System to process, filter and validate empty comments

peterx - June 8, 2006 - 11:42
Project:Drupal
Version:7.x-dev
Component:comment.module
Category:feature request
Priority:normal
Assigned:Unassigned
Status:closed
Description

My site is flooded with empty posts. It happened in 4.7.0, 4.7.1, and 4.7.2. There is another report at http://drupal.org/node/67670.

In comment.module function comment_validate($edit) I added the following to stop the problem.

// Reject a comment body that is empty or contains only whitespace.
if (trim($edit['comment']) == '') {
  form_set_error('comment', t('You have to supply some content in the comment.'));
}

#1

doq - June 8, 2006 - 12:14

The same story can be found here.

#2

mrb - June 8, 2006 - 13:19

Peter, thanks for replying to my earlier post 67670. The attacks I've been getting all seem to use a zero-length post instead of a space character. If I look in my logs they all follow the same pattern: get a comment reply page, do a zero-byte post to that page, follow the redirection to the result page. I've attached a couple of log entries below.

So even though we can stop the spam with your fix, I don't understand why those posts are accepted. Why doesn't the existing 'Comment field is required' error-checking kick in and block the post?

Regards, MrB

65.200.179.195 - - [08/Jun/2006:02:46:48 -0500] "GET /drupal/comment/reply/295?PHPSESSID=507b0c161d62086617230826e06158a3 HTTP/1.0" 200 17339 "http://www.batgung.com/drupal/comment/reply/295?PHPSESSID=507b0c161d62086617230826e06158a3" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
65.200.179.195 - - [08/Jun/2006:02:46:50 -0500] "POST /drupal/comment/reply/295?PHPSESSID=507b0c161d62086617230826e06158a3 HTTP/1.0" 302 0 "http://www.batgung.com/drupal/comment/reply/295?PHPSESSID=507b0c161d62086617230826e06158a3" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
65.200.179.194 - - [08/Jun/2006:02:46:51 -0500] "GET /twosquaremeterman#comment-3726 HTTP/1.0" 200 16408 "http://www.batgung.com/drupal/comment/reply/295?PHPSESSID=507b0c161d62086617230826e06158a3" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"

195.175.37.6 - - [08/Jun/2006:02:48:32 -0500] "GET /drupal/comment/reply/329?PHPSESSID=9d47fc8ab99cba8902cf59642fb1b2dc HTTP/1.0" 200 13879 "http://www.batgung.com/drupal/comment/reply/329?PHPSESSID=9d47fc8ab99cba8902cf59642fb1b2dc" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
195.175.37.6 - - [08/Jun/2006:02:48:34 -0500] "POST /drupal/comment/reply/329?PHPSESSID=9d47fc8ab99cba8902cf59642fb1b2dc HTTP/1.0" 302 0 "http://www.batgung.com/drupal/comment/reply/329?PHPSESSID=9d47fc8ab99cba8902cf59642fb1b2dc" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
195.175.37.6 - - [08/Jun/2006:02:48:35 -0500] "GET /homesick#comment-3727 HTTP/1.0" 200 12882 "http://www.batgung.com/drupal/comment/reply/329?PHPSESSID=9d47fc8ab99cba8902cf59642fb1b2dc" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"

203.228.184.177 - - [08/Jun/2006:03:17:21 -0500] "GET /drupal/comment/reply/352?PHPSESSID=08ca908651c563bdfc79e113eb16a562 HTTP/1.1" 200 28724 "http://www.batgung.com/drupal/comment/reply/352?PHPSESSID=08ca908651c563bdfc79e113eb16a562" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
203.228.184.177 - - [08/Jun/2006:03:17:26 -0500] "POST /drupal/comment/reply/352?PHPSESSID=08ca908651c563bdfc79e113eb16a562 HTTP/1.0" 302 0 "http://www.batgung.com/drupal/comment/reply/352?PHPSESSID=08ca908651c563bdfc79e113eb16a562" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
203.228.184.177 - - [08/Jun/2006:03:17:28 -0500] "GET /where#comment-3728 HTTP/1.1" 200 35244 "http://www.batgung.com/drupal/comment/reply/352?PHPSESSID=08ca908651c563bdfc79e113eb16a562" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"

203.236.16.41 - - [08/Jun/2006:04:04:53 -0500] "GET /drupal/comment/reply/321?PHPSESSID=ca0168c7b941ed69b62923a62e5213ef HTTP/1.0" 200 17458 "http://www.batgung.com/drupal/comment/reply/321?PHPSESSID=ca0168c7b941ed69b62923a62e5213ef" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
203.236.16.43 - - [08/Jun/2006:04:04:56 -0500] "POST /drupal/comment/reply/321?PHPSESSID=ca0168c7b941ed69b62923a62e5213ef HTTP/1.0" 302 0 "http://www.batgung.com/drupal/comment/reply/321?PHPSESSID=ca0168c7b941ed69b62923a62e5213ef" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
203.236.16.44 - - [08/Jun/2006:04:04:58 -0500] "GET /babypressure#comment-3730 HTTP/1.0" 200 17059 "http://www.batgung.com/drupal/comment/reply/321?PHPSESSID=ca0168c7b941ed69b62923a62e5213ef" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"

218.56.32.230 - - [08/Jun/2006:04:26:20 -0500] "GET /drupal/comment/reply/317?PHPSESSID=b1f72efe6bf76c3427997739f4d7b4d7 HTTP/1.0" 200 13929 "http://www.batgung.com/drupal/comment/reply/317?PHPSESSID=b1f72efe6bf76c3427997739f4d7b4d7" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
218.56.32.230 - - [08/Jun/2006:04:26:36 -0500] "POST /drupal/comment/reply/317?PHPSESSID=b1f72efe6bf76c3427997739f4d7b4d7 HTTP/1.0" 302 0 "http://www.batgung.com/drupal/comment/reply/317?PHPSESSID=b1f72efe6bf76c3427997739f4d7b4d7" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
218.56.32.230 - - [08/Jun/2006:04:26:46 -0500] "GET /redpockets#comment-3731 HTTP/1.0" 200 13010 "http://www.batgung.com/drupal/comment/reply/317?PHPSESSID=b1f72efe6bf76c3427997739f4d7b4d7" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
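The three-request pattern mrb describes, turned into detection logic that runs over log lines, as an added example that is not part of this thread and not Drupal code. The first three sample lines are the 203.236.16.x group quoted above; the last three are constructed to look like a real browser posting a comment and are not from the site's logs. Two details in the quoted lines drive the heuristic. First, the follow-up GET carries the `#comment-NNNN` fragment in the request line; a browser strips the fragment before sending a request, so a request line containing one means a client that copied the redirect's Location header literally. Second, one group has three different source addresses sharing a single PHPSESSID, so requests are correlated by session (taken from the URL or, for the final GET, from the Referer) rather than by address. The numeric field after the status code in this log format is the response size, so `302 0` says nothing about the request body; the heuristic does not rely on it. The 60-second window is an assumption.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache combined log format, the format of the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Drupal's comment reply form, with or without a sub-directory prefix.
REPLY_RE = re.compile(r'^(?:/[^/]+)*/comment/reply/(?P<nid>\d+)$')
# Fragment of the node URL the comment form redirects to after saving.
ANCHOR_RE = re.compile(r'^comment-(?P<cid>\d+)$')


def parse_line(line):
    """Split one log line into fields; return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    url = urlsplit(rec["target"])
    rec["path"], rec["fragment"] = url.path, url.fragment
    # PHP's transparent session id, from the request URL or else from the Referer
    # (the final GET in the quoted logs only carries it in the Referer).
    sid = (parse_qs(url.query).get("PHPSESSID")
           or parse_qs(urlsplit(rec["referer"]).query).get("PHPSESSID"))
    rec["session"] = sid[0] if sid else None
    return rec


def _keys(rec):
    """Correlation keys, strongest first: the session id, then the client address."""
    return [k for k in (rec["session"], rec["ip"]) if k]


def find_bot_comment_posts(lines, window_seconds=60):
    """One hit per POST to comment/reply/<nid> answered with 302 that is followed,
    within the window and by the same session, by a GET whose request line still
    carries a '#comment-<cid>' fragment. Browsers drop the fragment before sending,
    so its presence means a client that replayed the Location header verbatim."""
    pending = {}   # correlation key -> (nid, record of the 302 POST)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reply = REPLY_RE.match(rec["path"])
        if rec["method"] == "POST" and reply and rec["status"] == 302:
            for k in _keys(rec):
                pending[k] = (reply.group("nid"), rec)
            continue
        anchor = ANCHOR_RE.match(rec["fragment"])
        if rec["method"] != "GET" or not anchor:
            continue
        for k in _keys(rec):
            if k in pending:
                nid, post = pending[k]
                for pk in _keys(post):
                    pending.pop(pk, None)
                if (rec["ts"] - post["ts"]).total_seconds() <= window_seconds:
                    hits.append({
                        "session": post["session"] or post["ip"],
                        "ips": sorted({post["ip"], rec["ip"]}),
                        "nid": int(nid),
                        "cid": int(anchor.group("cid")),
                        "ua": rec["ua"],
                    })
                break
    return hits


# Lines 1-3: the 203.236.16.x group quoted in the post. Lines 4-6: constructed
# benign traffic (a browser never sends the '#comment-...' fragment).
SAMPLE_LOG = """\
203.236.16.41 - - [08/Jun/2006:04:04:53 -0500] "GET /drupal/comment/reply/321?PHPSESSID=ca0168c7b941ed69b62923a62e5213ef HTTP/1.0" 200 17458 "http://www.batgung.com/drupal/comment/reply/321?PHPSESSID=ca0168c7b941ed69b62923a62e5213ef" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
203.236.16.43 - - [08/Jun/2006:04:04:56 -0500] "POST /drupal/comment/reply/321?PHPSESSID=ca0168c7b941ed69b62923a62e5213ef HTTP/1.0" 302 0 "http://www.batgung.com/drupal/comment/reply/321?PHPSESSID=ca0168c7b941ed69b62923a62e5213ef" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
203.236.16.44 - - [08/Jun/2006:04:04:58 -0500] "GET /babypressure#comment-3730 HTTP/1.0" 200 17059 "http://www.batgung.com/drupal/comment/reply/321?PHPSESSID=ca0168c7b941ed69b62923a62e5213ef" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
192.0.2.10 - - [08/Jun/2006:04:10:01 -0500] "GET /drupal/comment/reply/321?PHPSESSID=0000000000000000000000000000aaaa HTTP/1.1" 200 17458 "http://www.batgung.com/babypressure" "Mozilla/5.0 (X11; Linux) Gecko/20060508 Firefox/1.5"
192.0.2.10 - - [08/Jun/2006:04:12:30 -0500] "POST /drupal/comment/reply/321?PHPSESSID=0000000000000000000000000000aaaa HTTP/1.1" 302 0 "http://www.batgung.com/drupal/comment/reply/321?PHPSESSID=0000000000000000000000000000aaaa" "Mozilla/5.0 (X11; Linux) Gecko/20060508 Firefox/1.5"
192.0.2.10 - - [08/Jun/2006:04:12:31 -0500] "GET /babypressure HTTP/1.1" 200 17200 "http://www.batgung.com/drupal/comment/reply/321?PHPSESSID=0000000000000000000000000000aaaa" "Mozilla/5.0 (X11; Linux) Gecko/20060508 Firefox/1.5"
"""

if __name__ == "__main__":
    for hit in find_bot_comment_posts(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run against a real access log with `find_bot_comment_posts(open(path))`; each hit names the node, the comment id to review or delete, and every address the session used, which is what makes the per-session rather than per-IP correlation worth the extra lookup.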

#3

peterx - June 9, 2006 - 08:30

There are a number of modules that filter comments. It is possible that your visitors are posting something illegal that is removed by a module, but only after the comment field has been accepted as not zero length. If you have a module that removes JavaScript by removing <script></script>, then the following may happen:
1/ The first validation decides the comment field is not zero length.
2/ The filter will remove the script element leaving a zero length comment.
3/ The zero length comment is written to the database.

My modification works if the check occurs after everything else is removed, after all the other forms of validation and filtering are complete. Place the modification at the end of comment_validate() just before the return.

petermoulding.com/web_architect

#4

doq - June 9, 2006 - 14:16

Won't you try to make a patch?

#5

peterx - June 9, 2006 - 22:26

I think it is best looked at by someone who knows the comment module to make sure it is the right code in the right place and does not introduce other problems.

#6

Steven - June 10, 2006 - 11:55
Status:active» won't fix

This is not fixable, not in the general sense.

First, a site may have any filter enabled. This means that, to be good, we need to check for emptiness after filtering. But, that means we need to start detecting 'empty' content such as <br />. One possible approach is to see if there is any non-HTML, non-whitespace content. But this can hinder specialized filters and content (e.g. posting only an image tag would become disallowed).

Another trick is to use non-printable unicode characters. There are plenty, we cannot detect all of them.

The point of the comment validation is to make sure people don't accidentally forget a body (granted, this is rare). A full solution to this problem would check the resulting output in a smart way, discarding non-content tags and non-printable characters and whitespace. It's a lot of work, for IMO very little benefit.
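The check Steven sketches here (discard non-content tags, non-printable characters and whitespace, but keep a comment that is only an image tag), placed after the site's filters as peterx argues in #3, as an added example. This is not Drupal code and not a patch from this issue: Python is used to show the logic, the Drupal form API is not modelled, and `strip_script_filter` is a stand-in for whatever filter a site has enabled. Invisible characters are recognised by Unicode general category plus a short denylist of invisible letters; that catches the common cases (NBSP, zero-width space, BOM) but, as the denylist itself shows, cannot be complete, which is the limit stated above.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Tags that are content on their own even when they wrap no text.
CONTENT_TAGS = {"img", "video", "audio", "iframe", "embed", "object", "svg", "canvas"}
# Code points in these categories render nothing on their own: controls, format
# characters (ZWSP, ZWJ, BOM), spaces and separators, combining marks (real text
# always has a base letter next to them), private-use and unassigned code points.
INVISIBLE_CATEGORIES = {"Cc", "Cf", "Cn", "Co", "Cs", "Zs", "Zl", "Zp", "Mn", "Mc", "Me"}
# Letters (category Lo) that draw nothing: the Hangul fillers. Any such denylist
# is incomplete; this is the gap the discussion above points out.
INVISIBLE_LETTERS = {"\u115f", "\u1160", "\u3164", "\uffa0"}


class _ContentProbe(HTMLParser):
    """Collects text nodes and counts self-contained media tags; text inside
    script/style elements is not content and is skipped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # &nbsp; arrives as U+00A0
        self.text = []
        self.media = 0
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in CONTENT_TAGS:
            self.media += 1
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_startendtag(self, tag, attrs):   # <img ... /> and <br />
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def content_summary(fragment):
    """Return (visible_char_count, media_tag_count) for an HTML fragment."""
    probe = _ContentProbe()
    probe.feed(fragment)
    probe.close()   # flushes buffered text
    visible = sum(
        1 for ch in "".join(probe.text)
        if unicodedata.category(ch) not in INVISIBLE_CATEGORIES
        and ch not in INVISIBLE_LETTERS
    )
    return visible, probe.media


def is_effectively_empty(fragment):
    """True when nothing would be rendered: no visible character and no media tag."""
    visible, media = content_summary(fragment)
    return visible == 0 and media == 0


def strip_script_filter(text):
    # Stand-in (hypothetical) for a site filter that drops <script> elements,
    # the scenario peterx describes in #3.
    return re.sub(r"(?is)<script\b[^>]*>.*?</script>", "", text)


def validate_comment(body, filters=()):
    """Validation in the order argued for in the thread: the trim() check from the
    opening post first, then the site's filters, then the content check on what
    survives them. Returns (error messages, filtered body)."""
    if body.strip() == "":
        return ["You have to supply some content in the comment."], body
    filtered = body
    for f in filters:
        filtered = f(filtered)
    if is_effectively_empty(filtered):
        return ["The comment has no visible content after filtering."], filtered
    return [], filtered


if __name__ == "__main__":
    for sample in ["<br />", "<p>&nbsp;</p>", "\u200b\ufeff", "<img src='x.png'>",
                   "<script>alert(1)</script>", "Looks fine."]:
        print(repr(sample), is_effectively_empty(sample))
```

The ordering is the whole point: `"<script>alert(1)</script>"` passes the trim check, is reduced to nothing by the filter, and is only rejected because the content check runs on the filtered text. A comment consisting solely of `<img ...>` is accepted, which is the case Steven raises against a plain "any non-HTML text" rule.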

#7

peterx - June 10, 2006 - 20:50

One problem I struck when trying to delete the empty entries was the lack of subject text. When I listed empty entries, there was no subject which means no text in the link to the comment. The code that creates links to comments with empty subjects may need to insert a space so that the link works. If we cannot prevent empty entries at creation then perhaps we can make sure the links to the comments work so we can review the content before deletion.

#8

magico - August 31, 2006 - 13:42
Title:People can post empty comments by entering one space in the comment field» System to process, filter and validate empty comments
Version:4.7.2» x.y.z
Category:bug report» feature request
Priority:normal» critical
Status:won't fix» active

@Steven: I agree with you, and because of that this should be a new feature in the HEAD.

IMO, this is a critical feature to control the way comments are inserted. With Drupal popularization we should add features to protect from SPAM, avoid mistakes from users and help site administrators in their moderation task.

#9

Steven - December 13, 2006 - 10:48
Version:x.y.z» 6.x-dev
Priority:critical» normal
Status:active» postponed (maintainer needs more info)

Is this still an issue with the 5.0 form API?

#10

eagereyes - December 20, 2006 - 12:49

I'm having this problem with 4.7.4 now. The fix above doesn't seem to do it for me for some reason. I think that a reasonable effort should be made to prevent empty contents, even if it won't be perfect. Spammers aren't interested in empty comments, they want to get their stupid links/sploits posted. So they won't go to great lengths to trick the filter into not seeing some exotic unprintable character or a br tag. The annoyance factor would be much lower, though.

#11

magico - January 12, 2007 - 14:34

@Steven: yes it is. I've just added a new comment with one space, and it was allowed.

#12

magico - January 23, 2007 - 14:09

Another duplicate at http://drupal.org/node/76333

#13

Pasqualle - September 16, 2008 - 12:10
Version:6.x-dev» 7.x-dev
Status:postponed (maintainer needs more info)» active

#14

Damien Tournoud - September 16, 2008 - 12:20
Status:active» fixed

Fixed by #117748: Trim required fields on validate.

#15

Anonymous (not verified) - September 30, 2008 - 12:21
Status:fixed» closed

Automatically closed -- issue fixed for two weeks with no activity.