From 1eab7acadba03debf346f7a20f70b2a3c57a42fd Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Fri, 2 Jan 2015 01:32:41 +0100
Subject: [PATCH] Fix captcha validation

Following 7bb78e4581ff1092c811ea96582fe602624cdcdd, it was no longer possible to validate the captcha, because the PHP session is destroyed as part of the logout performed in signup.php. We now retrieve the captcha key from the session before logging out.
Fixes #17993
---
 core/session_api.php | 1 +
 signup.php | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/core/session_api.php b/core/session_api.php
index ff1230a835..9f2ab4df7f 100644
--- a/core/session_api.php
+++ b/core/session_api.php
@@ -171,6 +171,7 @@ function destroy() {
 }
 unset( $_SESSION[ $this->key ] );
+ session_write_close();
 }
 }
diff --git a/signup.php b/signup.php
index 37f3f2725f..af5324f033 100644
--- a/signup.php
+++ b/signup.php
@@ -37,6 +37,9 @@ $f_email = email_append_domain( trim( $f_email ) ); $f_captcha = utf8_strtolower( trim( $f_captcha ) ); + # Retrieve captcha key now, as session might get cleared by logout + $t_form_key = session_get_int( CAPTCHA_KEY, null ); + # force logout on the current user if already authenticated if( auth_is_user_authenticated() ) { auth_logout();
@@ -50,8 +53,6 @@ if( ON == config_get( 'signup_use_captcha' ) && get_gd_version() > 0 && helper_call_custom_function( 'auth_can_change_password', array() ) ) { - $t_form_key = session_get( CAPTCHA_KEY ); - # captcha image requires GD library and related option to ON $t_key = utf8_strtolower( utf8_substr( md5( config_get( 'password_confirm_hash_magic_string' ) . $t_form_key ), 1, 5) );
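Review bot: The added `session_write_close();` at the end of `destroy()` closes the session for the rest of the request, and nothing at the call says so. After it, values written to the session later in the same request are not saved unless the session is started again, which a caller that logs out and then keeps working will not expect. I would add a comment above the call such as `# Flush and close the session so the cleared data is persisted; later writes in this request are not saved`. From the visible lines, `destroy()` only unsets this application's key and does not invalidate the session id; whether that happens elsewhere cannot be seen here, as the body of `destroy()` starts above the hunk.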
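Review bot: Passing `null` as the default in `$t_form_key = session_get_int( CAPTCHA_KEY, null );` lets a request whose session holds no captcha key carry on with an empty `$t_form_key` instead of stopping, assuming the default is returned when the key is absent. In the captcha block further down, the expected answer is then derived from `password_confirm_hash_magic_string` alone, so it is the same value for every such request rather than being tied to a captcha that was actually issued. The check should fail closed: inside the captcha block, before `$t_key` is computed, test `if( null === $t_form_key )` and raise the same error as a captcha mismatch. The captcha block itself lies outside this hunk.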