- Status Unconfirmed
- Percent Complete
- Task Type Bug Report
- Category Backend/Core
- Assigned To No-one
- Operating System Windows 7
- Severity High
- Priority Very Low
- Reported Version 1.0 devel (github master)
- Due in Version Undecided
- Due Date Undecided
- Votes
- Private
Attached to Project: Flyspray - The bug killer!
Opened by Nikos Baris - 01.02.2017
Last edited by peterdd - 10.03.2017
FS#2336 - Captcha validation always fail on registration
Correct or wrong code return false!
The results of Securimage Test Script on my server
This script will test your PHP installation to see if Securimage will run on your server.
Session Functionality: Yes!
GD Support: Yes!
GD Version: bundled (2.1.0 compatible)
imageftbbox function: Yes!
TTF Support (FreeType): Yes!
JPEG Support: Yes!
PNG Support: Yes!
GIF Read Support: Yes!
GIF Create Support: Yes!
SQLite Support: Yes! SQLite is available. If you choose to use it, Securimage can support users who do not accept cookies.
MySQL Support: Yes! MySQL is available. If you choose to use it, Securimage can support users who do not accept cookies by storing codes in MySQL.
PostgreSQL Support: No No PostgreSQL support.
LAME MP3 Support: No LAME was not found, audio will work in WAV format, but not MP3. See Securimage HTML5 audio documentation for info.
Your server meets the requirements for using Securimage!
on modify.inc.php line:754 got
if( !Post::isAlnum('captcha_code') || !$image->check(Post::val('captcha_code'))) {
if( true == false || false == false ) {
hmmm I Select "Bug Report" on this task and saved as "Information", anyway perhaps on wrongtoken on submit and re-submit again.
So it was just due to a session timeout?
captcha_code is stored for a session within $_SESSION , so you can try debug with
for instance to find root of your problem.
See also current https://github.com/Flyspray/flyspray/blob/master/composer.json what I added there to make current securimage 3.6.5 work without forking securimage.
The only session I have (On registration page and after submit) is the following:
Debug added to modify.inc.php
also in /scripts/register.php
My composer.json is also correct
I think the getCaptchaHtml() does not create Session
I think I found it.
(but not tested)
The problem came because I run flyspray on Windows OS. The composer.json file needs to be replaced with another working on Windows. (rm is not recognized on Windows)
Solution: Creating two/more composer files for different OS. for example
1. composer.json.linux
2. composer.json.windows (file included in attachments)
During "setup" of flyspray add the following code (perhaps on /setup/copmoserit.php)
How to enable captcha on user registration?
How to enable captcha at all?
In settings I do not find any settings regarding that..
PS. I checked if captcha generation is working on PHP and is..
@Simple Shop
Captcha registration is not available on 1.0-rc4 release. This task is for the development version of Flyspray. Which version you use?
1.0-rc4
Will release 1.0-rc5 soon.
Probably forced to add an option for Google reCaptcha2 for user registration, because securimage seems no obstacle anymore for those damn spambots.
But to address the problem of this task:
Probably best is to let Flyspray deliver what
currently does. So we can fully deny access to vendor/ directory and do not have to fiddle with composer.json to add/remove files in the vendor/ structure.
More spam prevention work needed, like greylisting of new users and/or calculated 'spam score', limiting tasks/comments created per day / IP, noindex for task with high spam score. But that's another topic ..
Will wait for 1.0 RC5..
Google reCaptcha2 solution as option on user registration would be great..
Also consider to add captcha option for new task opening and another option for new comment, so that you can fully control where you want captcha enabled and where not.
Researcher Breaks reCAPTCHA(2) Using Google's Speech Recognition API
So, we can't fully prevent spambots by captchas. But we could add some spam prevention too, similar to how email spam prevention does, for instance:
Every such spam prevention stuff should be implemented as plugin. Some of the listed may not be allowed by your company/country regulations.
which leads to FS#407 give higher priority and a rethinking.
Putting the prefs setting for securimage into flyspray-install.xml was an urgent exception.
Sorry for delay, I'm a bit disappointed. I took a look at the default generated images of securimage from the viewpoint of a bot, it is IMHO quite easy to reverse the generated image and it is probably easy for a bot programmer to write/(or plug together existing stuff) a script that solves the captcha automatically.
So securimage for Flyspray requires:
Alternatives
Flyspray 1.0-rc7 released.
Please test on Windows and report back if problem is resolved.
Flyspray 1.0-rc7 release has a .tgz with all 3rd party libs included.
(You need an unpacker on Windows that supports .tgz files. Sorry, no .zip as it was created on a machine without zip, only tar and gzip)
The source (.zip) is generated by github and contains only sources.
https://github.com/Flyspray/flyspray/releases
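The Windows failure reported in this task (a composer.json script calling rm, which cmd.exe does not provide) can be caught before a release by linting the "scripts" section. The following is an added example, not part of the original thread or of Flyspray's code; the POSIX_ONLY set, the function name and the sample composer.json (including its paths) are constructed for illustration.

```python
import json
import re

# Tools available in POSIX shells but not in a default Windows cmd.exe.
# Assumption for this example: the set is illustrative, not exhaustive.
POSIX_ONLY = {"rm", "cp", "mv", "ln", "chmod", "chown", "touch", "cat", "sed"}

# Constructed sample; the paths are placeholders, not Flyspray's real ones.
SAMPLE = r'''
{
  "scripts": {
    "post-install-cmd": [
      "rm -f vendor/example/captcha/example_form.php",
      "@php setup/check.php"
    ],
    "post-update-cmd": "cd vendor/example && rm -rf examples",
    "test": "Example\\Hooks::afterInstall"
  }
}
'''


def non_portable_scripts(composer_json_text):
    """Return (event, command, tool) for each shell entry under "scripts"
    that calls a POSIX-only tool anywhere in a &&, ||, ; or | chain."""
    scripts = json.loads(composer_json_text).get("scripts", {})
    findings = []
    for event, value in scripts.items():
        # A hook is either a single string or a list of strings.
        commands = [value] if isinstance(value, str) else list(value)
        for cmd in commands:
            # '@php', '@composer' and '@alias' entries are run by Composer.
            if cmd.startswith("@"):
                continue
            # 'Class::method' without spaces is a PHP callback, not a shell call.
            if " " not in cmd and "::" in cmd:
                continue
            for part in re.split(r"&&|\|\||[;|]", cmd):
                tokens = part.split()
                if tokens and tokens[0] in POSIX_ONLY:
                    findings.append((event, cmd, tokens[0]))
                    break
    return findings


if __name__ == "__main__":
    for event, cmd, tool in non_portable_scripts(SAMPLE):
        print(f"{event}: '{tool}' is not portable to Windows -> {cmd}")
```

Entries flagged this way can be replaced by a PHP callback or an `@php` script, which Composer runs the same way on every operating system.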