View Issue Details

ID: 0025908
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-07-10 01:49
Reporter: RealityRipple
Assigned To:
Priority: normal
Severity: tweak
Reproducibility: N/A
Status: new
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 0025908: Block URLs in Public Notes from Anonymous Accounts
Description

If an anonymous account is required, for, say, automated reporting by software, or just because you'd rather not prompt your users to create an (or another) account, there should probably be some extra spam prevention methods added in. My suggestion is simple: block the anonymous account from sending Notes with URLs in them.

Private notes probably aren't a big deal, since spammers are unlikely to target a single person. If this changes in the future, it can easily be changed, however. But for now, it makes for a good alternate way for legitimate anonymous users to post URLs in notes if necessary.

I've created a quick and dirty test implementation based on a dead-simple algorithm I've been using on my own website for years. Changes are very welcome.

Tags: No tags attached.

Activities

RealityRipple

2019-07-08 14:52

reporter   ~0062367

Pull Request of Test Implementation at https://github.com/mantisbt/mantisbt/pull/1525

vboctor

2019-07-10 01:49

manager   ~0062374

Thanks @RealityRipple for your contribution.

I'm generally not convinced that allowing anonymous users to contribute content is a good setup. There is obviously the spam risk, but there is also the fact that it is not a setup that allows for collaboration with the user who submitted the issue, or even having some pseudo identity for them to know who said what.

The antispam work was mainly done for providing some very basic protection for users that sign up and then contribute content.

Given the above and that the suggested anti-spam work in this PR is content based, I was wondering if it would be better to implement this as a plugin that can hook into the EVENT_BUGNOTE_DATA event, and do one of the following:

  1. block the submission with an appropriate error message if it has undesired content (i.e. URLs, as per your current implementation).
  2. create the note with a temporary message and queue up the real message for approval by someone with appropriate access; once approved, update the note with the real text or text updated by the moderator.

Anyways, implementing 1 above should be simple as a plugin.
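As an added example, not part of this thread or the linked PR: a minimal plugin implementing option 1 above, hooking EVENT_BUGNOTE_DATA and rejecting the note when the current user is the anonymous account and the text contains a URL. Assumed: a hypothetical plugin basename AnonNoteUrlBlock, the chain-event callback signature (event name, note text, bug id), and the constructed URL pattern; it assumes the hook receives only the note text and bug id, so the private-note exemption proposed in the report is not applied here.

```php
<?php
# Hypothetical plugin file: plugins/AnonNoteUrlBlock/AnonNoteUrlBlock.php
# Added example; not code from the PR or from MantisBT itself.

class AnonNoteUrlBlockPlugin extends MantisPlugin {

	function register() {
		$this->name        = 'Anonymous Note URL Block';
		$this->description = 'Rejects bugnotes containing URLs when posted by the anonymous account.';
		$this->version     = '0.1';
		$this->requires    = array( 'MantisCore' => '2.0.0' );
		$this->author      = 'example';
		$this->page        = '';
	}

	# EVENT_BUGNOTE_DATA is a chain event: the callback receives the note text
	# and must return it (possibly modified). Here it is returned unchanged or
	# the submission is aborted with a plugin error.
	function hooks() {
		return array( 'EVENT_BUGNOTE_DATA' => 'filter_bugnote' );
	}

	# Error names declared here become available to plugin_error().
	function errors() {
		return array(
			'AnonymousUrl' => 'Anonymous users may not post notes containing URLs.',
		);
	}

	function filter_bugnote( $p_event, $p_bugnote_text, $p_bug_id ) {
		# Only the anonymous account is restricted; registered users are untouched.
		if( current_user_is_anonymous() && self::contains_url( $p_bugnote_text ) ) {
			plugin_error( 'AnonymousUrl', ERROR );
		}
		return $p_bugnote_text;
	}

	# Constructed, deliberately simple pattern: scheme-prefixed URLs
	# (http://, https://, ftp://) or a bare "www." host. Tune as needed.
	static function contains_url( $p_text ) {
		$t_pattern = '/\b(?:https?|ftp):\/\/\S+|\bwww\.[^\s\/]+\.[a-z]{2,}/i';
		return preg_match( $t_pattern, $p_text ) === 1;
	}
}
```

Any content-based pattern like this can be sidestepped by obfuscated links, which is why option 2 (moderation before the real text is shown) is the more robust of the two approaches outlined above.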

Issue History

Date Modified Username Field Change
2019-07-08 14:48 RealityRipple New Issue
2019-07-08 14:52 RealityRipple Note Added: 0062367
2019-07-10 01:49 vboctor Note Added: 0062374