[dokuwiki] Re: Plugin captcha -

From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
To: DokuWiki Mailinglist <dokuwiki@xxxxxxxxxxxxx>
Date: Thu, 2 Feb 2017 16:33:39 +0100

Unfortunately it doesn't solve the problem. Here one entry from the log:

did those calls create spam?

The difference what I see is that the POST returns now with code 302 (and
empty size).

which is probably good. I guess the captcha stopped the submit and
returned the user to the page.

But with the following (last) GET the content will be loaded

(IMHO). I think the root cause is with the "GET
/lib/plugins/captcha/img.php?secret=...". This creates a valid captca(code)
which can be used.

I know. But this is not a problem. Yes the secret tells the image
processor what image to create, but the new algorithm makes sure that
a captcha is only valid when a server side cookie for it exists.

There is no check for the
cookie - and can't be as the helper.php is not called.

This is a server side cookie. There is no request made by the browser for it.

The question is: did above log entries create spam?

Andi

--
splitbrain.org
--
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist

Follow-Ups:
- [dokuwiki] Re: Plugin captcha -
  - From: K. Peter

References:
- [dokuwiki] Plugin captcha -
  - From: K. Peter
- [dokuwiki] Re: Plugin captcha -
  - From: Andreas Gohr
- [dokuwiki] Re: Plugin captcha -
  - From: K. Peter
- [dokuwiki] Re: Plugin captcha -
  - From: Andreas Gohr
- [dokuwiki] Re: Plugin captcha -
  - From: Andreas Gohr
- [dokuwiki] Re: Plugin captcha -
  - From: K. Peter
- [dokuwiki] Re: Plugin captcha -
  - From: K. Peter

[dokuwiki] Re: Plugin captcha -

Other related posts: