Plone form spam and forgery protection

Posted by sh23 at Nov 19, 2013 02:59 PM
What it's for, how it works, and why it's sometimes overzealous

If you look after a Plone form, try this:

  1. While not logged in to Plone, view the form.
  2. In another tab in the same browser, log in to Plone.
  3. Submit the form.

Ouch! What happened?

Web forms in general have 2 main gotchas:

  1. Your browser can be tricked into submitting a form you never meant to submit. A link in an email or a page on another site can cause a request to the form's site, and your browser will attach your existing session cookies to it, so the site treats the request as coming from you. This could be very bad if, for example, you were logged in to your bank account when you clicked a specially constructed URL. This is known as a cross-site request forgery (CSRF). Your bank will have protection against this.
  2. They attract spam submissions. These are usually sent automatically, either to probe for vulnerabilities or in the hope that they get published somewhere.

We use PloneFormGen to provide forms in Plone. It provides a mechanism that gives strong protection against the first gotcha and some protection against the second. This mechanism is enabled by default.

It uses 2 approaches.

  1. It rejects any submission that arrives as a plain link click (an HTTP GET) rather than as a POST of the form itself.
  2. It also adds a hidden field to the form that encodes contextual information, such as the name of the user the form was rendered for, in a way that only the site that generated the form can reproduce. A submission is rejected if this field doesn't match what the site expects for the user submitting it. The reasoning is that if the form is submitted by a different user, or to a different Plone system, from the one responsible for generating it, then it's suspicious.

It was approach 2 that bit us. Unfortunately, logging in between loading and submitting a form changes the user name from anonymous to that of the logged-in user, so the hidden field no longer matches and the submission is rejected. People don't usually do this. They usually load the form, fill it in and submit it. However, if a form asks for a large amount of information, and especially if compiling it requires browsing non-public areas of the site, then you could see this issue.
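The following is an added example, not PloneFormGen's or plone.protect's own code: a small Python model of the two checks described above, used to show why a normal submission passes, why a link click and a forged cross-site POST fail, and why logging in between loading and submitting the form also fails. The hidden field name `_authenticator`, the HMAC-SHA256 construction, the `Anonymous User` name and the scenario data are all assumptions of this model.

```python
"""Model of PloneFormGen-style CSRF/spam protection (added example, not
the project's own code). Two checks: (1) reject non-POST submissions, and
(2) reject submissions whose hidden token is not the HMAC of the
*submitting* user's name under *this* site's secret."""
import hashlib
import hmac
import secrets

# Per-site secret, constructed here for the example. A real site keeps it
# in server-side configuration and never sends it to the browser.
SITE_SECRET = secrets.token_bytes(32)
TOKEN_FIELD = "_authenticator"   # assumed hidden-field name
ANONYMOUS = "Anonymous User"     # assumed name for a not-logged-in user


def make_token(user_name: str, secret: bytes = SITE_SECRET) -> str:
    """Value the server embeds in the hidden field when rendering the form
    for user_name. Bound to the user name and to the site secret."""
    return hmac.new(secret, user_name.encode("utf-8"), hashlib.sha256).hexdigest()


def render_form(user_name: str, secret: bytes = SITE_SECRET) -> dict:
    """Server side at load time: hidden fields the rendered form carries."""
    return {TOKEN_FIELD: make_token(user_name, secret)}


def check_submission(method: str, fields: dict, current_user: str,
                     secret: bytes = SITE_SECRET, csrf_protection: bool = True):
    """Server side at submit time. Returns (accepted, reason)."""
    if not csrf_protection:                      # the "CSRF Protection" override
        return True, "accepted: protection disabled"
    if method.upper() != "POST":                 # approach 1: link clicks are GETs
        return False, "rejected: not a POST"
    token = fields.get(TOKEN_FIELD)
    if token is None:
        return False, "rejected: token missing"
    expected = make_token(current_user, secret)  # approach 2: must match *now*
    if not hmac.compare_digest(token, expected):
        return False, "rejected: token does not match current user or site"
    return True, "accepted"


# --- Scenarios (constructed data) ------------------------------------------

def scenario_normal():
    """Load, fill in and submit as the same anonymous user."""
    fields = render_form(ANONYMOUS)
    fields["message"] = "hello"
    return check_submission("POST", fields, ANONYMOUS)


def scenario_link_click():
    """A crafted URL in an email: the browser issues a GET, token or not."""
    fields = render_form("alice")
    fields["message"] = "transfer money"
    return check_submission("GET", fields, "alice")


def scenario_forged_from_other_site():
    """An attacker's page POSTs to the form inside alice's logged-in browser.
    Without SITE_SECRET the attacker cannot compute alice's token; the best
    they can do is a token minted under a secret they control."""
    attacker_secret = secrets.token_bytes(32)
    fields = {TOKEN_FIELD: make_token("alice", attacker_secret), "message": "spam"}
    return check_submission("POST", fields, "alice")


def scenario_login_between_load_and_submit(csrf_protection: bool = True):
    """The post's failure mode: form loaded anonymously, user logs in in
    another tab, then submits. The token was minted for Anonymous User."""
    fields = render_form(ANONYMOUS)
    fields["message"] = "long answer compiled from non-public pages"
    return check_submission("POST", fields, "alice", csrf_protection=csrf_protection)


def scenario_bot_replays_fetched_token():
    """Why approach 2 gives only 'some' spam protection: a bot that first
    GETs the form as anonymous receives a valid anonymous token to replay."""
    fields = render_form(ANONYMOUS)
    fields["message"] = "buy now"
    return check_submission("POST", fields, ANONYMOUS)


if __name__ == "__main__":
    for fn in (scenario_normal, scenario_link_click, scenario_forged_from_other_site,
               scenario_login_between_load_and_submit, scenario_bot_replays_fetched_token):
        print(f"{fn.__name__}: {fn()[1]}")
    print("login then submit, protection off:",
          scenario_login_between_load_and_submit(csrf_protection=False)[1])
```

The last scenario is the caveat to keep in mind when weighing the options below: the token is bound to the user name, not to a session, so every anonymous visitor, including a bot, gets the same valid token as long as it fetches the form first. The check stops forged submissions and naive spam bots, not a bot that mimics a browser.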

If you have a form that you suspect may experience this, there are a few options:

  1. If the people filling in the form all have University IT accounts, keep the form private and grant them view rights on it instead of publishing it. This ensures the form can only be loaded, and therefore submitted, by users who are already logged in, so the user name recorded at load time is the same one seen at submit time.
  2. Provided your form doesn't trigger any action automatically, and you don't get too much spam, turn off the protection. The option is under the "Overrides" tab of the "Edit" view, right at the bottom. It's named "CSRF Protection". Bear in mind that with it off, anyone who can lure a logged-in user to a crafted link can submit the form on their behalf, so only do this where a forged submission would be harmless.
  3. Add a note in the "Form Prologue" field cautioning users against logging in or out between loading and submitting the form.

About Me - Steven Hayles