jamesturk / django-honeypot
Generic honeypot utilities for use in django projects.
License: BSD 2-Clause "Simplified" License
I have followed instructions given to me on creating forms in django, as I have thought that the app was referring to html form at first. But even when I did, I always get the error html page. What am I doing wrong?
Here is what I did:
http://stackoverflow.com/questions/16780086/how-do-i-install-an-app-that-doesnt-have-models-or-views
The README mentions that HONEYPOT_VALUE and HONEYPOT_VERIFIER can be used to "implement a more advanced technique such as using timestamps".
It would be nice to include a recipe so people don't have to reinvent the wheel. I use something like this:
utils/honeypot.py:

import time

from django.core.signing import BadSignature, Signer

SALT = 'honey'


def value_generator():
    # Return monotonic timestamp (won't ever go backwards)
    signer = Signer(salt=SALT)
    value = int(time.monotonic())
    return signer.sign(value)


def value_verifier(value):
    # Verify that the submitted value was generated at most
    # an hour (in seconds) ago
    signer = Signer(salt=SALT)
    try:
        value = signer.unsign(value)
    except BadSignature:
        return False
    else:
        return 0 < time.monotonic() - int(value) < 60 * 60

settings.py:

# "import utils.honeypot" alone would not bind the name "honeypot" used below
from utils import honeypot

HONEYPOT_VALUE = honeypot.value_generator
HONEYPOT_VERIFIER = honeypot.value_verifier
Some more advanced bots can recognize that fields with display:none should not be filled.
We can achieve something similar to display:none without actually using it.
We recently got a bot submission on our contact form using django-honeypot, which is the reason I'm suggesting the change.
These CSS properties can replace display:none:
opacity: 0;
position: absolute;
top: 0;
left: 0;
height: 0;
width: 0;
z-index: -1;
Kind regards.
Using the combined middleware of this app, HoneypotMiddleware, I cannot save anything I try to change on admin without getting the 400 bad request error page honeypot/honeypot_error.html.
Nothing is entered into the value that the honeypot input field uses when I try to save.
Removing the middleware and honeypot configuration from settings.py completely fixed the problem. It would still be useful to have django-honeypot work even on admin pages.
Dependabot couldn't authenticate with https://pypi.python.org/simple/.
You can provide authentication details in your Dependabot dashboard by clicking into the account menu (in the top right) and selecting 'Config variables'.
Hello,
I have a big project where I recently added honeypot as dependency. I enabled the honeypot.middleware.HoneypotMiddleware middleware but then every single test that performs a POST breaks, because, of course, the honeypot field is not being sent.
I've investigated what Django does for the CSRF middleware, and they have a couple of hacks in place that I'm not sure apply for honeypot, since those require that the test Client gets instantiated with a custom parameter enforce_csrf_checks=False.
Can you think of any other way of using the middleware without breaking all the tests? (the existing tests are too many, adding the honeypot field to each one does not scale).
Thank you.
AttributeError at /
'function' object has no attribute 'as_view'
I'm having the above error when I try to use the decorator within my class-based view.
How to exempt all secure when using a REST API? Because I get a 400 error when I send a POST with ajax to the API.
Or maybe I can add headers to check?
csrf changes broke things, easy fix
pip install django-honeypot installs version 1.1.0, released on December 9, 2023.
I made a quick change a few years ago to exclude urls from being checked. See domenkozar@99e423e
Hi there,
the check_honeypot currently only works with view methods as the inner decorator function assumes request to be the first argument. I tried to use the application with class based views, but the decorator will get passed self as the first argument.
Just an idea for an improvement!
With kind regards,
Henning
When I add honeypot.middleware.HoneypotViewMiddleware to MIDDLEWARE in settings.py I get the following error message
File "/opt/project/ncn/ncn/wsgi.py", line 16, in <module>
application = get_wsgi_application()
File "/usr/local/lib/python3.6/dist-packages/django/core/wsgi.py", line 13, in get_wsgi_application
return WSGIHandler()
File "/usr/local/lib/python3.6/dist-packages/django/core/handlers/wsgi.py", line 135, in __init__
self.load_middleware()
File "/usr/local/lib/python3.6/dist-packages/django/core/handlers/base.py", line 37, in load_middleware
mw_instance = middleware(handler)
TypeError: object() takes no parameters
The latest version in pypi doesn't work with Django 3.0.
As I see, you have already fixed this in master. Will be great to have this fix uploaded to pypi :)
admin_honeypot.LoginAttempt.ip_address: (fields.W900) IPAddressField has been deprecated. Will be removed in Django 1.9.
Use GenericIPAddressField instead.
The middleware content type check key and types are hardcoded and therefore don't allow honeypotting some pages they should. Perhaps the keys and types could be added as settings to override the defaults:
_HTML_TYPES = ('text/html', 'application/xhtml+xml')
content_type = response['Content-Type'].split(';')[0]
I believe response['Content-Type'] isn't working for me because my header is response['content-type'] or similar.
This is because in the middleware you call render_to_string which eventually makes a call to force_unicode. Now when you call re.sub a conversion has to be made. The solution is to inline the template with triple quotes and not call render_to_string.
If I don't pass the field name argument to the decorator then honeypot works fine.
Pseudo code below...
@check_honeypot('foo_field')
def contact_form(request, form_class=ContactForm):
    ...
Exception message:
AttributeError at /contact/
'str' object has no attribute 'module'
Request Method: GET
Request URL: http://127.0.0.1:8000/contact/
Exception Type: AttributeError
Exception Value:
'str' object has no attribute 'module'
Exception Location: /System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/functools.py in update_wrapper, line 33
Why did pipenv make this downgrade in Pipfile.lock?
"django": {
- "markers": "python_version >= '3.8'",
- "version": "==4.1.13"
+ "markers": "python_version >= '3.10'",
+ "version": "==5.0"
},
"django-honeypot": {
- "version": "==1.0.4"
+ "version": "==0.9.0"
},
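Review bot: the "django-honeypot" entry goes from "==1.0.4" to "==0.9.0" in the same lock update that moves "django" from "==4.1.13" to "==5.0", so a package that handles untrusted form input is silently rolled back to an older release. I would not accept the lock file in this state: put a lower bound of 1.0.4 on django-honeypot in the Pipfile so the resolver reports a conflict instead of backtracking, and re-lock afterwards. Note also that the "django" marker now requires python_version >= '3.10', which is worth checking against the deployment interpreter.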
Fixed in:
% python3.12 -m venv .venv
% source .venv/bin/activate
% pip install --upgrade pip
% pip install django==5.0 django-honeypot==1.0.4
--> Failure
% pip install django==5.0 django-honeypot
--> Success but with django-honeypot downgraded to v0.9.0
Please release a new version to PyPI. Done!
This seems to work perfectly on the development server, but as soon as I deploy and attempt to use this functionality I get Server Error (500). Any insight would be truly appreciated.
I also mentioned this issue in django-cookie-consent. Maybe both maintainers could work together to sort this out.
jazzband/django-cookie-consent#26
2 issues when using the combined middleware with django-cookie-consent.
Removing the combined middleware and django-honeypot completely caused both issues to go away.
First one is that I am unable to accept or decline cookies from the cookie bar that django-cookie-consent uses:
https://github.com/bmihelac/django-cookie-consent/blob/master/tests/core/templates/test_page.html
POST http://127.0.0.1:8000/cookies/accept/Stripe,Youtube/ 400 (Bad Request)
django-cookie-consent line showing the problem:
fetch(e.target.getAttribute("href"), {method: "POST"})
Failed to load resource. Responded a status of 400.
Tried changing the field name setting and that did not work.
The second one is that I am unable to use {% extends app/file.html %} to customize the honeypot_error.html file to make it look like the CSS the rest of my project uses.
If accepting or declining from the cookie bar:
POST http://127.0.0.1:8000/cookies/decline/Stripe,Youtube/ 500 (Internal Server Error)
django-cookie-consent line showing the problem:
fetch(e.target.getAttribute("href"), {method: "POST"})
If filling out the form (at /contact/ for example) and passing a value to the hidden django-honeypot value:
AttributeError at /contact/
'str' object has no attribute 'COOKIES'
cookie_consent/util.py in get_cookie_dict_from_request, line 36
https://github.com/bmihelac/django-cookie-consent/blob/master/cookie_consent/util.py
I want to implement timestamp-based verification, i.e., if the form is submitted too fast I want it to be invalid.
In other words I want a custom validator.
You say in the README that this is possible, but I'm unable to figure out how.
Please direct me to the method to achieve this.
Thanks!
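An added example (not code from the project or from either issue author) for the timestamp check asked for above and in the earlier README-recipe issue: a generator/verifier pair of the shape assigned to HONEYPOT_VALUE and HONEYPOT_VERIFIER on this page, rejecting submissions that arrive too fast as well as stale or tampered ones. It uses a standard-library HMAC instead of Django's Signer so that it runs without Django; SECRET, MIN_AGE, MAX_AGE and the `now` parameter are assumptions of the sketch.

```python
import hashlib
import hmac
import time

# Assumptions for this sketch: in a Django project the key would come from
# settings.SECRET_KEY; the age bounds are illustrative.
SECRET = b"constructed-demo-key"
MIN_AGE = 3            # seconds: anything faster is treated as automated
MAX_AGE = 60 * 60      # seconds: older values are stale (limits replay)


def _mac(ts):
    return hmac.new(SECRET, ts.encode("ascii"), hashlib.sha256).hexdigest()


def value_generator(now=None):
    """Value rendered into the hidden field: '<unix-ts>:<hmac>'."""
    # Wall-clock time, not time.monotonic(): the monotonic clock has an
    # undefined reference point, so its readings cannot be compared across
    # hosts or restarts.
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_mac(ts)}"


def value_verifier(value, now=None):
    """True only for an untampered value aged between MIN_AGE and MAX_AGE."""
    now = time.time() if now is None else now
    ts, sep, mac = (value or "").partition(":")
    if not sep or not ts.isascii() or not ts.isdigit():
        return False
    # Constant-time comparison on bytes; str input with non-ASCII would raise.
    submitted = mac.encode("utf-8", "replace")
    if not hmac.compare_digest(submitted, _mac(ts).encode("ascii")):
        return False
    age = now - int(ts)  # ts is authenticated at this point
    return MIN_AGE <= age <= MAX_AGE
```

Both functions work when called with a single argument or none, so they can be referenced from settings the same way as the recipe earlier on this page; `now` exists only to make the behaviour testable.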
I'm not understanding how to override the template without writing to the honeypot templates in the package. Is there a way to do this, and if so could this be explained more clearly in the documentation?
Thanks!
I'm not familiar with poetry but I think the line Django = "^2.2" in the pyproject.toml is causing this error when I try to install 1.0.0:
django-honeypot 1.0.0 depends on Django<3.0 and >=2.2
You will need to adapt your class:
Otherwise you will get an error like this:
File "/usr/local/lib/python2.7/dist-packages/django/utils/autoreload.py", line 226, in wrapper
fn(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/commands/runserver.py", line 142, in inner_run
handler = self.get_handler(*args, **options)
File "/usr/local/lib/python2.7/dist-packages/django/contrib/staticfiles/management/commands/runserver.py", line 27, in get_handler
handler = super(Command, self).get_handler(*args, **options)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/commands/runserver.py", line 64, in get_handler
return get_internal_wsgi_application()
File "/usr/local/lib/python2.7/dist-packages/django/core/servers/basehttp.py", line 49, in get_internal_wsgi_application
return import_string(app_path)
File "/usr/local/lib/python2.7/dist-packages/django/utils/module_loading.py", line 20, in import_string
module = import_module(module_path)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "/home/ubuntu/workspace/src/escalert/wsgi.py", line 16, in <module>
application = get_wsgi_application()
File "/usr/local/lib/python2.7/dist-packages/django/core/wsgi.py", line 14, in get_wsgi_application
return WSGIHandler()
File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/wsgi.py", line 153, in __init__
self.load_middleware()
File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py", line 82, in load_middleware
mw_instance = middleware(handler)
TypeError: object() takes no parameters
Would be cool if you could fix that!
The conflict is caused by:
The user requested Django==4.0.1
django-honeypot 1.0.2 depends on Django<4.0 and >=2.2
To fix this you could try to:
I am getting a conflict error with this package in django4.0.1.
Looks like you didn't dump it to django4 yet. Hope to see the update as soon as possible.