11-13 05:44 simsmaster File Added: bugnote_add_inc.php.diff.new
2010-11-13 05:44 simsmaster File Added: bug_report_page.php.diff.new
2010-11-13 05:46 simsmaster Note Added: 0027356
2013-06-10 02:24 btsbits Note Added: 0037157
2013-06-10 03:08 atrol Note Added: 0037158