Captcha request replay

Created on 24 February 2022, about 3 years ago
Updated 14 April 2023, about 2 years ago

Problem/Motivation

Trying to avoid request replay on node submit forms

Steps to reproduce

- Add a Math CAPTCHA to a node form, let's say the article content type
- Fill out the form, including the captcha_response
- Submit the form and grab the payload (I am using Firefox to grab and resend the requests)
- Resend the same payload from the step before
- Node is added

Proposed resolution

Shouldn't CAPTCHA prevent the request replay, or is this the expected behavior?
I noticed that when resending the payload (outside the form) the CAPTCHA is not validated.

💬 Support request
Status

Postponed: needs info

Version

2.0

Component

Tests

Created by

🇧🇷 Brazil phc.maia


Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇧🇷 Brazil phc.maia

    Hey @Anybody, sorry I missed your messages.
    I am running Drupal 9 and Captcha version 1.10. I have selected "Always add a challenge." in the Settings page and still I can replay the requests; the node gets created once more.

  • murat_kekic → made their first commit to this issue's fork.

  • I'm encountering this issue with a webform that uses a confirmation step and with one of my custom forms. In both cases, after submission, the CAPTCHA element is not being rebuilt, either because it's no longer included in the form or because $form_state->setRebuild() is not being called.

    This causes the issue because the solution is updated in preRenderProcess. If the element is not rebuilt/rerendered, the solution remains unchanged, allowing the same solution to be reused as many times as possible.

    In my opinion, @anybody's approach was correct but incomplete. The CAPTCHA status also needs to be updated to 'unsolved' whenever the solution is updated.

    I have updated the _captcha_update_captcha_session function to always set 'status' to 'unsolved'.

    From captcha.inc (with the namespace import the constant needs):

    use Drupal\captcha\Constants\CaptchaConstants;

    /**
     * Stores a new solution for a CAPTCHA session and marks it unsolved again,
     * so a 'solved' status left over from an earlier validation cannot be reused.
     */
    function _captcha_update_captcha_session($captcha_sid, $solution) {
      \Drupal::database()->update('captcha_sessions')
        ->condition('csid', $captcha_sid)
        ->fields([
          'timestamp' => \Drupal::time()->getRequestTime(),
          'solution' => $solution,
          // Reset on every solution change, not only when a session is created.
          'status' => CaptchaConstants::CAPTCHA_STATUS_UNSOLVED,
        ])
        ->execute();
    }
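
    As an added example (not the captcha module's code and not the commenter's patch), the following stand-alone PHP script models the mechanism described in the comment above: a session whose status stays 'solved' lets a captured csid and response be replayed, whether the element is never rebuilt or the solution is regenerated without resetting the status. The CaptchaSessionStore class, its method names, the in-memory table and the "accept a session already marked solved" short-circuit are assumptions made for the illustration, not the module's real logic.

```php
<?php
// Added example (not the captcha module's code): a stand-alone model of the
// session reuse discussed in this issue. The in-memory store, the method names
// and the "accept a session already marked solved" short-circuit are
// assumptions used to show the mechanism, not the module's actual code paths.

const CAPTCHA_STATUS_UNSOLVED = 0;
const CAPTCHA_STATUS_SOLVED = 1;

final class CaptchaSessionStore {
  /** @var array<int, array{solution: string, status: int}> Stand-in for the captcha_sessions table. */
  private array $sessions = [];
  private int $nextCsid = 1;

  /** Creates a session for a freshly generated challenge and returns its csid. */
  public function create(string $solution): int {
    $csid = $this->nextCsid++;
    $this->sessions[$csid] = ['solution' => $solution, 'status' => CAPTCHA_STATUS_UNSOLVED];
    return $csid;
  }

  /**
   * Stores a regenerated solution, in the role of _captcha_update_captcha_session().
   * $resetStatus = TRUE models the fix from this thread (status forced back to unsolved).
   */
  public function updateSolution(int $csid, string $solution, bool $resetStatus): void {
    $this->sessions[$csid]['solution'] = $solution;
    if ($resetStatus) {
      $this->sessions[$csid]['status'] = CAPTCHA_STATUS_UNSOLVED;
    }
  }

  /** Validates a response; returns TRUE when the submission should be accepted. */
  public function validate(int $csid, string $response): bool {
    if (!isset($this->sessions[$csid])) {
      return FALSE;
    }
    $session = &$this->sessions[$csid];
    // Assumed short-circuit: a session already marked solved is trusted without
    // re-checking the response (the multi-step form convenience). A stale
    // 'solved' status is exactly what a replayed payload rides on.
    if ($session['status'] === CAPTCHA_STATUS_SOLVED) {
      return TRUE;
    }
    if (hash_equals($session['solution'], $response)) {
      $session['status'] = CAPTCHA_STATUS_SOLVED;
      return TRUE;
    }
    return FALSE;
  }
}

/**
 * Replays a captured payload under one of three server behaviours and reports
 * whether the second submission is accepted.
 *   'no-rebuild'        element not rebuilt: solution and status untouched
 *   'rebuild'           solution regenerated, status left as is (incomplete fix)
 *   'rebuild-and-reset' solution regenerated and status reset to unsolved
 */
function replayAccepted(string $mode): bool {
  $store = new CaptchaSessionStore();
  $csid = $store->create('7');               // constructed math challenge "3 + 4"
  if (!$store->validate($csid, '7')) {       // legitimate submit: node created
    throw new RuntimeException('legitimate submission must pass');
  }
  // Attacker resends the captured csid and response verbatim.
  if ($mode === 'rebuild') {
    $store->updateSolution($csid, '12', FALSE);
  }
  elseif ($mode === 'rebuild-and-reset') {
    $store->updateSolution($csid, '12', TRUE);
  }
  return $store->validate($csid, '7');
}

foreach (['no-rebuild', 'rebuild', 'rebuild-and-reset'] as $mode) {
  printf("%-18s replay %s\n", $mode, replayAccepted($mode) ? 'accepted' : 'rejected');
}
```

    Run it with `php replay-model.php` (any PHP 7.4 or later). The point it makes is that the status reset on its own is not enough: if the element is never rebuilt the old solution stays valid, and if the solution is regenerated without the reset the stale 'solved' status still lets the replay through. Both halves, the regeneration and the reset to unsolved, have to happen on the same request.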
    
  • I'll try to add a test case for this soon.

    For now, this patch is working for me.

  • 🇩🇪 Germany Anybody Porta Westfalica

    @murat_kekic thank you very very much, this sounds promising. Having a test for this is most important. Very much looking forward.

  • 🇩🇪 Germany Anybody Porta Westfalica
  • Pipeline finished with Failed
    4 months ago
    Total: 456s
    #375899
  • I was going to add some tests. While doing that, I noticed there's already a test very similar to the one I wrote. I checked why that test was passing and found out the helper function getCaptchaTokenFromForm wasn't working properly. It was assuming the CAPTCHA token to be an integer, which is not true. This caused some of the tests in CaptchaSessionReuseAttackTestCase to pass even though they should've failed.

    I fixed the getCaptchaTokenFromForm function so it works as expected now. After fixing it, the tests actually failed without the initial changes. Then I applied the changes, and the tests passed. So there were some broken tests that went unnoticed before.

  • Pipeline finished with Failed
    4 months ago
    Total: 405s
    #375906