[dokuwiki] Re: Plugin captcha -
- From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
- To: DokuWiki Mailinglist <dokuwiki@xxxxxxxxxxxxx>
- Date: Thu, 2 Feb 2017 16:33:39 +0100
> Unfortunately it doesn't solve the problem. Here is one entry from the log:

Did those calls create spam?

> The difference that I see is that the POST returns now with code 302 (and
> empty size).

which is probably good. I guess the captcha stopped the submit and
returned the user to the page.

> But with the following (last) GET the content will be loaded
> (IMHO). I think the root cause is with the "GET
> /lib/plugins/captcha/img.php?secret=...". This creates a valid captcha (code)
> which can be used.

I know. But this is not a problem. Yes the secret tells the image
processor what image to create, but the new algorithm makes sure that
a captcha is only valid when a server side cookie for it exists.

> There is no check for the
> cookie - and can't be as the helper.php is not called.

This is a server side cookie. There is no request made by the browser for it.

The question is: did above log entries create spam?

Andi
--
splitbrain.org