Flyspray - The bug killer!

  • Status Unconfirmed
  • Percent Complete
    0%
  • Task Type Bug Report
  • Category Backend/Core
  • Assigned To No-one
  • Operating System Windows 7
  • Severity High
  • Priority Very Low
  • Reported Version 1.0 devel (github master)
  • Due in Version Undecided
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Flyspray - The bug killer!
Opened by Nikos Baris - 01.02.2017
Last edited by peterdd - 10.03.2017

FS#2336 - Captcha validation always fail on registration

Correct or wrong code returns false!

The results of the Securimage Test Script on my server:

This script will test your PHP installation to see if Securimage will run on your server.

Session Functionality: Yes!
GD Support: Yes!
GD Version: bundled (2.1.0 compatible)
imageftbbox function: Yes!
TTF Support (FreeType): Yes!
JPEG Support: Yes!
PNG Support: Yes!
GIF Read Support: Yes!
GIF Create Support: Yes!
SQLite Support: Yes!
SQLite is available. If you choose to use it, Securimage can support users who do not accept cookies.
MySQL Support: Yes!
MySQL is available. If you choose to use it, Securimage can support users who do not accept cookies by storing codes in MySQL.
PostgreSQL Support: No
No PostgreSQL support.
LAME MP3 Support: No
LAME was not found, audio will work in WAV format, but not MP3. See Securimage HTML5 audio documentation for info.
Your server meets the requirements for using Securimage!

On modify.inc.php line 754 I got

if( !Post::isAlnum('captcha_code') || !$image->check(Post::val('captcha_code'))) {
if( true == false || false == false ) {

Nikos Baris commented on 01.02.2017 04:57

Hmmm, I selected "Bug Report" on this task and it was saved as "Information"; anyway, perhaps due to a wrong token on submit and re-submit.

Project Manager
peterdd commented on 02.02.2017 00:16

So it was just due to a session timeout?

captcha_code is stored for a session within $_SESSION, so you can try to debug with

print_r($_SESSION);

for instance, to find the root of your problem.

See also the current https://github.com/Flyspray/flyspray/blob/master/composer.json and what I added there to make the current securimage 3.6.5 work without forking securimage.

Nikos Baris commented on 02.02.2017 07:22

The only session I have (On registration page and after submit) is the following:

Array ( [csrftoken] => 24620 [tasklist] => Array ( [0] => 1 [1] => 2 ) )

Debug added to modify.inc.php

if($fs->prefs['captcha_securimage']){
	print_r($_SESSION); exit;
	$image = new Securimage(); 
	if( !Post::isAlnum('captcha_code') || !$image->check(Post::val('captcha_code'))) {
		# wrong code
		Flyspray::show_error(L('captchaerror') . ' ' . ($image->check($_POST['captcha_code']) ? 'true' : 'false'));
		break;
	}
}

also in /scripts/register.php

if($fs->prefs['captcha_securimage']){
	$captchaoptions = array(
		'input_name' => 'captcha_code',
		'show_audio_button' => false,
		'disable_flash_fallback' => true
	);
	$captcha_securimage_html=Securimage::getCaptchaHtml($captchaoptions);
	print_r($_SESSION);
	$page->assign('captcha_securimage_html', $captcha_securimage_html);
}

My composer.json is also correct

{
    "name": "flyspray/flyspray",
    "type": "application",
    "description": "The Flyspray bug tracking system.",
    "keywords": ["bug","bugs","tracker","issue","issues", "web"],
    "homepage": "http://flyspray.org",
    "license": "LGPL-2.1",
    "require": {
        "swiftmailer/swiftmailer": "~5.0",
        "adodb/adodb-php": "~5.20",
        "jamiebicknell/Sparkline": "1.*",
        "ezyang/htmlpurifier": "~4.8.0",
        "dapphp/securimage": "3.6.5",
        "league/oauth2-client": "~0.3|~0.12" 
    },
    "repositories": [
        {
            "type": "vcs",
            "url": "https://github.com/jamiebicknell/Sparkline"
        }
    ],
    "scripts": {
        "post-update-cmd": [
                "rm -rf vendor/dapphp/securimage/captcha.html vendor/dapphp/securimage/example_form.php vendor/dapphp/securimage/example_form.ajax.php vendor/dapphp/securimage/securimage_play.swf vendor/dapphp/securimage/examples/",
                "echo '<?php return array(\"session_name\"=>\"flyspray\"); ?>' > vendor/dapphp/securimage/config.inc.php"
        ]
    },
    "autoload": {
        "classmap": ["includes"],
        "files": ["includes/utf8.inc.php"],
        "psr-4": {
            "Flyspray\\": "src/"
        }
    }
}

I think getCaptchaHtml() does not create the session.

Nikos Baris commented on 02.02.2017 22:30

I think I found it.

(but not tested)

The problem arises because I run Flyspray on Windows. The composer.json file needs to be replaced with another one that works on Windows (rm is not recognized on Windows).

Solution: create two or more composer files for different OSes, for example
1. composer.json.linux
2. composer.json.windows (file included in attachments)

During "setup" of Flyspray add the following code (perhaps in /setup/copmoserit.php)

if ( strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' )
{
    // on Windows, swap in the composer.json variant without the 'rm' post-update-cmd;
    // rename() needs the file and the containing directory to be writable
    if ( is_writable('composer.json.windows') && is_writable('.') )
    {
        rename('composer.json.windows', 'composer.json');
    }
    else
    {
        exit('composer.json.windows is not writable');
    }
}
// on other OSes the shipped composer.json is kept as it is

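
A cross-platform alternative to OS-specific composer files, added here as an example and not Flyspray's own code: a small PHP script that does what the rm/echo post-update-cmd above does, which Composer would call as "php scripts/securimage_cleanup.php" (the script name and location are assumptions).

```php
<?php
// Added example (not Flyspray's own code): a cross-platform replacement for the
// "rm -rf ..." / "echo ... > config.inc.php" post-update-cmd in composer.json
// above. Run by Composer as "php scripts/securimage_cleanup.php" (hypothetical
// path), so it also works on Windows, where "rm" is not available.

$vendorDir = __DIR__ . '/../vendor/dapphp/securimage';

// The same files as in the rm command: examples and the flash player are not
// needed at runtime and should not be reachable under a web-exposed vendor/.
$removable = array(
    'captcha.html',
    'example_form.php',
    'example_form.ajax.php',
    'securimage_play.swf',
    'examples',
);

// Recursively delete a file or directory; returns true on success.
function removePath($path)
{
    if (is_dir($path) && !is_link($path)) {
        foreach (scandir($path) as $entry) {
            if ($entry === '.' || $entry === '..') {
                continue;
            }
            if (!removePath($path . DIRECTORY_SEPARATOR . $entry)) {
                return false;
            }
        }
        return rmdir($path);
    }
    return unlink($path);
}

foreach ($removable as $name) {
    $target = $vendorDir . DIRECTORY_SEPARATOR . $name;
    if (file_exists($target) && !removePath($target)) {
        fwrite(STDERR, "Could not remove $target\n");
        exit(1);
    }
}

// Same content the echo command wrote: bind securimage to the flyspray session name.
$config = "<?php return array('session_name' => 'flyspray'); ?>\n";
if (file_put_contents($vendorDir . '/config.inc.php', $config) === false) {
    fwrite(STDERR, "Could not write config.inc.php\n");
    exit(1);
}
echo "securimage vendor directory cleaned\n";
```

With this script in place the composer.json entry becomes a single "post-update-cmd": ["php scripts/securimage_cleanup.php"], so one composer.json serves Linux and Windows.
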
Simple Shop commented on 07.03.2017 18:43

How to enable captcha on user registration?
How to enable captcha at all?

In settings I do not find any settings regarding that..

Simple Shop commented on 07.03.2017 18:50

PS. I checked if captcha generation is working on PHP and it is..

Nikos Baris commented on 08.03.2017 06:44

@Simple Shop

Captcha registration is not available on the 1.0-rc4 release. This task is for the development version of Flyspray. Which version do you use?

Simple Shop commented on 08.03.2017 07:03

1.0-rc4

Project Manager
peterdd commented on 08.03.2017 21:57

Will release 1.0-rc5 soon.

Probably forced to add an option for Google reCaptcha2 for user registration, because securimage seems to be no obstacle anymore for those damn spambots.

But to address the problem of this task:
Probably best is to let Flyspray deliver what

vendor/dapphp/securimage/securimage_show.php

currently does. So we can fully deny access to the vendor/ directory and do not have to fiddle with composer.json to add/remove files in the vendor/ structure.

More spam prevention work needed, like greylisting of new users and/or a calculated 'spam score', limiting tasks/comments created per day / IP, noindex for tasks with a high spam score. But that's another topic ..

Simple Shop commented on 09.03.2017 15:06

Will wait for 1.0 RC5..

Google reCaptcha2 solution as option on user registration would be great..

Also consider adding a captcha option for new task opening and another option for new comments, so that you can fully control where you want captcha enabled and where not.

Project Manager
peterdd commented on 09.03.2017 23:20

Researcher Breaks reCAPTCHA(2) Using Google's Speech Recognition API

So, we can't fully prevent spambots by captchas. But we could add some spam prevention too, similar to how email spam prevention does, for instance:

  • limit amount of task/comments a new user can add (in a time range)
  • limit registration amount from IP/IPrange within a time frame (well, doesn't help against distributed spambots)
  • greylisting new tasks before they are visible for everybody/users/search engines.
  • calculate a spam score based (not only) on (quality/ bad word counter) task title/description
  • set 'noindex' for tasks detected/marked as spam, so search engines do not add them to their search index (e.g. when you close a task and mark it as WTF??? or SPAM, mark that close reason with a 'noindex') - for when you cannot/are not allowed to delete directly from the database by regulations.

Every such spam prevention stuff should be implemented as plugin. Some of the listed may not be allowed by your company/country regulations.

which leads to giving FS#407 higher priority and a rethinking.

Putting the prefs setting for securimage into flyspray-install.xml was an urgent exception.

;-) https://www.youtube.com/watch?v=fsF7enQY8uI
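
As an added example (not Flyspray's or peterdd's code), a sliding-window limiter covering the first two items of the list above: the class name and the in-memory storage are assumptions, and a Flyspray plugin would persist the timestamps in the database instead.

```php
<?php
// Added example (not Flyspray's own code): a sliding-window limiter for the
// "limit amount per new user in a time range" and "limit registrations per
// IP/IP range within a time frame" items above. Timestamps live in an
// in-memory array here; a real plugin would keep them in the database.

class SlidingWindowLimiter
{
    private $limit;
    private $windowSeconds;
    private $events = array(); // key => list of unix timestamps

    public function __construct($limit, $windowSeconds)
    {
        $this->limit = $limit;
        $this->windowSeconds = $windowSeconds;
    }

    // Records the event and returns true if $key (user id, IP or IP range) is
    // still under the limit; returns false otherwise. $now is injectable.
    public function allow($key, $now = null)
    {
        $now = ($now === null) ? time() : $now;
        $cutoff = $now - $this->windowSeconds;
        $recent = array();
        $seen = isset($this->events[$key]) ? $this->events[$key] : array();
        foreach ($seen as $t) {
            if ($t > $cutoff) $recent[] = $t; // drop timestamps outside the window
        }
        if (count($recent) >= $this->limit) {
            $this->events[$key] = $recent;
            return false;
        }
        $recent[] = $now;
        $this->events[$key] = $recent;
        return true;
    }
}

// Demo with constructed values: at most 3 registrations per /24 per hour.
$limiter = new SlidingWindowLimiter(3, 3600);
$ipRange = implode('.', array_slice(explode('.', '192.0.2.77'), 0, 3)) . '.0/24';
$t0 = 1486000000; // constructed fixed timestamp
$results = array();
for ($i = 0; $i < 4; $i++) { // fourth attempt within the hour is denied
    $results[] = $limiter->allow($ipRange, $t0 + $i * 60) ? 'allow' : 'deny';
}
$results[] = $limiter->allow($ipRange, $t0 + 3601) ? 'allow' : 'deny'; // oldest expired
echo implode(' ', $results), "\n";
```

Keying on a /24 instead of a single address is what the "IP range" item above asks for; as peterdd notes, it does not help against distributed spambots, so it is one layer beside greylisting and the spam score, not a replacement for them.
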

Project Manager
peterdd commented on 20.03.2017 20:59

Sorry for the delay, I'm a bit disappointed. I took a look at the default generated images of securimage from the viewpoint of a bot; it is IMHO quite easy to reverse the generated image and it is probably easy for a bot programmer to write (or plug together from existing stuff) a script that solves the captcha automatically.

So securimage for Flyspray requires:

  1. Writing a class (FSSecurimage?) that inherits securimage and rewrites the __construct() function.
  2. Tweaking a bunch of parameters that make it harder for image analyzing algorithms.

Alternatives

  1. write an own captcha generator. That only buys time until they get broken, maybe not even that. (I think of neural networks, even trained by users like recaptcha is. Nice perv twist, isn't it?)
  2. add mitigation to the harm a bad user (bot) can do. (see comment above)
