  • Status Unconfirmed
  • Percent Complete
  • Task Type Bug Report
  • Category Backend/Core
  • Assigned To No-one
  • Operating System Windows 7
  • Severity Low
  • Priority Very Low
  • Reported Version 1.0 devel (github master)
  • Due in Version Undecided
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Flyspray
Opened by nikos - 01.02.2017
Last edited by peterdd - 15.03.2021

FS#2336 - Captcha validation always fail on registration

Correct or wrong code returns false!

The results of Securimage Test Script on my server

This script will test your PHP installation to see if Securimage will run on your server.

Session Functionality: Yes!
GD Support: Yes!
GD Version: bundled (2.1.0 compatible)
imageftbbox function: Yes!
TTF Support (FreeType): Yes!
JPEG Support: Yes!
PNG Support: Yes!
GIF Read Support: Yes!
GIF Create Support: Yes!
SQLite Support: Yes!
SQLite is available. If you choose to use it, Securimage can support users who do not accept cookies.
MySQL Support: Yes!
MySQL is available. If you choose to use it, Securimage can support users who do not accept cookies by storing codes in MySQL.
PostgreSQL Support: No
No PostgreSQL support.
LAME MP3 Support: No
LAME was not found, audio will work in WAV format, but not MP3. See Securimage HTML5 audio documentation for info.
Your server meets the requirements for using Securimage!

On line 754 I got:

if( !Post::isAlnum('captcha_code') || !$image->check(Post::val('captcha_code'))) {
if( true == false || false == false ) {

Edit 2021-03-15: Only affects Flyspray source releases on Windows where running composer is required. Releases with included dependencies are not affected!

nikos commented on 01.02.2017 04:57

hmmm, I selected "Bug Report" on this task and it was saved as "Information"; anyway, perhaps a wrong token on submit and re-submit again.

Project Manager

So it was just due to a session timeout?

captcha_code is stored for a session within $_SESSION, so you can try debugging with


for instance, to find the root of your problem.

See also what I added there currently to make current securimage 3.6.5 work without forking securimage.

nikos commented on 02.02.2017 07:22

The only session data I have (on the registration page and after submit) is the following:

Array ( [csrftoken] => 24620 [tasklist] => Array ( [0] => 1 [1] => 2 ) )

Debug added to:

	print_r($_SESSION); exit;
	$image = new Securimage();
	if( !Post::isAlnum('captcha_code') || !$image->check(Post::val('captcha_code'))) {
		# wrong code
		Flyspray::show_error(L('captchaerror') . ' ' . ($image->check($_POST['captcha_code']) ? 'true' : 'false'));
	}

also in /scripts/register.php:

	$captchaoptions = array(
		'input_name' => 'captcha_code',
		'show_audio_button' => false,
		'disable_flash_fallback' => true
	);
	$page->assign('captcha_securimage_html', $captcha_securimage_html);

My composer.json is also correct:

{
    "name": "flyspray/flyspray",
    "type": "application",
    "description": "The Flyspray bug tracking system.",
    "keywords": ["bug","bugs","tracker","issue","issues", "web"],
    "homepage": "",
    "license": "LGPL-2.1",
    "require": {
        "swiftmailer/swiftmailer": "~5.0",
        "adodb/adodb-php": "~5.20",
        "jamiebicknell/Sparkline": "1.*",
        "ezyang/htmlpurifier": "~4.8.0",
        "dapphp/securimage": "3.6.5",
        "league/oauth2-client": "~0.3|~0.12"
    },
    "repositories": [
        {
            "type": "vcs",
            "url": ""
        }
    ],
    "scripts": {
        "post-update-cmd": [
            "rm -rf vendor/dapphp/securimage/captcha.html vendor/dapphp/securimage/example_form.php vendor/dapphp/securimage/example_form.ajax.php vendor/dapphp/securimage/securimage_play.swf vendor/dapphp/securimage/examples/",
            "echo '<?php return array(\"session_name\"=>\"flyspray\"); ?>' > vendor/dapphp/securimage/"
        ]
    },
    "autoload": {
        "classmap": ["includes"],
        "files": ["includes/"],
        "psr-4": {
            "Flyspray\\": "src/"
        }
    }
}

I think getCaptchaHtml() does not create a session.

nikos commented on 02.02.2017 22:30

I think I found it.

(but not tested)

The problem came up because I run Flyspray on Windows. The composer.json file needs to be replaced with another one that works on Windows (rm is not recognized on Windows).

Solution: create two or more composer files for different OSes, for example:
1. composer.json.linux
2. (file included in attachments)

During "setup" of Flyspray add the following code (perhaps in /setup/composerit.php):

if ( strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' && is_writable('') ) {
    if ( !rename('', 'composer.json') ) {
        exit('composer.json is not writable');
    }
}

How to enable captcha on user registration?
How to enable captcha at all?

In the settings I do not find any setting regarding that..

PS. I checked whether captcha generation is working in PHP, and it is..

nikos commented on 08.03.2017 06:44

@Simple Shop

Captcha on registration is not available in the 1.0-rc4 release. This task is for the development version of Flyspray. Which version do you use?


Project Manager

Will release 1.0-rc5 soon.

Probably I am forced to add an option for Google reCaptcha2 for user registration, because securimage seems to be no obstacle anymore for those damn spambots.

But to address the problem of this task:
Probably the best is to let Flyspray deliver what


currently does. So we can fully deny access to the vendor/ directory and do not have to fiddle with composer.json to add/remove files in the vendor/ structure.

More spam prevention work is needed, like greylisting of new users and/or a calculated 'spam score', limiting tasks/comments created per day / IP, noindex for tasks with a high spam score. But that's another topic ..

Will wait for 1.0 RC5..

Google reCaptcha2 solution as option on user registration would be great..

Also consider adding a captcha option for opening new tasks and another option for new comments, so that you can fully control where you want captcha enabled and where not.

Project Manager

Researcher Breaks reCAPTCHA(2) Using Google's Speech Recognition API

So, we can't fully prevent spambots by captchas. But we could add some spam prevention too, similar to how email spam prevention does it, for instance:

  • limit the amount of tasks/comments a new user can add (in a time range)
  • limit the amount of registrations from an IP/IP range within a time frame (well, doesn't help against distributed spambots)
  • greylisting new tasks before they are visible for everybody/users/search engines.
  • calculate a spam score based (not only) on (quality / bad word counter) task title/description
  • set 'noindex' for tasks detected/marked as spam, so search engines do not add them to their search index (e.g. when you close a task and mark it as WTF??? or SPAM, mark that close reason with a 'noindex'), for when you cannot / are not allowed to delete directly from the database by regulations.

Every such spam prevention feature should be implemented as a plugin. Some of the listed ones may not be allowed by your company/country regulations.

which leads to giving FS#407 a higher priority and a rethinking.

Putting the prefs setting for securimage into flyspray-install.xml was an urgent exception.
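Two of the measures listed above (a registration limit per IP range within a time frame, and a spam score that drives a 'noindex' decision) as they could look inside a spam-prevention plugin. This is an added example, not Flyspray code; the storage is an in-memory array with constructed timestamps and addresses, the /24 and /48 prefix sizes, the bad-word list and the score threshold are assumptions, and a real plugin would persist the log in the database.

```php
<?php
// Added example, not Flyspray code: sliding-window registration limit per IP range
// plus a crude spam score for tasks. Storage is an in-memory array (constructed data).
declare(strict_types=1);

// Count per range rather than per address: /24 for IPv4, /48 for IPv6 (assumed
// prefix sizes; a distributed botnet still gets around this, as noted above).
function rangeKey(string $ip): string
{
    $bin = inet_pton($ip);
    if ($bin === false) {
        return 'invalid';
    }
    if (strlen($bin) === 4) {
        return inet_ntop(substr($bin, 0, 3) . "\0") . '/24';
    }
    return inet_ntop(substr($bin, 0, 6) . str_repeat("\0", 10)) . '/48';
}

// True when this IP range has registered fewer than $limit accounts in the last
// $windowSeconds. $log maps range key => Unix timestamps and is pruned in place.
function registrationAllowed(array &$log, string $ip, int $now, int $limit = 3, int $windowSeconds = 3600): bool
{
    $key = rangeKey($ip);
    $cutoff = $now - $windowSeconds;
    $recent = array_filter($log[$key] ?? [], function (int $t) use ($cutoff) {
        return $t > $cutoff;
    });
    $log[$key] = array_values($recent);
    if (count($log[$key]) >= $limit) {
        return false;          // deny: limit reached inside the window
    }
    $log[$key][] = $now;       // record this registration
    return true;
}

// Crude spam score from title/description: two points per link, one per hit in
// the bad-word list, one more for a shouted (all caps) title. List is constructed.
function spamScore(string $title, string $description, array $badWords): int
{
    $text = strtolower($title . ' ' . $description);
    $score = 2 * (int) preg_match_all('~https?://~', $text);
    foreach ($badWords as $word) {
        $score += substr_count($text, strtolower($word));
    }
    if (preg_match('/[A-Z]{4,}/', $title) && strtoupper($title) === $title) {
        $score += 1;
    }
    return $score;
}

// Tasks at or above the threshold get a robots 'noindex' meta tag (and could be greylisted).
function shouldNoindex(int $score, int $threshold = 3): bool
{
    return $score >= $threshold;
}

// Constructed demo: four registrations from 203.0.113.0/24 (TEST-NET-3) within three
// minutes, then one more after the hour has passed, and one from a different /24.
$log = [];
$base = 1000000;
$decisions = [];
foreach ([0, 60, 120, 180, 4000] as $offset) {
    $decisions[] = registrationAllowed($log, '203.0.113.7', $base + $offset) ? 'allow' : 'deny';
}
echo implode(' ', $decisions) . "\n";
echo 'other range: ' . (registrationAllowed($log, '203.0.114.9', $base + 180) ? 'allow' : 'deny') . "\n";

$score = spamScore('BUY CHEAP WATCHES', 'Visit http://example.invalid/ and http://example.invalid/2 now', ['cheap', 'buy']);
echo 'score=' . $score . ' noindex=' . (shouldNoindex($score) ? 'yes' : 'no') . "\n";
```

The limiter keeps only timestamps inside the window, so the fourth registration from the same /24 within the hour is denied while the one after the window expires and the one from another range are allowed. The score is deliberately simple; the thresholds and word list are the kind of thing the plugin would expose as settings, since what counts as spam is site specific.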


Project Manager

Sorry for the delay, I'm a bit disappointed. I took a look at the default generated images of securimage from the viewpoint of a bot; it is IMHO quite easy to reverse the generated image, and it is probably easy for a bot programmer to write (or plug together from existing stuff) a script that solves the captcha automatically.

So securimage for Flyspray requires:

  1. Writing a class (FSSecurimage?) that inherits from securimage and rewrites the __construct() function.
  2. Tweak a bunch of parameters that make it harder for image analyzing algorithms.


  1. Write an own captcha generator. That only buys time until they get broken, maybe not even that. (I think of neural networks, even trained by users like reCAPTCHA is. Nice perverse twist, isn't it?)
  2. Add mitigation to the harm a bad user (bot) can do (see comment above).

Project Manager

Flyspray 1.0-rc7 released.

Please test on Windows and report back if problem is resolved.

The Flyspray 1.0-rc7 release has a .tgz with all 3rd party libs included.
(You need an unpacker on Windows that supports .tgz files. Sorry, no .zip as it was created on a machine without zip, only tar and gzip.)

The source (.zip) is generated by github and contains only sources.

Project Manager

@nikos Probably a better approach is to call a script file in "post-update-cmd".

That (PHP?) script then checks in which environment it runs (unix-like or Windows) and uses the correct DIRECTORY_SEPARATOR and the correct commands (rm or del/rd) or PHP native functions to do the cleanup tasks.

This way there is no need for 2 different composer.json files.
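What such a script could look like, as an added example that is neither Flyspray's code nor the cleanup the project later shipped: it removes the same securimage example files that the composer.json above deletes with `rm -rf`, and writes the config file instead of using shell redirection, using only PHP's native filesystem functions so the same file works on Windows and unix-like systems. It reuses the `PHP_OS` test from nikos's setup snippet above. Assumptions: the script lives at scripts/composer-cleanup.php (hypothetical path) and composer runs it from the project root, so vendor/ is relative to getcwd(); the config file name, which this page elides, is assumed to be config.inc.php.

```php
<?php
// Added example (not Flyspray's own code): cross-platform cleanup script to call
// from composer.json "post-update-cmd" instead of "rm -rf ...".
// Assumed path: scripts/composer-cleanup.php, run from the project root.
declare(strict_types=1);

// Same OS test nikos uses above; only needed for the symlink special case below,
// the rest relies on PHP functions that behave the same on every platform.
function isWindows(): bool
{
    return strtoupper(substr(PHP_OS, 0, 3)) === 'WIN';
}

// Recursively delete a file or directory with native functions, so there is no
// dependency on rm, del or rd and DIRECTORY_SEPARATOR is always the right one.
function removePath(string $path): bool
{
    if (is_link($path)) {
        // On Windows a link/junction to a directory is removed with rmdir,
        // everywhere else a link is a file entry removed with unlink.
        return (isWindows() && is_dir($path)) ? rmdir($path) : unlink($path);
    }
    if (is_file($path)) {
        return unlink($path);
    }
    if (!is_dir($path)) {
        return true; // already gone, nothing to do
    }
    foreach (scandir($path) ?: [] as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        if (!removePath($path . DIRECTORY_SEPARATOR . $entry)) {
            return false;
        }
    }
    return rmdir($path);
}

// Guard: refuse any target whose resolved path is not strictly below vendor/, so
// a typo or a ".." in the list cannot delete files outside the vendor tree.
function insideVendor(string $target, string $vendorDir): bool
{
    $vendorReal = realpath($vendorDir);
    $parent = realpath(dirname($target));
    if ($vendorReal === false || $parent === false) {
        return false;
    }
    // For a link check the link entry itself, not what it points to.
    $real = is_link($target) ? $parent . DIRECTORY_SEPARATOR . basename($target) : realpath($target);
    return $real !== false && strpos($real, $vendorReal . DIRECTORY_SEPARATOR) === 0;
}

$vendorDir = getcwd() . DIRECTORY_SEPARATOR . 'vendor';
$securimageDir = $vendorDir . DIRECTORY_SEPARATOR . 'dapphp' . DIRECTORY_SEPARATOR . 'securimage';

// The securimage example files the composer.json above removes with rm -rf.
$toRemove = ['captcha.html', 'example_form.php', 'example_form.ajax.php',
             'securimage_play.swf', 'examples'];

foreach ($toRemove as $name) {
    $target = $securimageDir . DIRECTORY_SEPARATOR . $name;
    if (!file_exists($target) && !is_link($target)) {
        continue; // nothing to clean up (already removed or never installed)
    }
    if (!insideVendor($target, $vendorDir)) {
        fwrite(STDERR, "Refusing to remove $target: not inside vendor/\n");
        exit(1);
    }
    if (!removePath($target)) {
        fwrite(STDERR, "Could not remove $target\n");
        exit(1);
    }
    echo "Removed $target\n";
}

// Replacement for the shell redirection line: write the config file directly.
// The file name is elided on this page; config.inc.php is an assumption.
$configPath = $securimageDir . DIRECTORY_SEPARATOR . 'config.inc.php';
$config = "<?php return array(\"session_name\"=>\"flyspray\"); ?>\n";
if (file_put_contents($configPath, $config) === false) {
    fwrite(STDERR, "Could not write $configPath\n");
    exit(1);
}
echo "Wrote $configPath\n";
```

In composer.json the entry would then read `"post-update-cmd": ["@php scripts/composer-cleanup.php"]`; the `@php` prefix makes composer run the script with the same PHP binary it was started with. The `insideVendor()` check is the part worth keeping even if the list of files changes: a cleanup hook that runs on every `composer update` should never be able to delete anything outside vendor/.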
