From 5d9cf2aa41c61dd35114223006c5e16c104c5a2b Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Fri, 19 Jun 2009 12:31:28 +0000 Subject: [PATCH] Make captchas stricter by oly having one entry per session; fix a bug in ucp_register that caused three captcha instances to be generated. Non-MySQL databases and garbage collecting needs extensive testing. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9626 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/develop/create_schema_files.php | 1 + .../captcha/plugins/captcha_abstract.php | 53 ++++++++++--------- phpBB/includes/ucp/ucp_register.php | 14 ++--- phpBB/install/database_update.php | 5 ++ 4 files changed, 42 insertions(+), 31 deletions(-) diff --git a/phpBB/develop/create_schema_files.php b/phpBB/develop/create_schema_files.php index 05f1b217a4..e605d60a88 100644 --- a/phpBB/develop/create_schema_files.php +++ b/phpBB/develop/create_schema_files.php @@ -983,6 +983,7 @@ function get_schema_struct() 'confirm_type' => array('TINT:3', 0), 'code' => array('VCHAR:8', ''), 'seed' => array('UINT:10', 0), + 'attempts' => array('UINT', 0), ), 'PRIMARY_KEY' => array('session_id', 'confirm_id'), 'KEYS' => array( diff --git a/phpBB/includes/captcha/plugins/captcha_abstract.php b/phpBB/includes/captcha/plugins/captcha_abstract.php index 1682293c02..6962100945 100644 --- a/phpBB/includes/captcha/plugins/captcha_abstract.php +++ b/phpBB/includes/captcha/plugins/captcha_abstract.php @@ -28,6 +28,7 @@ class phpbb_default_captcha var $confirm_code; var $code; var $seed; + var $attempts = 0; var $type; var $solved = false; var $captcha_vars = false; @@ -43,7 +44,7 @@ class phpbb_default_captcha $this->type = (int) $type; - if (!strlen($this->confirm_id)) + if (!strlen($this->confirm_id) || !$this->load_code()) { // we have no confirm ID, better get ready to display something $this->generate_code(); @@ -183,7 +184,6 @@ class phpbb_default_captcha global $config, $db, $user; $error = ''; - $this->confirm_code = request_var('confirm_code', ''); if (!$this->confirm_id) { $error = $user->lang['CONFIRM_CODE_WRONG']; @@ -204,7 +204,7 @@ class phpbb_default_captcha if (strlen($error)) { // okay, incorrect answer. Let's ask a new question. - $this->generate_code(); + $this->new_attempt(); return $error; } else @@ -259,6 +259,29 @@ class phpbb_default_captcha $db->sql_query($sql); } + /** + * New Question, if desired. + */ + function new_attempt() + { + global $db, $user; + + $this->code = gen_rand_string(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS)); + $this->seed = hexdec(substr(unique_id(), 4, 10)); + $this->solved = false; + // compute $seed % 0x7fffffff + $this->seed -= 0x7fffffff * floor($this->seed / 0x7fffffff); + + $sql = 'UPDATE ' . CONFIRM_TABLE . ' SET ' . $db->sql_build_array('UPDATE', array( + 'code' => (string) $this->code, + 'seed' => (int) $this->seed)) . ' + , attempts = attempts + 1 + WHERE + confirm_id = \'' . $db->sql_escape($this->confirm_id) . '\' AND + session_id = \'' . $db->sql_escape($user->session_id) . '\''; + $db->sql_query($sql); + } + /** * Look up everything we need for painting&checking. */ @@ -266,7 +289,7 @@ class phpbb_default_captcha { global $db, $user; - $sql = 'SELECT code, seed + $sql = 'SELECT code, seed, attempts FROM ' . CONFIRM_TABLE . " WHERE confirm_id = '" . $db->sql_escape($this->confirm_id) . "' AND session_id = '" . $db->sql_escape($user->session_id) . "' @@ -279,6 +302,7 @@ class phpbb_default_captcha { $this->code = $row['code']; $this->seed = $row['seed']; + $this->attempts = $row['attempts']; return true; } @@ -287,15 +311,6 @@ class phpbb_default_captcha function check_code() { - global $db; - - if (empty($this->code)) - { - if (!$this->load_code()) - { - return false; - } - } return (strcasecmp($this->code, $this->confirm_code) === 0); } @@ -312,17 +327,7 @@ class phpbb_default_captcha function get_attempt_count() { - global $db, $user; - - $sql = 'SELECT COUNT(session_id) AS attempts - FROM ' . CONFIRM_TABLE . " - WHERE session_id = '" . $db->sql_escape($user->session_id) . "' - AND confirm_type = " . $this->type; - $result = $db->sql_query($sql); - $attempts = (int) $db->sql_fetchfield('attempts'); - $db->sql_freeresult($result); - - return $attempts; + return $this->attempts; } function reset() diff --git a/phpBB/includes/ucp/ucp_register.php b/phpBB/includes/ucp/ucp_register.php index 4815329643..e1a924ae58 100644 --- a/phpBB/includes/ucp/ucp_register.php +++ b/phpBB/includes/ucp/ucp_register.php @@ -52,13 +52,6 @@ class ucp_register add_form_key('ucp_register_terms'); } - $captcha_solved = false; - if ($config['enable_confirm']) - { - include($phpbb_root_path . 'includes/captcha/captcha_factory.' . $phpEx); - $captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']); - $captcha->init(CONFIRM_REG); - } if ($change_lang || $user_lang != $config['default_lang']) { @@ -150,6 +143,13 @@ class ucp_register return; } + $captcha_solved = false; + if ($config['enable_confirm']) + { + include($phpbb_root_path . 'includes/captcha/captcha_factory.' . $phpEx); + $captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']); + $captcha->init(CONFIRM_REG); + } // Try to manually determine the timezone and adjust the dst if the server date/time complies with the default setting +/- 1 $timezone = date('Z') / 3600; diff --git a/phpBB/install/database_update.php b/phpBB/install/database_update.php index 6f7216f82b..150ef20ca1 100644 --- a/phpBB/install/database_update.php +++ b/phpBB/install/database_update.php @@ -683,6 +683,11 @@ function database_update_info() // Changes from 3.0.5 '3.0.5' => array( + 'add_columns' => array( + CONFIRM_TABLE => array( + 'attempts' => array('UINT', 0), + ), + ), 'add_index' => array( LOG_TABLE => array( 'log_time' => array('log_time'),