Bug #28939 for Net-Akismet: significant bug in Net::Akismet

Wed Aug 22 07:09:16 2007 john [...] neggie.net - Ticket created

Subject:	significant bug in Net::Akismet
Date:	Wed, 22 Aug 2007 07:04:54 -0400
To:	bug-Net-Akismet [...] rt.cpan.org
From:	John Belmonte <john [...] neggie.net>

It seems that Net::Akismet is confusing the user agent making the request to Akismet with the user agent making the comment to the blog. These are two very different things, and both are required by Akismet. The user agent given to LWP::UserAgent->agent should be that of Net::Akismet-- that part is correct. The user agent given in the Akismet request (e.g., along side referrer) must be that which came from the comment posting. Akismet requires this to do its analysis. Unfortunately Net::Akismet is using its own user agent here, which could seriously skew the effects of the check/ham/spam requests. A patched to fix this problem is attached. It also addresses a smaller issue: Akismet's own user agent string should not have a space in it (i.e. "Akismet Perl")-- the HTTP spec says "<word> [/<version>]". LWP::UserAgent->agent has it's own agent and knows to prepend when your string ends with a space. I propose that the final user agent HTTP field look something like this e.g.: SomeBlogEngine/1.2 NetAkismet/0.02 libwww-perl/5.50 I think Akismet's suggestion of "|" as delimiter is incorrect.

Proposed Net::Akismet patch: * check/ham/spam functions take USER_AGENT field. This must be the User-Agent string from the comment HTTP request, and is required by Akismet. (See <http://akismet.com/development/api/>.) * improve Net::Akismet's own user agent string for standard conformance and to include libwww-perl component. --- Akismet.pm.orig 2007-08-18 15:20:56.000000000 -0400 +++ Akismet.pm 2007-08-18 15:21:03.000000000 -0400 @@ -14,9 +14,9 @@ use LWP::UserAgent; use HTTP::Request::Common; -our $VERSION = '0.02'; +our $VERSION = '0.03'; -my $UA_SUFFIX = "Akismet Perl/$VERSION"; +my $UA_SUFFIX = "Net-Akismet/$VERSION"; =head1 SYNOPSIS @@ -27,6 +27,7 @@ my $verdict = $akismet->check( USER_IP => '10.10.10.11', + USER_AGENT => 'Mozilla/5.0', COMMENT_CONTENT => 'Run, Lola, Run, the spam will catch you!', COMMENT_AUTHOR => 'dosser', COMENT_AUTHOR_EMAIL => 'dosser@subway.de', @@ -62,7 +63,7 @@ If supplied the value is prepended to this module's identification string to become something like: - yourkillerapp/0.042 | Akismet Perl/0.01 + your-killer-app/0.042 Net-Akismet/0.01 libwww-perl/5.8 Otherwise just Akismet Perl's user agent string will be sent. @@ -85,9 +86,10 @@ my $key = $self->{KEY} or return undef; my $url = $self->{URL} or return undef; - my $agent = $params{USER_AGENT}? "$params{USER_AGENT} | " : ''; - - $self->{ua}->agent($agent.$UA_SUFFIX); + # NOTE: trailing space leaves LWP::UserAgent agent string in place + my $agent = "$UA_SUFFIX "; + $agent = "$params{USER_AGENT} $agent" if $params{USER_AGENT}; + $self->{ua}->agent($agent); bless $self, $class; @@ -124,7 +126,11 @@ =item USER_IP -The B<only required> item. Represents the IP address of the comment submitter. +B<Required.> Represents the IP address of the comment submitter. + +=item USER_AGENT + +B<Required.> User agent string from the comment submitter's request. =item COMMENT_CONTENT @@ -208,14 +214,14 @@ my $comment = shift; - $comment->{USER_IP} || return undef; + $comment->{USER_IP} && $comment->{USER_AGENT} || return undef; my $response = $self->{ua}->request( POST "http://$self->{KEY}.rest.akismet.com/1.1/$action", [ blog => $self->{URL}, user_ip => $comment->{USER_IP}, - user_agent => $self->{ua}->agent(), + user_agent => $comment->{USER_AGENT}, referrer => $comment->{REFERRER}, permalink => $comment->{PERMALINK}, comment_type => $comment->{COMMENT_TYPE},

Mon Aug 27 03:23:41 2007 nbachiyski [...] developer.bg - Correspondence added

From:

nbachiyski [...] developer.bg

Sorry for the delay, and thank you for the patch. I applied it almost as-is. I just changed the Net::Akismet's user agent portion to Perl-Net-Akismet, it is important to know that it is the perl library. Also I had to rename the user agent key to COMMENT_USER_AGENT, because of POD links ambiguities.

Mon Aug 27 03:23:42 2007 The RT System itself - Status changed from 'new' to 'open'

Mon Aug 27 19:24:16 2007 john [...] neggie.net - Correspondence added

Subject:	Re: [rt.cpan.org #28939] significant bug in Net::Akismet
Date:	Mon, 27 Aug 2007 19:23:14 -0400
To:	bug-Net-Akismet [...] rt.cpan.org
From:	John Belmonte <john [...] neggie.net>

Nikolay Bachiyski via RT wrote: Show quoted text

> Also I had to rename the user agent key to COMMENT_USER_AGENT, > because of POD links ambiguities.

In the synopsis you are still showing my original name of USER_AGENT when calling check()-- that needs to be changed to COMMENT_USER_AGENT now.

Tue Aug 28 01:38:40 2007 nbachiyski [...] developer.bg - Correspondence added

From:

nbachiyski [...] developer.bg

Show quoted text

> In the synopsis you are still showing my original name of USER_AGENT > when calling check()-- that needs to be changed to COMMENT_USER_AGENT now.

Yeah, you are absolutely right. I uploaded the 0.03 quite er... prematurely :-) Also I will allow people to still use USER_AGENT for a key in the comments hash. Now I am attaching a patch for a preview. Thank you again, John.

Index: lib/Net/Akismet.pm =================================================================== --- lib/Net/Akismet.pm (revision 32) +++ lib/Net/Akismet.pm (working copy) @@ -14,7 +14,7 @@ use LWP::UserAgent; use HTTP::Request::Common; -our $VERSION = '0.03'; +our $VERSION = '0.04'; my $UA_SUFFIX = "Perl-Net-Akismet/$VERSION"; @@ -26,8 +26,8 @@ ) or die('Key verification failure!'); my $verdict = $akismet->check( - USER_IP => '10.10.10.11', - USER_AGENT => 'Mozilla/5.0', + USER_IP => '10.10.10.11', + COMMENT_USER_AGENT => 'Mozilla/5.0', COMMENT_CONTENT => 'Run, Lola, Run, the spam will catch you!', COMMENT_AUTHOR => 'dosser', COMENT_AUTHOR_EMAIL => 'dosser@subway.de', @@ -214,8 +214,14 @@ my $comment = shift; - $comment->{USER_IP} && $comment->{COMMENT_USER_AGENT} || return undef; + $comment->{USER_IP} && ($comment->{COMMENT_USER_AGENT} || $comment->{USER_AGENT}) || return undef; + # allow USER_AGENT key for backward compatibility with versions <0.03 + $comment->{COMMENT_USER_AGENT} = $comment->{USER_AGENT} unless $comment->{COMMENT_USER_AGENT}; + + # accomodate common misspelling + $comment->{REFERRER} = $comment->{REFERER} if !$comment->{REFERRER} && $comment->{REFERER}; + my $response = $self->{ua}->request( POST "http://$self->{KEY}.rest.akismet.com/1.1/$action", [

Tue Aug 28 23:15:12 2007 john [...] neggie.net - Correspondence added

Subject:	Re: [rt.cpan.org #28939] significant bug in Net::Akismet
Date:	Tue, 28 Aug 2007 23:11:52 -0400
To:	bug-Net-Akismet [...] rt.cpan.org
From:	John Belmonte <john [...] neggie.net>

Hi Nikolay, Show quoted text

> my $verdict = $akismet->check( > - USER_IP => '10.10.10.11', > - USER_AGENT => 'Mozilla/5.0', > + USER_IP => '10.10.10.11', > + COMMENT_USER_AGENT => 'Mozilla/5.0', > COMMENT_CONTENT => 'Run, Lola, Run, the spam will catch you!', > COMMENT_AUTHOR => 'dosser', > COMENT_AUTHOR_EMAIL => 'dosser@subway.de',

Looks like an extra tab sneaked in on the USER_IP line. I didn't notice before, but COMENT_AUTHOR_EMAIL is misspelled. Show quoted text

> - $comment->{USER_IP} && $comment->{COMMENT_USER_AGENT} || return undef; > + $comment->{USER_IP} && ($comment->{COMMENT_USER_AGENT} || $comment->{USER_AGENT}) || return undef; > > + # allow USER_AGENT key for backward compatibility with versions <0.03 > + $comment->{COMMENT_USER_AGENT} = $comment->{USER_AGENT} unless $comment->{COMMENT_USER_AGENT}; > + > + # accomodate common misspelling > + $comment->{REFERRER} = $comment->{REFERER} if !$comment->{REFERRER} && $comment->{REFERER}; > +

Since the mistake was only in the docs, technically you don't need to support USER_AGENT for backwards compatibility. (If the app was mis-setting the user agent in .03, it will continue to do so in .04-- i.e. no change in behavior.) Generally I think name aliases in API's are not good. If one programmer becomes accustomed to one name, he can get confused when reading some other programmer's code using a different name. To prevent hash key typo's (e.g. REFERER), ideally a module would verify that only recognized keys are present in hash inputs. Regards, --John

Thu Jun 05 15:05:38 2008 nbachiyski [...] developer.bg - Correspondence added

From:

nbachiyski [...] developer.bg

On Tue Aug 28 23:15:12 2007, john@neggie.net wrote: Show quoted text

> Hi Nikolay, >

> > my $verdict = $akismet->check( > > - USER_IP => '10.10.10.11', > > - USER_AGENT => 'Mozilla/5.0', > > + USER_IP => '10.10.10.11', > > + COMMENT_USER_AGENT => 'Mozilla/5.0', > > COMMENT_CONTENT => 'Run, Lola, Run, the spam will catch you!', > > COMMENT_AUTHOR => 'dosser', > > COMENT_AUTHOR_EMAIL => 'dosser@subway.de',

> > Looks like an extra tab sneaked in on the USER_IP line. I didn't > notice > before, but COMENT_AUTHOR_EMAIL is misspelled. >

> > - $comment->{USER_IP} && $comment->{COMMENT_USER_AGENT} || return

> undef;

> > + $comment->{USER_IP} && ($comment->{COMMENT_USER_AGENT} ||

> $comment->{USER_AGENT}) || return undef;

> > > > + # allow USER_AGENT key for backward compatibility with versions

> <0.03

> > + $comment->{COMMENT_USER_AGENT} = $comment->{USER_AGENT} unless

> $comment->{COMMENT_USER_AGENT};

> > + > > + # accomodate common misspelling > > + $comment->{REFERRER} = $comment->{REFERER} if !$comment- > >{REFERRER} && $comment->{REFERER}; > > +

> > Since the mistake was only in the docs, technically you don't need to > support USER_AGENT for backwards compatibility. (If the app was > mis-setting the user agent in .03, it will continue to do so in .04-- > i.e. no change in behavior.) > > Generally I think name aliases in API's are not good. If one > programmer > becomes accustomed to one name, he can get confused when reading some > other programmer's code using a different name. To prevent hash key > typo's (e.g. REFERER), ideally a module would verify that only > recognized keys are present in hash inputs. >

I agree :-) It was fixed in 0.04. Happy hacking, Nikolay.

Thu Jun 05 15:06:18 2008 nbachiyski [...] developer.bg - Correspondence added

Fixed in 0.04.

Thu Jun 05 15:06:23 2008 nbachiyski [...] developer.bg - Status changed from 'open' to 'resolved'