Skip to content
Permalink
Browse files

Merge pull request #857 from fedora-infra/feature/captcha-reuse

Disallow re-use of solved captchas.
  • Loading branch information...
lmacken committed Jul 6, 2016
2 parents 5f931f6 + 621bdd3 commit 8abdaa4b226742ffd6a63a13270bbd728a88fed3
Showing with 16 additions and 0 deletions.
  1. +1 −0 bodhi/captcha.py
  2. +15 −0 bodhi/validators.py
@@ -93,6 +93,7 @@ def generate_captcha(context, request):
plainkey, value = math_generator(plainkey=None, settings=settings)
cipherkey = encrypt(plainkey, settings)
url = request.route_url('captcha_image', cipherkey=cipherkey)
request.session['captcha'] = cipherkey # Remember this to stop replay.
return cipherkey, url


@@ -889,12 +889,27 @@ def validate_captcha(request):
request.errors.status = HTTPBadRequest.code
return

if 'captcha' not in request.session:
request.errors.add('session', 'captcha',
'Captcha cipher not in the session (replay).')
request.errors.status = HTTPBadRequest.code
return

if request.session['captcha'] != key:
request.errors.add('session', 'captcha',
'No captcha session cipher match (replay). %r %r' % (request.session['captcha'], key))
request.errors.status = HTTPBadRequest.code
return

if not captcha.validate(request, key, value):
request.errors.add('body', 'captcha_value',
'Incorrect response to the captcha.')
request.errors.status = HTTPBadRequest.code
return

# Nuke this to stop replay attacks. Once valid, never again.
del request.session['captcha']


def validate_stack(request):
"""Make sure this singular stack exists"""

0 comments on commit 8abdaa4

Please sign in to comment.
You can’t perform that action at this time.