As designed Registration Honeypots

Ozzy47

Well-known member
Affected version
2.1
When a bot or a user somehow fills out a honeypot, from what I can tell they should be seeing an error message.

PHP:
        // Every honeypot field must come back empty; a non-empty value marks the attempt as non-human
        foreach ($this->honeyPotFields AS $field)
        {
            $value = $request->filter($this->getFieldName($field), 'str');
            if ($value !== '')
            {
                $error = \XF::phrase('some_fields_contained_unexpected_data_try_again');
                return false;
            }
        }

That is out of src/XF/Service/User/RegisterForm.php, and from what I see the user should be seeing the error message some_fields_contained_unexpected_data_try_again, but they don't; they are just redirected to the registration form.
 
This is intentional.

At this point we know it isn't a legit user so we essentially short circuit the process and redirect them back to the registration form. This generates an entirely new set of fields and probably adds a layer of confusion potentially.


I’m all down for that, works great. Question is though, shouldn’t they be seeing an error according to that code, or am I reading it wrong?
 
That code sets the $error variable, but we decide not to do anything with that, and simply perform a redirection instead.
PHP:
/** @var \XF\Service\User\RegisterForm $regForm */
$regForm = $this->service('XF:User\RegisterForm', $this->session());
if (!$regForm->isValidRegistrationAttempt($this->request(), $error))
{
   // they failed something that a legit user shouldn't fail, redirect so the key is different
   $regForm->clearStateFromSession($this->session());
   return $this->redirect($this->buildLink('register'));
}
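The behaviour described in this reply, as an added example that is not XenForo's code: a minimal honeypot check modelled on the loop quoted above, followed by the controller decision to set `$error`, discard it, clear the session state and rebuild the form so the field names differ on the next render. The per-session key, the `_hp` field names and the `HoneypotForm` class are assumptions for illustration only.

```php
<?php
// Added example, not XenForo's code. Assumption: honeypot field names are derived
// from a per-session key, so clearing that key yields a fresh set of names.

final class HoneypotForm
{
    private const HONEYPOT_FIELDS = ['username_hp', 'email_hp'];
    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
        $this->session['hp_key'] ??= bin2hex(random_bytes(8));
    }

    /** Field name as rendered in the form for this session (assumed scheme). */
    public function fieldName(string $field): string
    {
        return $field . '_' . $this->session['hp_key'];
    }

    /** Mirrors the loop in the bug report: any filled honeypot fails the attempt. */
    public function isValidRegistrationAttempt(array $post, ?string &$error): bool
    {
        foreach (self::HONEYPOT_FIELDS as $field) {
            $value = (string)($post[$this->fieldName($field)] ?? '');
            if ($value !== '') {
                $error = 'some_fields_contained_unexpected_data_try_again';
                return false;
            }
        }
        return true;
    }

    /** Dropping the key forces new field names when the form is rendered again. */
    public function clearStateFromSession(): void
    {
        unset($this->session['hp_key']);
    }
}

// Constructed request: a bot echoing every field it saw, including a honeypot.
$session = [];
$form = new HoneypotForm($session);
$post = ['username' => 'bot', $form->fieldName('email_hp') => 'spam@example.invalid'];

if (!$form->isValidRegistrationAttempt($post, $error)) {
    // $error is populated here but, as in the controller above, deliberately not shown.
    $form->clearStateFromSession();
    $retry = new HoneypotForm($session); // models the redirect back to the register form
    printf("error set: %s\nredirected; new field name: %s\n", $error, $retry->fieldName('email_hp'));
}
```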
 