# HG changeset patch
# User Dan
# Date 1202344063 18000
# Node ID d907601ccad25c630e10bf3e1b7ad404297f5072
# Parent 6ae6e387a0e398e4196763abe9c3dbd523444262
Fixed some captcha bugs and made all captcha fields case-insensitive
diff -r 6ae6e387a0e3 -r d907601ccad2 includes/comment.php
--- a/includes/comment.php Wed Feb 06 18:41:47 2008 -0500
+++ b/includes/comment.php Wed Feb 06 19:27:43 2008 -0500
@@ -262,7 +262,7 @@
 if ( getConfig('comments_need_login') == '1' && !$session->user_logged_in )
 {
 $real_code = $session->get_captcha($data['captcha_id']);
- if ( $real_code != $data['captcha_code'] )
+ if ( strtolower($real_code) != strtolower($data['captcha_code']) )
 $errors[] = 'The confirmation code you entered was incorrect.';
 $session->kill_captcha();
 }
diff -r 6ae6e387a0e3 -r d907601ccad2 includes/pageutils.php
--- a/includes/pageutils.php Wed Feb 06 18:41:47 2008 -0500
+++ b/includes/pageutils.php Wed Feb 06 19:27:43 2008 -0500
@@ -699,7 +699,7 @@
 {
 if(!$captcha_code || !$captcha_id) _die('BUG: PageUtils::addcomment: no CAPTCHA data passed to method');
 $result = $session->get_captcha($captcha_id);
- if($captcha_code != $result) _die('The confirmation code you entered was incorrect.');
+ if(strtolower($captcha_code) != strtolower($result)) _die('The confirmation code you entered was incorrect.');
 }
 $text = RenderMan::preprocess_text($text);
 $name = $session->user_logged_in ? RenderMan::preprocess_text($session->username) : RenderMan::preprocess_text($name);
diff -r 6ae6e387a0e3 -r d907601ccad2 includes/sessions.php
--- a/includes/sessions.php Wed Feb 06 18:41:47 2008 -0500
+++ b/includes/sessions.php Wed Feb 06 19:27:43 2008 -0500
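Review bot: The comparison on the new `if` line still uses loose `!=`, and `strtolower()` maps both a missing submitted code and a `false` from `get_captcha()` (which returns `false` when no row matches, per the sessions.php hunk further down) to `''`, so an expired or unknown captcha id paired with an empty submission passes the check without adding an error. Reject an absent stored code explicitly and compare strictly, e.g. `if ( !is_string($real_code) || $real_code === '' || strcasecmp($real_code, (string) $data['captcha_code']) !== 0 )`. The same loose comparison is introduced in the includes/pageutils.php hunk and needs the same treatment there. The enclosing function starts and ends outside this hunk.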
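Review bot: On the new `if` line the wrong-code branch calls `_die()` without invalidating the captcha, whereas the comment.php hunk in this same commit calls `$session->kill_captcha()` after every check; in the lines visible here the captcha row is never discarded, so a wrong guess leaves the same stored code valid. If `addcomment` does not kill it elsewhere (the method starts and ends outside the hunk), invalidate before dying: `if(strtolower($captcha_code) != strtolower($result)) { $session->kill_captcha(); _die('The confirmation code you entered was incorrect.'); }`.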
@@ -2738,21 +2738,24 @@
 /**
 * Makes a CAPTCHA code and caches the code in the database
 * @param int $len The length of the code, in bytes
+ * @param string Optional, the hash to reuse
 * @return string A unique identifier assigned to the code. This hash should be passed to sessionManager::getCaptcha() to retrieve the code.
 */
- function make_captcha($len = 7)
+ function make_captcha($len = 7, $hash = '')
 {
 global $db, $session, $paths, $template, $plugins; // Common objects
 $code = $this->generate_captcha_code($len);
- $hash = md5(microtime() . mt_rand());
+ if ( !preg_match('/^[a-f0-9]{32}([a-z0-9]{8})?$/', $hash) )
+ $hash = md5(microtime() . mt_rand());
 $session_data = $db->escape(serialize(array()));
 // sanity check
 if ( !is_valid_ip(@$_SERVER['REMOTE_ADDR']) || !is_int($this->user_id) )
 return false;
- $this->sql('INSERT INTO '.table_prefix.'captcha(session_id, code, session_data, source_ip, user_id)' . " VALUES('$hash', '$code', '$session_data', '{$_SERVER['REMOTE_ADDR']}', {$this->user_id});");
+ $this->sql('DELETE FROM ' . table_prefix . "captcha WHERE session_id = '$hash';");
+ $this->sql('INSERT INTO ' . table_prefix . 'captcha(session_id, code, session_data, source_ip, user_id)' . " VALUES('$hash', '$code', '$session_data', '{$_SERVER['REMOTE_ADDR']}', {$this->user_id});");
 return $hash;
 }
@@ -2829,7 +2832,11 @@
 return false;
 }
- $q = $this->sql('SELECT code_id, code FROM ' . table_prefix . "captcha WHERE session_id = '$hash';");
+ // sanity check
+ if ( !is_valid_ip(@$_SERVER['REMOTE_ADDR']) || !is_int($this->user_id) )
+ return false;
+
+ $q = $this->sql('SELECT code_id, code FROM ' . table_prefix . "captcha WHERE session_id = '$hash' AND source_ip = '{$_SERVER['REMOTE_ADDR']};");
 if ( $db->numrows() < 1 )
 return false;
diff -r 6ae6e387a0e3 -r d907601ccad2 plugins/SpecialUserFuncs.php
--- a/plugins/SpecialUserFuncs.php Wed Feb 06 18:41:47 2008 -0500
+++ b/plugins/SpecialUserFuncs.php Wed Feb 06 19:27:43 2008 -0500
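Review bot: The whitelist regex on the new `$hash` line ends in `$`, which in PCRE also matches just before a trailing newline, so a value of 32 hex digits followed by a newline passes the check and is interpolated verbatim into the new DELETE and the INSERT; anchor it with `\z` or the `D` modifier, `if ( !preg_match('/^[a-f0-9]{32}([a-z0-9]{8})?$/D', $hash) )`. The added docblock line omits the parameter name and should read `@param string $hash Optional, the hash to reuse`. Note also that the new DELETE is scoped by `session_id` alone, so a reused hash replaces whatever row carries it regardless of its `source_ip` or `user_id`; if `$hash` can arrive from a request (the SpecialUserFuncs hunk below suggests it does), consider restricting the DELETE to the current `source_ip` or treating a hash owned by another client as invalid.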
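Review bot: The new SELECT line is missing the closing quote after the interpolated address: `source_ip = '{$_SERVER['REMOTE_ADDR']};"` closes the PHP string right after `;`, producing SQL of the form `... AND source_ip = '1.2.3.4;` (constructed example) that the database will reject, so every captcha lookup fails once this ships. It should read `"captcha WHERE session_id = '$hash' AND source_ip = '{$_SERVER['REMOTE_ADDR']}';"`. The added `is_valid_ip` guard ahead of the interpolation is the right check; it also requires `is_int($this->user_id)` even though `user_id` is not used in this query, so a non-integer user id now makes lookups fail for a reason unrelated to the address. get_captcha starts outside the hunk, so whether `$hash` is validated before it is interpolated cannot be confirmed here.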
@@ -1323,7 +1323,8 @@
 {
 $paths->main_page();
 }
-
+
+ $session->make_captcha(7, $hash);
 $code = $session->generate_captcha_code();
 $q = $db->sql_query('UPDATE ' . table_prefix . "captcha SET code = '$code' WHERE session_id = '$hash';");
 if ( !$q )
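Review bot: The return value of the added `$session->make_captcha(7, $hash)` call is discarded, yet per the sessions.php hunk in this commit make_captcha returns `false` when its sanity check fails and returns a freshly generated hash when the supplied `$hash` does not match its whitelist pattern; in both cases the UPDATE on the next lines targets the caller's original `$hash`, matches no row, and the code rendered and the code stored diverge. Check the result and bail out the way the preceding block does, e.g. `if ( $session->make_captcha(7, $hash) !== $hash ) { $paths->main_page(); }`. Since make_captcha now already stores a fresh code for this hash, the separate `generate_captcha_code()` + UPDATE appears to be kept only to obtain `$code` for rendering, which the hunk cannot confirm. The enclosing function starts and ends outside the hunk, so any earlier validation of `$hash` before it is interpolated into the UPDATE is not visible here.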