derhansen/form_crshield
Composer 安装命令:
composer require derhansen/form_crshield
包简介
Challenge/response spambot protection for ext:form - Challenge/response spambot protection for TYPO3 ext:form - Adds a hidden input field containing a challenge string to forms. Client must execute included JavaScript to calculate the expected response.
README 文档
README
Challenge/response spam shield for TYPO3 ext:form
What is it?
This TYPO3 extension provides a Challenge/response spam shield for TYPO3 ext:form to prevent automated form submissions.
How does it work?
Challenge/response spam shield adds a hidden input field to every form generated by the TYPO3 form extension. The input field has a precalculated value with a challenge. The included JavaScript will use the challenge to calculate an expected response which will be checked on every form submission. If the expected response is not submitted, validation for the hidden input field is considered as failed and no email will be sent.
In order to make automatic form submissions harder for spambots with active JavaScript, a configurable delay for the JavaScript response calculation can be defined in the extension settings (default value: 3 seconds).
Can the protection be bypassed?
Yes, the challenge/response spam shield can be bypassed, if the algorithm used by the extension is implemented to a spambot. This is however unlikely, since the spambot either has to use JavaScript (which I believe most spambots do not) or has to extract the challenge from the parsed HTML and must calculate and submit the response correctly.
Requirements
The extension uses JavaScript to calculate the expected response, so if JavaScript is disabled on client side, form submission will not be possible.
A modern webbrowser is required to run the JavaScript. Internet Explorer < 11 is not supported.
Installation
Just install the extension on your TYPO3 website using composer or the TYPO3 extension manager. No further configuration is required.
Extension settings
The extension has the following extension settings, which can be adjusted if required. The default values should however be fine for most websites.
crJavaScriptDelay
Defines the delay in seconds for the JavaScript response calculation. The default value is 3 seconds.
minimumPageExpirationTime
If the calculated page cache lifetime if very low (e.g. 60 seconds), it may not be possible to fill out a
form before the expiration time for the CR response is reached. This setting defines the minimum amount of
second, the calculated page cache lifetime must have. Default value is 900 seconds.
additionalPageExpirationTime
Defines the amount of seconds, which is added to the calculated page cache lifetime, if the calculated page cache
lifetime is below the defined value in minimumPageExpirationTime.
obfuscationMethod
Defines the obfuscation method used for the challenge/response calculation. Possible values are:
1- ROT13 (default value)2- Reverse String
Logging
To log failed requests, it is possible to use a dedicated logfile like shown below:
$GLOBALS['TYPO3_CONF_VARS']['LOG']['Derhansen']['FormCrshield']['writerConfiguration'] = [
\TYPO3\CMS\Core\Log\LogLevel::DEBUG => [
\TYPO3\CMS\Core\Log\Writer\FileWriter::class => [
'logFile' => \TYPO3\CMS\Core\Core\Environment::getVarPath() . '/log/form-crshield.log',
]
]
];
Usage in own extensions
The extension provides the service ChallengeResponseService which can be used to retrieve and validate
the challenge and the expected response. 3rd party extensions can use this service and the included JavaScript
snippet to implement the challenge/response protection in their own forms (e.g. Extbase forms).
Versions
| Version | TYPO3 | PHP | Support/Development |
|---|---|---|---|
| 4.x | 14.x | 8.2 - 8.5 | Features, Bugfixes, Security Updates |
| 3.x | 13.x | 8.2 - 8.5 | Features, Bugfixes, Security Updates |
| 2.x | 13.x | 8.2 - 8.4 | Features, Bugfixes, Security Updates |
| 1.x | 10.4 - 12.4 | 7.2 - 8.4 | Features, Bugfixes, Security Updates |
Reporting a Vulnerability
Please report vulnerabilities to security@typo3.org.
Extensions using the challenge/response algorithm
The following extensions use the challenge/response algorithm:
Thanks for sponsoring
- Thanks to 3m5. Media GmbH for supporting my open source work on this extension
derhansen/form_crshield 适用场景与选型建议
derhansen/form_crshield 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 239.86k 次下载、GitHub Stars 达 20, 最近一次更新时间为 2022 年 07 月 02 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「form」 「TYPO3 CMS」 「extbase」 「spam protection」 「challenge response」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 derhansen/form_crshield 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 derhansen/form_crshield 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 derhansen/form_crshield 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
GraphQL authentication for your headless Craft CMS applications.
Set Links with a specific language parameter
Diese Contao 4 Erweiterung stellt Google reCAPTCHA V2 in Form eines neuen Formularfeldes im Formulargenerator bereit. This extension provides Google reCAPTCHA V2 in the form of a new form field in the form generator of Contao Open Source CMS.
Supercharged text field validation.
TYPO3 CMS extension to create gallery content element with preset crop ratios and pagination
An interactive tour through the TYPO3 backend.
统计信息
- 总下载量: 239.86k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 20
- 点击次数: 26
- 依赖项目数: 3
- 推荐数: 1
其他信息
- 授权协议: GPL-2.0-or-later
- 更新时间: 2022-07-02