Fossil

Check-in [54afc94ce0]
Login

Check-in [54afc94ce0]

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Add the "timelineX" tag to robot-restrict processing. Move /honeypot over to the captcha.c file and have it use the resources found there.
Downloads: Tarball | ZIP archive
Timelines: family | ancestors | descendants | both | robot-restrict-simplified
Files: files | file ages | folders
SHA3-256: 54afc94ce057369b4e37bd365ee7f955e201e2fabbb6d76d06981bd19d4b0286
User & Date: drh 2025-08-16 00:36:03.365
Context
2025-08-16
13:57
Improved anti-robot captcha. ... (Closed-Leaf check-in: 206089acd1 user: drh tags: robot-restrict-simplified)
00:36
Add the "timelineX" tag to robot-restrict processing. Move /honeypot over to the captcha.c file and have it use the resources found there. ... (check-in: 54afc94ce0 user: drh tags: robot-restrict-simplified)
2025-08-15
23:46
Convert the g.isHuman variable into g.isRobot. ... (check-in: 6422bca15d user: drh tags: robot-restrict-simplified)
Changes
Unified Diff Ignore Whitespace Patch
Changes to src/captcha.c. 
757
758
759
760
761
762
763








764
765
766
767
768
769
770

    style_header("Captcha Test");
    @ <pre class="captcha">
    @ %s(captcha_render(zPw))
    @ </pre>
    style_finish_page();
  }
}









/*
** Check to see if the current request is coming from an agent that 
** self-identifies as a spider.
**
** If the agent does not claim to be a spider or if the user has logged
** in (even as anonymous), then return 0 without doing anything.








>
>
>
>
>
>
>
>








757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778

    style_header("Captcha Test");
    @ <pre class="captcha">
    @ %s(captcha_render(zPw))
    @ </pre>
    style_finish_page();
  }
}

/*
** WEBPAGE: honeypot
** This page is a honeypot for spiders and bots.
*/
void honeypot_page(void){
  (void)exclude_spiders(0);
}

/*
** Check to see if the current request is coming from an agent that 
** self-identifies as a spider.
**
** If the agent does not claim to be a spider or if the user has logged
** in (even as anonymous), then return 0 without doing anything.
Changes to src/robot.c. 
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

/*
** SETTING: robot-restrict                width=40 block-text
** The VALUE of this setting is a list of GLOB patterns that match
** pages for which complex HTTP requests from unauthenicated clients
** should be disallowed.  "Unauthenticated" means the user is "nobody".
** The recommended value for this setting is:
** 
**     timeline,diff,annotate,zip,fileage,file
**
** The "diff" tag covers all diffing pages such as /vdiff, /fdiff, and 
** /vpatch.  The "annotate" tag also covers /blame and /praise.  "zip"
** also covers /tarball and /sqlar.  If a tag has an "X" character appended,
** then it only applies if query parameters are such that the page is
** particularly difficult to compute.
**
** In all other case, the tag should exactly match the page name.
*/

/*
** Return the default restriction GLOB
*/
const char *robot_restrict_default(void){
  return "timeline,diff,annotate,zip,fileage,file";
}
/*
** Check to see if the page named in the argument is on the
** robot-restrict list.  If it is on the list and if the user
** is "nobody" then bring up a captcha to test to make sure that
** client is not a robot.
**








|














|








115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

/*
** SETTING: robot-restrict                width=40 block-text
** The VALUE of this setting is a list of GLOB patterns that match
** pages for which complex HTTP requests from unauthenicated clients
** should be disallowed.  "Unauthenticated" means the user is "nobody".
** The recommended value for this setting is:
** 
**     timelineX,diff,annotate,zip,fileage,file
**
** The "diff" tag covers all diffing pages such as /vdiff, /fdiff, and 
** /vpatch.  The "annotate" tag also covers /blame and /praise.  "zip"
** also covers /tarball and /sqlar.  If a tag has an "X" character appended,
** then it only applies if query parameters are such that the page is
** particularly difficult to compute.
**
** In all other case, the tag should exactly match the page name.
*/

/*
** Return the default restriction GLOB
*/
const char *robot_restrict_default(void){
  return "timelineX,diff,annotate,zip,fileage,file";
}
/*
** Check to see if the page named in the argument is on the
** robot-restrict list.  If it is on the list and if the user
** is "nobody" then bring up a captcha to test to make sure that
** client is not a robot.
**
Changes to src/style.c. 
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446

** Display CGI-variables and other aspects of the run-time
** environment, for debugging and trouble-shooting purposes.
*/
void page_test_env(void){
  webpage_error("");
}

/*
** WEBPAGE: honeypot
** This page is a honeypot for spiders and bots.
*/
void honeypot_page(void){
  unsigned int uSeed = captcha_seed();
  const char *zDecoded = captcha_decode(uSeed, 0);
  int bAutoCaptcha = db_get_boolean("auto-captcha", 0);
  char *zCaptcha = captcha_render(zDecoded);
  style_header("I think you are a robot");
  @ <p>You seem like a robot.</p>
  @
  @ <p>Is that incorrect?  Are you really human?
  @ If so, please prove it by transcribing the captcha text
  @ into the entry box below and pressing "Submit".
  @ <form action="%R/login" method="post">
  @ <input type="hidden" id="u" name="u" value="anonymous">
  @ <p>
  @ Captcha: <input type="text" id="p" name="p" value="">
  @ <input type="submit" name="in" value="Submit">
  @ 
  @ <p>Alternatively, you can <a href="%R/login">log in</a> using an
  @ existing userid.
  @
  @ <p><input type="hidden" name="cs" value="%u(uSeed)">
  @ <div class="captcha"><table class="captcha"><tr><td>\
  @ <pre class="captcha">
  @ %h(zCaptcha)
  @ </pre></td></tr></table>
  if( bAutoCaptcha ) {
     @ <input type="button" value="Fill out captcha" id='autofillButton' \
     @ data-af='%s(zDecoded)'>
     builtin_request_js("login.js");
  }
  @ </div>
  free(zCaptcha);
  @
  @ <p>We regret this inconvenience. However, robots have become so
  @ prolific and so aggressive that they will soak up too much CPU time
  @ and network bandwidth on our servers if allowed to run unchecked.
  @ Your cooperation in demonstrating that you are human is
  @ appreciated.
  style_finish_page();
}

/*
** Webpages that encounter an error due to missing or incorrect
** query parameters can jump to this routine to render an error
** message screen.
**
** For administators, or if the test_env_enable setting is true, then
** details of the request environment are displayed.  Otherwise, just








<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<








1388
1389
1390
1391
1392
1393
1394













































1395
1396
1397
1398
1399
1400
1401

** Display CGI-variables and other aspects of the run-time
** environment, for debugging and trouble-shooting purposes.
*/
void page_test_env(void){
  webpage_error("");
}














































/*
** Webpages that encounter an error due to missing or incorrect
** query parameters can jump to this routine to render an error
** message screen.
**
** For administators, or if the test_env_enable setting is true, then
** details of the request environment are displayed.  Otherwise, just
Changes to src/timeline.c. 
1828
1829
1830
1831
1832
1833
1834

1835
1836
1837
1838
1839
1840
1841

  }
  if( (!g.perm.Read && !g.perm.RdTkt && !g.perm.RdWiki && !g.perm.RdForum)
   || (bisectLocal && !g.perm.Setup)
  ){
    login_needed(g.anon.Read && g.anon.RdTkt && g.anon.RdWiki);
    return;
  }

  if( !bisectLocal ){
    etag_check(ETAG_QUERY|ETAG_COOKIE|ETAG_DATA|ETAG_CONFIG, 0);
  }
  cookie_read_parameter("y","y");
  zType = P("y");
  if( zType==0 ){
    zType = g.perm.Read ? "ci" : "all";








>








1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842

  }
  if( (!g.perm.Read && !g.perm.RdTkt && !g.perm.RdWiki && !g.perm.RdForum)
   || (bisectLocal && !g.perm.Setup)
  ){
    login_needed(g.anon.Read && g.anon.RdTkt && g.anon.RdWiki);
    return;
  }
  if( zBefore && robot_restrict("timelineX") ) return;
  if( !bisectLocal ){
    etag_check(ETAG_QUERY|ETAG_COOKIE|ETAG_DATA|ETAG_CONFIG, 0);
  }
  cookie_read_parameter("y","y");
  zType = P("y");
  if( zType==0 ){
    zType = g.perm.Read ? "ci" : "all";