--- includes/common.inc.orig 2005-09-12 23:47:37.000000000 -0400
+++ includes/common.inc 2005-09-13 22:28:30.000000000 -0400
@@ -1042,6 +1042,53 @@
 }
 /**
+ * Set a hidden 'form_token' field to be included in a form, used to validate
+ * that the resulting submission was actually generated by a local form.
+ *
+ * @param $key
+ * A unique key to identify the form that is currently being displayed.
+ * This identical key is later used to validate that the resulting submission
+ * actually originated with this form.
+ * @result
+ * A themed HTML string representing the hidden token field.
+ */
+function form_token($key) {
+ // this private key should always be kept secret
+ if (!variable_get('drupal_private_key', '')) {
+ variable_set('drupal_private_key', mt_rand());
+ }
+
+ // the verification token is an md5 hash of the form key and our private key
+ return form_hidden('form_token', md5($key . variable_get('drupal_private_key', '')));
+}
+
+/**
+ * Verify that the hidden 'form_token' field was actually generated with our
+ * private key.
+ *
+ * @param $edit
+ * An array containing the form that needs to be validated.
+ * @param $key
+ * The same key that was used to generate the 'form_token'.
+ * @param $error_message
+ * An optional error message to display if the form does not validate.
+ * @result
+ * There is nothing returned from this function, but if the 'form_token' does
+ * not validate an error is generated, preventing the submission.
+ */
+function form_validate($edit, $key, $error_message = NULL) {
+ if ($error_message == NULL) {
+ // set a generic default error message
+ $error = t('Validation error, please try again. If this error persists, please contact the site administrator.');
+ }
+
+ if ($edit['form_token'] != md5($key . variable_get('drupal_private_key', ''))) {
+ // setting this error will cause the form to fail validation
+ form_set_error('form_token', $error);
+ }
+}
+
+/**
+ * File an error against the form element with the specified name.
 */
 function form_set_error($name, $message) {
--- modules/comment.module.orig 2005-09-12 23:55:25.000000000 -0400
+++ modules/comment.module 2005-09-13 22:31:29.000000000 -0400
@@ -517,6 +517,9 @@
 }
 }
 }
+ // verify that this submission was actually generated using a local form
+ form_validate($edit, 'comment'. $edit['nid'] . $edit['pid']);
+
 return $edit;
 }
@@ -1424,6 +1427,8 @@
 $form .= form_hidden('pid', $edit['pid']);
 $form .= form_hidden('nid', $edit['nid']);
 $form .= form_hidden('uid', $edit['uid']);
+ // generate a token used to validate that submissions came from this form
+ $form .= form_token('comment'. $edit['nid'] . $edit['pid']);
 $form .= form_submit(t('Preview comment'));
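Review bot: In form_validate, `$error` is assigned only inside the `$error_message == NULL` branch, so a caller that supplies its own message reaches `form_set_error('form_token', $error)` with an undefined variable and the custom message is never shown; assign the default to `$error_message` in that branch and pass `$error_message` to `form_set_error` instead. The token check `$edit['form_token'] != md5(...)` reads the field without checking it is present and uses loose comparison, which applies PHP's numeric-string coercion to the two hex strings; write it as `if (!isset($edit['form_token']) || $edit['form_token'] !== md5($key . variable_get('drupal_private_key', '')))` so a missing field fails and only an exact match passes. The site secret created in form_token comes from `mt_rand()`, a non-cryptographic generator yielding at most 31 bits, which is a weak basis for every token the site ever issues; store a longer value drawn from a stronger entropy source as `drupal_private_key`. Finally, `$error_message == NULL` also treats `''` and `0` as unset — `=== NULL` is the precise condition the comment describes.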
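Review bot: The token key `'comment'. $edit['nid'] . $edit['pid']` joins the two ids with no separator, so distinct (nid, pid) pairs such as 1/23 and 12/3 produce the same key string and the token no longer distinguishes the forms it is meant to bind; use a delimiter, `'comment' . $edit['nid'] . '-' . $edit['pid']`, and apply the same change to the form_token() call in the @@ -1424 hunk so the generating and validating sides agree. The enclosing function starts before this hunk, so it is not visible whether `$edit['nid']` and `$edit['pid']` are checked earlier; if they are not, note that the key is built from submitted hidden-field values on both sides, which is consistent but binds the token only to whatever pair the client sent.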