I've tried to manually add honeypot timing protection to a views exposed form that's being abused, but because the exposed form is 'submitted' on page load, the timing information is processed, and validation fails immediately.

CommentFileSizeAuthor
#2 honeypot-2845272-views-exposed-form-support.patch585 bytessteven jones
#4 honeypot-2845272-views-exposed-form-support-4.patch586 byteschris matthews

Issue fork honeypot-2845272

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

Steven Jones created an issue. See original summary.

steven jones’s picture

steven jones commented
Status: Active » Needs review
StatusFileSize
new honeypot-2845272-views-exposed-form-support.patch585 bytes

Here's a patch that I think detects if there's submitted exposed input and skips if there's not.

geerlingguy’s picture

geerlingguy commented
Version: 7.x-1.22 » 7.x-1.x-dev
chris matthews’s picture

chris matthews commented
StatusFileSize
new honeypot-2845272-views-exposed-form-support-4.patch586 bytes

Please correct me if this is the wrong thing to do....I used the 2 year old patch in #2 and it did apply cleanly to the most recent 7.x-1.x-dev snapshot. However, I noticed that "Hunk #1" now succeeds at line 305 whereas the previous patch in #2 succeeded at line 267. I've attached an updated patch against the most recent -dev branch that shows this, but I'm not 100% sure it's necessary. Any help/advise would be appreciated.

chris matthews’s picture

chris matthews commented
Parent issue: » #3095205: Plan for Honeypot 7.x-1.26 release
tr’s picture

tr commented
Version: 7.x-1.x-dev » 2.0.x-dev
Status: Needs review » Needs work

New features and bug fixes need to go into the most current branch first. Needs re-roll for 2.0.x-dev and a confirmation that the problem still exists in Drupal 9.

tr’s picture

tr commented
Category: Bug report » Feature request
Related issues: +#2049563: Honeypot protection on Exposed Views Filters, +#1498940: Views exposed auto submit filter doesn't work with Honeypot

Honeypot is deliberately disabled on Views exposed forms. See #1498940: Views exposed auto submit filter doesn't work with Honeypot and #2049563: Honeypot protection on Exposed Views Filters.

Changing that is a feature request.

If someone wants to research those issues and submit a patch (and test) that works without re-introducing the problems solved by those issues, then I'm happy to review and commit a fix to add this functionality.

tr’s picture

tr commented
Version: 2.0.x-dev » 2.1.x-dev
tr’s picture

tr commented
Version: 2.1.x-dev » 2.2.x-dev

jsutta made their first commit to this issue’s fork.

jsutta opened merge request !63

jsutta’s picture

jsutta commented

I've tried to manually add honeypot timing protection to a views exposed form that's being abused, but because the exposed form is 'submitted' on page load, the timing information is processed, and validation fails immediately.

jsutta’s picture

jsutta commented
Status: Needs work » Needs review