
Secure the contact_form from spammers #8168

Merged: 1 commit merged into PrestaShop:1.6.1.x on Aug 29, 2017

Conversation

@hibatallahAouadni (Contributor) commented Jul 20, 2017

| Questions | Answers |
| --- | --- |
| Branch? | 1.6.1.x |
| Description? | I adopt the solution in this link to solve the problem of spamming the contact form |
| Type? | bug fix |
| Category? | FO |
| BC breaks? | no |
| Deprecations? | no |
| Fixed ticket? | http://forge.prestashop.com/browse/PSCSX-9132 |
| How to test? | |
@@ -36,9 +36,11 @@ class ContactControllerCore extends FrontController
public function postProcess()
{
if (Tools::isSubmit('submitMessage')) {
$saveContactKey = $this->context->cookie->formCleContact;
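Review bot: `$saveContactKey = $this->context->cookie->formCleContact;` reads the expected key from the visitor's cookie without checking that it was ever written, so a visitor whose cookie is absent (a direct POST to the controller, cookies blocked, or a form page served from a cache) gets a null value here and every later comparison against the submitted `contactKey` fails with the generic "An error occurred while sending the message." error, which is the symptom several commenters in this thread report. Consider testing `isset($this->context->cookie->formCleContact)` before the comparison and surfacing a distinct error for that case, and, as @xBorderie notes below, renaming the French `formCleContact` to an English name such as `contactFormKey`.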

@xBorderie (Contributor) Jul 20, 2017

Could you remove the French? formCleContact is not really international ;)

@hibatallahAouadni (Author, Contributor) Jul 21, 2017

thanks @xBorderie ;)

@hibatallahAouadni hibatallahAouadni force-pushed the hibatallahAouadni:PSCSX-9132 branch from 1f14557 to faae14e Jul 21, 2017

@maximebiloe maximebiloe added this to the 1.6.1.17 milestone Jul 21, 2017

$this->context->smarty->assign(array(
'contacts' => Contact::getContacts($this->context->language->id),
'message' => html_entity_decode(Tools::getValue('message'))
'message' => html_entity_decode(Tools::getValue('message')),
'contactKey' => $contactKey
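Review bot: the new `'contactKey' => $contactKey` entry should end with a trailing comma, consistent with the comma added to the `'message'` line just above it, so the next addition to this array does not have to touch this line again (this is the style point @LittleBigDev raises below). Also, assigning `$contactKey` to Smarty only protects the form when the theme's contact template actually renders it as a hidden `contactKey` input next to the empty `url` honeypot field; a custom theme without those two inputs will fail the check on every submission, so the required template change should be documented together with this one.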

@LittleBigDev (Contributor) Jul 24, 2017

Please add a comma even after the last array item


@hibatallahAouadni hibatallahAouadni force-pushed the hibatallahAouadni:PSCSX-9132 branch from faae14e to 1482ace Jul 26, 2017

@marionf (Contributor) commented Aug 28, 2017

Hello @hibatallahAouadni

I can't send message anymore

[screenshot: 2017-08-28 15-38-34]

@hibatallahAouadni (Contributor, Author) commented Aug 28, 2017

Hello @marionf
I'm really sorry, but I didn't manage to reproduce your issue. I sent 3 mails just now and all of them were sent successfully (see screenshots), and I tried it with customers and visitors.

  • success message: [screenshot: contactanos buen gusto]
  • received mails (BO): [screenshot: sav buen gusto]
@marionf (Contributor) commented Aug 29, 2017

Hello @hibatallahAouadni
It's ok, it's working.
Thanks!

@maximebiloe maximebiloe merged commit 47cf535 into PrestaShop:1.6.1.x Aug 29, 2017

2 checks passed:
- codacy/pr: Good work! A positive pull request.
- continuous-integration/travis-ci/pr: The Travis CI build passed
@maximebiloe (Contributor) commented Aug 29, 2017

Thanks @hibatallahAouadni

@yaya85 commented Oct 8, 2017

Very good solution, but in the 1.6.1.17 version it seems to give an error on the contact page when you try to send > http://prntscr.com/gumu69

I added the 2 rows to the contact page form, but I still get an error.
When I add the ContactController.php from 1.6.1.16 it seems to work.

Do I need to change or add something to make it work in 1.6.1.17?

@bumarius (Contributor) commented Oct 8, 2017

Hello,

please DO NOT forget to also modify contact.tpl:

```html
<input type="text" name="url" value="" class="hidden" />
<input type="hidden" name="contactKey" value="{$contactKey}" />
<button type="submit" name="submitMessage" id="submitMessage" class="xxxxxxxxxxxxxxxx" style="margin-top: 0 !important;">
```

best regards
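To make the mechanism behind this pull request and the template change above concrete (a random key written to the visitor's cookie and echoed back through a hidden `contactKey` input, plus an always-empty `url` honeypot field that bots tend to fill), here is an added example that is neither PrestaShop's code nor the code of this pull request. The cookie and the request are simulated as arrays so it runs from the command line; the class `ContactFormGuard` and its methods `issueKey`, `hiddenInputs` and `validate` are assumed names, while the field names `url`, `contactKey` and `contactFormKey` are the ones used in the thread. The CLI section also walks through the failure cases commenters report: a direct POST with no cookie, a bot filling the honeypot, and a stale key from a cached form page.

```php
<?php
declare(strict_types=1);

// Added example, not PrestaShop's code and not the code of this pull request.
// The cookie and the request are simulated as arrays so this runs from the CLI.
// ContactFormGuard and its method names are assumptions; the field names url,
// contactKey and contactFormKey are the ones used in the thread.

final class ContactFormGuard
{
    public const HONEYPOT_FIELD = 'url';            // hidden by CSS; humans leave it empty
    public const KEY_FIELD      = 'contactKey';     // hidden input that echoes the key back
    public const COOKIE_FIELD   = 'contactFormKey'; // server-side copy of the key

    /** GET: create a fresh random key, store it in the visitor's cookie, return it for the template. */
    public static function issueKey(array &$cookie): string
    {
        $key = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
        $cookie[self::COOKIE_FIELD] = $key;
        return $key;
    }

    /** Template side: the two hidden inputs every theme must render inside the contact form. */
    public static function hiddenInputs(string $key): string
    {
        $escaped = htmlspecialchars($key, ENT_QUOTES, 'UTF-8');
        return '<input type="text" name="' . self::HONEYPOT_FIELD . '" value="" class="hidden" />' . "\n"
             . '<input type="hidden" name="' . self::KEY_FIELD . '" value="' . $escaped . '" />';
    }

    /** POST: return the names of the failed checks; an empty array means the submission passes. */
    public static function validate(array $cookie, array $post): array
    {
        $failed = [];

        // Honeypot: the field must be present (the form came from our template) and empty.
        if (!isset($post[self::HONEYPOT_FIELD]) || $post[self::HONEYPOT_FIELD] !== '') {
            $failed[] = 'honeypot';
        }

        // Key: fail closed when the cookie was never written (direct POST, cookies blocked,
        // page served from a cache) and compare in constant time.
        $expected = $cookie[self::COOKIE_FIELD] ?? '';
        $given    = $post[self::KEY_FIELD] ?? '';
        if (!is_string($expected) || !is_string($given) || $expected === '' || !hash_equals($expected, $given)) {
            $failed[] = 'key';
        }

        return $failed;
    }
}

if (PHP_SAPI === 'cli') {
    // 1. Normal visitor: GET renders the form, POST echoes the key back with the honeypot empty.
    //    Passes both checks.
    $cookie = [];
    $key = ContactFormGuard::issueKey($cookie);
    echo ContactFormGuard::hiddenInputs($key), "\n";
    $post = ['from' => 'anna@customer.example', 'message' => 'Hello', 'url' => '', 'contactKey' => $key];
    print_r(ContactFormGuard::validate($cookie, $post));

    // 2. Script posting straight to the endpoint without loading the page: no cookie, no key.
    //    Rejected by the key check.
    $direct = ['from' => 'x@spam.example', 'message' => 'buy', 'url' => '', 'contactKey' => ''];
    print_r(ContactFormGuard::validate([], $direct));

    // 3. Form-filling bot that puts a value into every field, the hidden one included.
    //    Rejected by the honeypot check.
    $post['url'] = 'http://spam.example';
    print_r(ContactFormGuard::validate($cookie, $post));

    // 4. Stale form: the HTML came from a cache primed by another visitor, so the key in the
    //    page is not the one in this visitor's cookie. Rejected by the key check.
    $otherCookie = [];
    $staleKey = ContactFormGuard::issueKey($otherCookie);
    print_r(ContactFormGuard::validate($cookie, ['url' => '', 'contactKey' => $staleKey]));
}
```

Two things follow from case 4 for anyone integrating this into a real controller: the key has to be generated on the GET request that renders the form and must not be regenerated on the POST before the comparison, and a full-page cache in front of the contact page (or a theme that does not render the two inputs) will make every submission fail the key check, which is one plausible cause of the "keys do not match" reports later in this thread.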

@yaya85 commented Oct 8, 2017

Hi Bumarius,

You mean contact-form.tpl, right? I already added these 2 lines of code. > http://prntscr.com/guv1i9

Is there anything else we have to change?

Thanks!

@seigieu (Contributor) commented Feb 17, 2018

I developed a module for this today using reCaptcha "I'm not a robot": https://github.com/seigieu/seigisecurecontact
You can get it from git, or there is a link where you can download a ready-to-install zip.

@PrestaShark (Contributor) commented Feb 21, 2018

Same thing as @marionf mentioned.
An error occurred while sending the message in FO, but the message is available in BO.
Presta 1.6.1.10
It was related to an SMTP misconfiguration... The customer changed their password and the error occurred in BO because the confirmation email could not be sent.


@yaya85 check email configuration and/or SMTP configuration/password.

@seigieu thanks for module but reCaptcha will not work in this case. Spammers will pass through reCaptcha validation...

@seigieu (Contributor) commented Feb 21, 2018

@PrestaShark Which "case" do you mean? What does not work?

@crsisti1 left a comment

What changes do I have to make? I don't understand.

@DaoPuig commented Mar 12, 2018

I used another solution and works for me.

In ContactController.php, inside the postProcess function, after the first `if (Tools::isSubmit('submitMessage'))`:

```php
// Get contact email
$em = trim(Tools::getValue('from'));
// We will use it to check Russian mails
$length = strlen('.ru');
$message = Tools::getValue('message');

// Check if the contact mail is a Russian email
if (substr($em, -$length) === '.ru') {
    $this->errors[] = Tools::displayError('Invalid email address.');
// Check if content is written in Russian
} elseif ($this->isRussian($message)) {
    $this->errors[] = Tools::displayError('Invalid content.');
} .....

// Function to check if the message is written in Russian
private function isRussian($text)
{
    return preg_match('/[А-Яа-яЁё]/u', $text);
}
```

@seigieu (Contributor) commented Mar 12, 2018

@DaoPuig That's putting all Russians in one bag. And I had problems with Chinese spam, so if you want to generalize the protection, add Chinese characters as well. I would also add a check for links and domains in the message :)
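As an added example (not PrestaShop's code and not the snippets posted by @DaoPuig or @seigieu), the following PHP turns the two ideas in the exchange above into one scoring filter: the sender check works on the lowercased domain rather than a `.ru` suffix match, links are stripped before measuring how much of the body is Cyrillic or Han script, and a language signal on its own never reaches the rejection threshold, so a genuine Russian or Chinese customer is not blocked for their alphabet alone. The function names, weights, threshold and the blocklist entry `spam-sender.example` are assumptions, and the sample messages are constructed.

```php
<?php
declare(strict_types=1);

// Added example: not PrestaShop's code and not the snippets posted by @DaoPuig or @seigieu.
// Function names, weights, the threshold and the blocklist entry are assumptions;
// the sample messages are constructed.

const LINK_PATTERN   = '~(?:https?://|www\.)[^\s<>"\']+~i';
const SPAM_THRESHOLD = 3;

/** Lowercased domain part of an e-mail address, or null when there is none. */
function senderDomain(string $from): ?string
{
    $at = strrpos($from, '@');
    if ($at === false || $at === strlen($from) - 1) {
        return null;
    }
    return strtolower(substr($from, $at + 1));
}

/** Number of http(s):// and www. links in the body. */
function linkCount(string $text): int
{
    return (int) preg_match_all(LINK_PATTERN, $text);
}

/** Share (0.0 to 1.0) of the letters in the body that belong to one Unicode script. */
function scriptRatio(string $text, string $script): float
{
    // Strip links first so Latin letters inside URLs do not dilute the ratio.
    $body = preg_replace(LINK_PATTERN, '', $text) ?? $text;
    $letters = (int) preg_match_all('/\p{L}/u', $body);
    if ($letters === 0) {
        return 0.0;
    }
    return (int) preg_match_all('/\p{' . $script . '}/u', $body) / $letters;
}

/**
 * Combine weak signals into one score: blocked sender domain +2, malformed sender +2,
 * each link +1 (capped at 3), body mostly Cyrillic or Han +1. A language signal on its
 * own therefore never reaches SPAM_THRESHOLD.
 */
function scoreSubmission(string $from, string $message, array $blockedDomains): array
{
    $score   = 0;
    $reasons = [];

    $domain = senderDomain($from);
    if ($domain === null) {
        $score += 2;
        $reasons[] = 'malformed sender address';
    } elseif (in_array($domain, $blockedDomains, true)) {
        $score += 2;
        $reasons[] = "blocked sender domain $domain";
    }

    $links = linkCount($message);
    if ($links > 0) {
        $score += min($links, 3);
        $reasons[] = "$links link(s) in body";
    }

    foreach (['Cyrillic', 'Han'] as $script) {
        $ratio = scriptRatio($message, $script);
        if ($ratio > 0.5) {
            $score += 1;
            $reasons[] = sprintf('body is %.0f%% %s script', $ratio * 100, $script);
        }
    }

    return ['score' => $score, 'spam' => $score >= SPAM_THRESHOLD, 'reasons' => $reasons];
}

if (PHP_SAPI === 'cli') {
    $blocked = ['spam-sender.example'];   // constructed blocklist; the shop operator maintains the real one
    $samples = [  // constructed messages: accept, accept, reject, reject
        ['anna@customer.example',     'Hello, is the blue jacket on www.example.com/jacket still in stock?'],
        ['ivan@customer.example',     'Здравствуйте, когда будет доставка моего заказа?'],
        ['promo@spam-sender.example', 'Best offers http://a.example http://b.example http://c.example'],
        ['wei@customer.example',      '最优惠的价格 http://shop.example 点击 www.deal.example'],
    ];
    foreach ($samples as [$from, $message]) {
        $r = scoreSubmission($from, $message, $blocked);
        printf("%-6s score=%d %s\n", $r['spam'] ? 'REJECT' : 'accept', $r['score'], implode('; ', $r['reasons']));
    }
}
```

Because `senderDomain` lowercases the whole domain, an address written as `USER@MAIL.RU` is treated the same as its lowercase form, which a case-sensitive `substr($em, -3) === '.ru'` test does not do; and because each signal is cheap, the filter can sit in front of (not instead of) the cookie-key and honeypot checks from the pull request.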

@DaoPuig commented Mar 13, 2018

@seigieu You are right, my bad. I came from that thread link about Russian messages spamming.
Actually, I had only spam from Russians and I tried to help with a fast hack :D

@seigieu (Contributor) commented Mar 13, 2018

@DaoPuig I think the fastest and best solution is the one I posted above. No generalization and no spam. It almost cannot be bypassed, since Google updates it on a regular basis.

@PrestaShark (Contributor) commented Mar 14, 2018

Guys, just to mention: the solution posted in this pull request failed to block Russian spammers. I upgraded ContactController and the tpl file, and mail.ru spam passes through the contact form easily, even paired with ReCaptcha. WTF

@alegout (Contributor) commented Mar 14, 2018

Hi @PrestaShark, I'm currently working on a PR to limit these spam issues on the contact form.
For a robust solution, consider using a captcha solution like ReCaptcha (we cannot add one ourselves because we cannot require users to install FreeType).
If you are on 1.6, please disable the sendtofriends module.
If the problem is not solved, you are on 1.7 and you have ReCaptcha running, please create an issue and give us more details; we'll check ASAP.

Best regards

@PrestaShark (Contributor) commented Mar 14, 2018

Hi. The details are clear. The changes in this pull request do not work anymore. Spammers rebuilt their scripts.
1.6.1.14 with the pull fixes = failed to stop mail.ru spam

@alegout (Contributor) commented Mar 14, 2018

You said that you have a ReCaptcha module; can you please test with JavaScript disabled whether your module is still working?

Thank you

@DaoPuig commented Mar 14, 2018

@PrestaShark My solution is still working, at least in my shop; as a fast hack you can try it.

@PrestaShark (Contributor) commented Mar 14, 2018

@DaoPuig yes, I am trying it too, but with your hack no email is sent anymore and the notifications in BO do not work. Messages are saved in the DB. Any ideas?

```php
if (Tools::isSubmit('submitMessage')) {
    $saveContactKey = $this->context->cookie->contactFormKey;
    $extension = array('.txt', '.rtf', '.doc', '.docx', '.pdf', '.zip', '.png', '.jpeg', '.gif', '.jpg');
    $file_attachment = Tools::fileAttachment('fileUpload');
    $em = trim(Tools::getValue('from'));
    $length = strlen('.ru');
    $message = Tools::getValue('message');
    // HTML entities are not useful here; isCleanHtml checks that there are no bad HTML tags.
    $url = Tools::getValue('url');
    if (!($from = trim(Tools::getValue('from'))) || !Validate::isEmail($from)) {
        $this->errors[] = Tools::displayError('Invalid email address.');
    } elseif (substr($em, -$length) === '.ru') {
        $this->errors[] = Tools::displayError('Invalid email address.');
    } elseif ($this->isRussian($message)) {
        $this->errors[] = Tools::displayError('Invalid content.');
    } elseif (!$message) {
        $this->errors[] = Tools::displayError('The message cannot be blank.');
    } elseif (!Validate::isCleanHtml($message)) {
        $this->errors[] = Tools::displayError('Invalid message');
    } elseif (!($id_contact = (int)Tools::getValue('id_contact')) || !(Validate::isLoadedObject($contact = new Contact($id_contact, $this->context->language->id)))) {
        $this->errors[] = Tools::displayError('Please select a subject from the list provided. ');
    } elseif (!empty($file_attachment['name']) && $file_attachment['error'] != 0) {
        $this->errors[] = Tools::displayError('An error occurred during the file-upload process.');
    } elseif (!empty($file_attachment['name']) && !in_array(Tools::strtolower(substr($file_attachment['name'], -4)), $extension) && !in_array(Tools::strtolower(substr($file_attachment['name'], -5)), $extension)) {
        $this->errors[] = Tools::displayError('Bad file extension');
    } elseif ($url === false || !empty($url) || $saveContactKey != (Tools::getValue('contactKey'))) {
        $this->errors[] = Tools::displayError('An error occurred while sending the message.');
    } else {
```

@seigieu (Contributor) commented Mar 14, 2018

@alegout If you mean my module... then no. I can see no point in no-JavaScript support. It's like 0.001% of users. JavaScript is everywhere (correct me if I'm wrong).

@jchelink commented Mar 14, 2018

@DaoPuig Hi, your solution works for me for now :) Thanks
v1.6.1.1

@alegout (Contributor) commented Mar 14, 2018

Yes, you are right, but a bot just calls the URL and does not even see your recaptcha :)

@alegout (Contributor) commented Mar 14, 2018

OK @seigieu, my bad, I saw that you validate the captcha in the back-end, so 👍. I thought that it was only a JavaScript validation, like another module I saw. Sorry :)

@jocel1 (Contributor) commented Mar 15, 2018

FYI https://github.com/nenes25/eicaptcha seems to work quite well to prevent spam by using recaptcha (0.4.x branch for prestashop 1.6.x, 2.x for prestashop 1.7.x)

@mittermichal commented Mar 19, 2018

FYI this commit breaks all older 1.6 custom templates, since they are missing:

```html
<input type="text" name="url" value="" class="hidden" />
<input type="hidden" name="contactKey" value="{$contactKey}" />
```

@fire2 commented Apr 17, 2018

I updated PS to 1.6.1.18 (from 1.6.1.16) and this change was included. So I updated my theme and added those 2 hidden inputs to the contact form. However I still get an error when trying to send the form because the submitted contactkey and the key in the form do not match. I added a die() with both values in that validation check and it fails, I really don't understand why.

You can check there: tienda(dot)deflamenco(dot)com/en/contact-us

What could be happening?

@tzak902 commented Jun 13, 2018

Hi guys, what about the 1.7.2.5 branch?

@mhd6 commented Apr 24, 2019

Hello my friend, I did not understand or put the secret key? Thank you

https://github.com/PrestaShop/PrestaShop/pull/8168/files/1482acec6e91a6e694b9638d42ac69be391dd7fc
