[openlp-dev] Submitting bug reports from OpenLP to osticket
Simon Hanna
simon at hannaweb.eu
Sat Nov 11 14:23:43 EST 2017
>So the idea so far is to have a flask script which can act as a kinda proxy, but the issue is how can we secure this against abuse?
>
>Superfly's suggestion was for the FTW to contact the server and get a shared key. Then when the exception form wants to submit to the proxy app, OpenLP generates an OTP (One Time Pin) and sends that as one of the headers. Kind of like time based two factor authentication.
>
>My suggestion was for a captcha, but as superfly correctly stated it's not very user friendly. It's also another thing to get in the way of a user submitting a bug report.
>
>Do you guys have any alternative suggestions, or comments on the two above?
The question is what kind of spam you want to defend against.
If it is against targeted, sophisticated attacks we might need something like OTPs. I agree with superfly on not using captchas. They are annoying for real users, which you don't want. Ideally you don't want any interaction with them.
If you want to defend against casual spam, you don't need to put that much effort into it. Have an additional field that has to be empty for the request to be accepted. Robots usually fill every field they find; that way all robots can be sorted out. If you want more protection you could even require a CSRF token.
Now that I think of it, in any attack so targeted that the attacker looks at the source code of OpenLP, they can easily generate valid OTPs themselves... So I recommend what I wrote above.
The script could do smarter sanity checks, making sure there is a valid trace attached or whatnot...
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
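The honeypot field and traceback sanity check suggested in the reply above, as an added example that is not part of the original thread nor of OpenLP's or osticket's code: a validation function the Flask proxy could call on the decoded form before forwarding a report. The field names `website`, `description` and `traceback`, and the size limits, are assumptions made for this example.

```python
import re

# Assumed field names and limits for this example (not OpenLP's real form).
HONEYPOT_FIELD = "website"   # hidden field a human never sees, so never fills
MAX_DESCRIPTION = 20_000
MAX_TRACEBACK = 50_000

# A Python traceback has a fixed header, at least one "File" frame and a final
# "<ExceptionType>: <message>" line; anything else is not a usable trace.
_TRACEBACK_HEAD = re.compile(r"^Traceback \(most recent call last\):", re.M)
_TRACEBACK_FRAME = re.compile(r'^  File ".+", line \d+, in .+', re.M)
_TRACEBACK_TAIL = re.compile(r"^[A-Za-z_][\w.]*: ", re.M)


def looks_like_traceback(text: str) -> bool:
    """Cheap sanity check: does the submitted trace resemble a Python traceback?"""
    return all(p.search(text) for p in (_TRACEBACK_HEAD, _TRACEBACK_FRAME, _TRACEBACK_TAIL))


def validate_report(form: dict) -> list:
    """Return the reasons to reject a submission; an empty list means accept.

    `form` is the decoded request body (field name -> string), e.g. what a
    Flask view gets from dict(request.form).
    """
    problems = []
    # Honeypot: bots tend to fill every field they find; humans never see it.
    if form.get(HONEYPOT_FIELD, ""):
        problems.append("honeypot field filled")
    description = form.get("description", "").strip()
    if not description:
        problems.append("empty description")
    elif len(description) > MAX_DESCRIPTION:
        problems.append("description too long")
    trace = form.get("traceback", "")
    if len(trace) > MAX_TRACEBACK:
        problems.append("traceback too long")
    elif not looks_like_traceback(trace):
        problems.append("no valid traceback attached")
    return problems


# Constructed sample submissions: one genuine-looking report and one bot post.
GOOD_REPORT = {
    "description": "Crash when opening the song editor",
    "traceback": ("Traceback (most recent call last):\n"
                  '  File "example.py", line 12, in on_click\n'
                  "    editor.open()\n"
                  "AttributeError: 'NoneType' object has no attribute 'open'\n"),
    HONEYPOT_FIELD: "",
}
SPAM_REPORT = {"description": "cheap watches", "traceback": "buy now",
               HONEYPOT_FIELD: "http://example.invalid"}
```

Rejected submissions should be logged with the reason rather than forwarded to osticket, so the filter's false positives can be reviewed.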