phpBB3 / PHPBB3-10005

users can register without custom profile field correctly entered

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.0.8
    • Fix Version/s: 3.0.9-RC1
    • Component/s: None
    • Labels:
      None
    • Environment:
      MySQL 5.1.52
      PHP 5.2.15

      Description

      A mandatory custom profile field has been defined (custom_profile_field1.png), with a default value that is equal to the non-entered value (custom_profile_field2.png). Users should therefore not be able to register without selecting a non-default value for this. This is indeed the case when registering through the phpBB registration screen. However, users (spammers) are able to register with the default value set - i.e. spammers are somehow submitting their own form to register, and it is bypassing the custom profile field validation.

          Activity

          Kellanved Kellanved [X] (Inactive) added a comment -

          Profile fields are not intended to be an anti-spam tool and are thus not well-suited to perform that role.

          The observed behavior is probably due to the dropdown validation code in functions_profile_fields custom_profile::validate_profile_field. The check only checks whether the submitted value is equal to the default. Any non-default submission will be accepted, e.g. -1, 10000000, etc.

          Kellanved Kellanved [X] (Inactive) added a comment -

          Also, this issue has some bearing on the issue, as validation is language dependent.

          Kellanved Kellanved [X] (Inactive) added a comment -

          This might also cause the observed behavior.

          mmillmor mmillmor added a comment -

          It's a fair point that profile fields may not have been designed as an anti-spam tool, but they are the number one tool that is touted on the official phpBB anti-spam sticky-thread;

          http://www.phpbb.com/community/viewtopic.php?f=46&t=1861645

          and they feature in the phpBB knowledge base as being used for that

          http://www.phpbb.com/kb/article/custom-profile-fields-as-an-anti-spammer-tool/

          naderman Nils Adermann added a comment -

          I added code to validate that the submitted value is actually in the allowed range.

          brunoais brunoais added a comment -

          I was unable to find flaws in the code or reproduce the steps.
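
The gap described in the comments above (a dropdown check that only rejects the default value) next to a check that also requires the value to be a defined option, as an added example. This is not phpBB's code: the field layout, function names and error strings are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical field definition (constructed sample): option IDs 1..3 are
// real choices, 0 is the "nothing selected" default shown in the form.
const FIELD = [
    'required' => true,
    'novalue'  => 0,
    'options'  => [1 => 'Human', 2 => 'Robot', 3 => 'Other'],
];

/** Weak check as described in the comments: only rejects the default value. */
function validate_dropdown_weak(array $field, $submitted): ?string
{
    if ($field['required'] && $submitted == $field['novalue']) {
        return 'FIELD_REQUIRED';
    }
    return null; // anything else, including -1 or 10000000, passes
}

/** Stricter check: the value must also be one of the defined option IDs. */
function validate_dropdown_strict(array $field, $submitted): ?string
{
    // Reject arrays and anything that is not an integer (e.g. "1.5", "2abc").
    if (is_array($submitted) || filter_var($submitted, FILTER_VALIDATE_INT) === false) {
        return 'FIELD_INVALID_VALUE';
    }
    $value = (int) $submitted;
    if ($value === $field['novalue']) {
        return $field['required'] ? 'FIELD_REQUIRED' : null;
    }
    // Allow-list: only option IDs that exist for this field are accepted.
    if (!array_key_exists($value, $field['options'])) {
        return 'FIELD_INVALID_VALUE';
    }
    return null;
}

// Constructed submissions, as raw request strings a hand-built POST could carry.
foreach (['0', '2', '-1', '10000000'] as $raw) {
    printf("%-11s weak=%-15s strict=%s\n", var_export($raw, true),
        validate_dropdown_weak(FIELD, $raw) ?? 'accepted',
        validate_dropdown_strict(FIELD, $raw) ?? 'accepted');
}
```

The server-side allow-list is what matters here: the registration form only offers valid options, but a request built outside the form is not bound by what the form offers.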


            People

            • Assignee:
              naderman Nils Adermann
              Reporter:
              mmillmor mmillmor