joshfrench / rakismet

Easy Akismet and TypePad AntiSpam integration for Rails
MIT License

spam? should send any HTTP_ parameters except COOKIE to akismet #31

Closed ehoch closed 10 years ago

ehoch commented 11 years ago

Please do a little code review, but this will send along any HTTP_* headers (except COOKIE) to Akismet. In my support tickets with them they said these additional data points are extremely useful.

> So just to be clear I can pass in any CGI header as a parameter? As in:
>
> &HTTP_ACCEPT=text%2Fhtml%2Capplication%2Fxhtml%2Bxml%2Capplication%2Fxml%3Bq%3D0.9%2C*%2F*%3Bq%3D0.8
>
> If so, do you have a complete list of HTTP_ headers you use? Sorry, the
> HTTP protocol is far from my programming strongpoint.

Yes, you can send any header like that. There's no fixed list; you can just send anything starting with HTTP_ - some spambots and proxies add arbitrary headers, so that ensures we can see everything.

Oh, you should filter out HTTP_COOKIE and anything related to authentication - obviously there's a security risk in sending that to us.

joshfrench commented 11 years ago

Thanks for these patches! Sorry it's been taking me so long to review, I managed to break my collarbone since the last time we spoke :grimacing:

I merged the permalink patch but I'm going to think about this one for a bit. There are probably other auth headers that should be excluded by default and I'd like to expose the list somehow so that people can tailor it to their own applications.

ehoch commented 11 years ago

Ouch, sorry to hear that.

We can make a headers_blacklist config option that defaults to HTTP_COOKIE? Not sure what syntax you'd want.

Did you want me to take a stab at it or will you be able to helm?

ehoch commented 11 years ago

@joshfrench Just checking in to see where you're at with this? Hate to bother you with your recent injury but this spam is getting scary for me..

joshfrench commented 11 years ago

Ack, sorry man. Tell you what: rather than make you wait for me, I just gave you commit access :)

If I were going to implement this, I'd probably do it as a blacklist that took either an array or a proc and defaulted to at least ['HTTP_COOKIE']. Probably set it in config.exclude_headers or the like. Up to you, though!
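
The array-or-proc exclusion list sketched above, as an added example that is not rakismet's own code: it walks a Rack env, keeps only `HTTP_*` entries, drops anything on the exclusion list (an Array of names or a Proc deciding per header), and encodes the rest the way the quoted Akismet query string does. The module name, `DEFAULT_EXCLUDED_HEADERS`, `forwardable_headers` and the sample env are assumptions for this example.

```ruby
# Added example (not rakismet's own code): build the extra Akismet parameters
# from a Rack env hash, forwarding HTTP_* entries minus an exclusion list.
# AkismetHeaderFilter, DEFAULT_EXCLUDED_HEADERS and forwardable_headers are
# names assumed for this example, not rakismet's API.
require 'uri'

module AkismetHeaderFilter
  # Rack exposes request headers as HTTP_<NAME>. These carry session state or
  # credentials and must never leave the app by default (Akismet's own advice).
  DEFAULT_EXCLUDED_HEADERS = %w[
    HTTP_COOKIE HTTP_AUTHORIZATION HTTP_PROXY_AUTHORIZATION
  ].freeze

  # exclude_headers is either an Array of header names (case-insensitive) or a
  # Proc receiving (name, value) that returns true for headers to drop.
  def self.forwardable_headers(env, exclude_headers = DEFAULT_EXCLUDED_HEADERS)
    env.each_with_object({}) do |(name, value), out|
      next unless name.is_a?(String) && name.start_with?('HTTP_')
      next if excluded?(name, value, exclude_headers)
      out[name] = value
    end
  end

  def self.excluded?(name, value, exclude_headers)
    case exclude_headers
    when Proc then exclude_headers.call(name, value) ? true : false
    else exclude_headers.map(&:upcase).include?(name.upcase)
    end
  end

  # Encode as the application/x-www-form-urlencoded fragment appended to the
  # comment-check request ('/' -> %2F, ',' -> %2C, '*' left as-is).
  def self.to_query(params)
    URI.encode_www_form(params)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample Rack env, not a captured request.
  env = {
    'REQUEST_METHOD'     => 'POST',
    'HTTP_ACCEPT'        => 'text/html,application/xhtml+xml,*/*;q=0.8',
    'HTTP_COOKIE'        => '_session_id=abc123',
    'HTTP_AUTHORIZATION' => 'Bearer not-a-real-token',
    'HTTP_X_SPAMBOT'     => 'yes'
  }
  puts AkismetHeaderFilter.to_query(AkismetHeaderFilter.forwardable_headers(env))
end
```

A Proc is the place to drop app-specific secrets the default list cannot know about, such as a custom `HTTP_X_API_KEY` header.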

ehoch commented 11 years ago

@joshfrench Okay thanks man. I will go ahead and rework it to be a customizable array and do the PR myself. Definitely appreciate the trust on this one..

joshfrench commented 11 years ago

No worries! Happy to have someone with the time & motivation to work on it.

ehoch commented 11 years ago

Done with the configurable excluded headers. I'm actually testing this one out in the wild using one of my sites. Once Akismet gives me the thumbs up we'll merge it in (and hopefully you can do a new gem for me).