Problem/Motivation
Recently a new spam strategy has surfaced, where the attack vector is to add a comment to an old and closed issue, attaching a lot of PDF files with the spam payload. This works (from the spammer's perspective), because search engines index the contents of PDF files.
Cleaning this up takes more time, because deleting the spam comment has no effect. The PDF files are associated with the issue summary, which in itself is not spam, and shall not be deleted.
Proposed resolution
Do not allow users without the 'confirmed' role to upload PDF files to an issue.
Community members without the 'confirmed' role should be able to upload patches (for obvious reasons) and images (.png and .jpg) in order to document a problem, so not allowing uploads from community members without the 'confirmed' role is not an option.
However, I don't see a use case where uploading a PDF file to an issue is of much benefit, so we should at least not allow users without the 'confirmed' role to do it. To simplify the implementation, we may disallow upload of PDF to any role, as I don't see a use case for allowing it. However, the problem with this permission is only with users without the 'confirmed' role.
Comments
Comment #2
drumm: This does seem like it will be necessary with all the PDF issue file spam we’ve been getting. It will have to be custom code; Drupal doesn’t have a UI for this specific a restriction.
Comment #3
gisle: Isn't there an "Allowed file extensions" setting for the file upload field?
Currently, the file upload widget says:
I believe removing "pdf" from this list should fix it.
It will affect all users, not just those without the 'confirmed' role. But as I say in the issue summary: "To simplify the implementation, we may disallow upload of PDF to any role, as I don't see a use case for allowing it."
PS: The "xls" and "ppt" extensions may be problematic as well. Spammers haven't discovered them yet, but I think the contents of all the MS Office formats, including "xls" and "ppt", are also indexed by Google et al. Text formats that contain URLs, such as "md", may also be problematic, but we may postpone that until spammers learn to exploit them.
Comment #4
drumm: Ah, I missed that part. I’ve seen some tools for webpage screenshots generate PDFs, especially if they are getting the full scrollable height, not just one screen. Presentation slides could also be useful. I haven't seen too many other PDFs actually being used legitimately in the few days of issue uploads that I’ve checked, but I don’t want to shut them down without more data.
Denying access to the whole upload field for non-confirmed users would be easy. Probably also not something we want to do, since new contributors are often asked to take screenshots for issues.
Comment #5
drumm: The rate that this spam is being uploaded looks to be increasing.
Comment #7
drumm: This restriction is now deployed. Non-confirmed users can’t upload PDFs.
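One way to implement a role-conditional PDF block like the one deployed above, as an added example that is not drupal.org's own code: a hypothetical Drupal 7 module named issue_upload_guard (Drupal 7, the module name and the blocked-extension list are all assumptions) that hooks file validation, so it applies to every upload path, and checks the file's magic bytes as well as its extension.

```php
<?php
/**
 * @file
 * Hypothetical Drupal 7 module "issue_upload_guard" (added example, not
 * drupal.org's code): refuse PDF uploads from users lacking the 'confirmed' role.
 */

/**
 * Implements hook_file_validate().
 *
 * file_save_upload() calls this for every uploaded file, before the file is
 * moved out of its temporary location, so $file->uri is readable here.
 */
function issue_upload_guard_file_validate($file) {
  global $user;
  $errors = array();
  // Confirmed accounts keep the site's normal extension allow-list.
  if (in_array('confirmed', $user->roles, TRUE)) {
    return $errors;
  }
  // Read only the leading bytes; enough for the PDF signature.
  $head = (string) @file_get_contents($file->uri, FALSE, NULL, 0, 8);
  if (issue_upload_guard_is_pdf($file->filename, $head)) {
    $errors[] = t('Users without the confirmed role may not upload PDF files to issues.');
  }
  return $errors;
}

/**
 * Pure check, kept separate so it can be unit-tested without a request.
 *
 * Matches on the extension OR on the "%PDF-" signature, so a PDF renamed
 * to a permitted extension (e.g. spam.png) is still caught, which the
 * extension-only "Allowed file extensions" setting would miss.
 */
function issue_upload_guard_is_pdf($filename, $head) {
  $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
  if ($ext === 'pdf') {
    return TRUE;
  }
  return strncmp($head, '%PDF-', 5) === 0;
}
```

The hook runs after Drupal's own extension validators, so the site-wide "Allowed file extensions" list stays as it is and confirmed users are unaffected.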