working captcha

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

working captcha

maxelcat
Dear All

I have spent quite a few hours playing with the captcha trying to get it to
work. There were some useful posts on the new group, but none of them was a
complete solution.

The below has worked for me... hopefully it will prove useful to someone
else.

This code is taken from a fairly old xwiki that my client didn't want to
upgrade. It is based around registerinline.vm, which had previously been
edited to add a lot more fields. I am not an expert on OOP but got it to
work with a selection of conditional statements.

First declare the plugin - you have to make sure its enabled - but
apparently it is by default. "if ($reg)..." will evaluate to true/false and
if the value is negative its an error. You test the state of the captcha
using $captchaPlugin.verifyCaptcha("edit")  where edit is the name - set
much later on.

One of the problems was that the form would come back with the correct
messages eg it would tell you if the captcha filled in wrong, but the new
user would still be regsitered (assuming all the other fields filled in
correctly). By playing I found that <input type="hidden" name="register"
value="1"/> was the key  - if value="1" then registration occurs, if ="0"
then it doesn't. So put this in a conditional - which seems to only depend
on the captcha being ture/flase - which was odd, because I would ahve
thought you'd want to test with $reg as well. However, I couldn't get it to
work with $reg at this stage - reg=$reg usually prints out the nunber - but
at this point it just printed out ref=$reg...

Don't forget to put "verifyCaptcha" into the action of the form tag.

call the displayCaptcha pass the class name as "register_captcha" which
should map to the css classname to render the image with
$captchaPlugin.displayCaptcha("edit","register_captcha")
pass the name as edit
go to
http://<host>:<port>/xwiki/bin/edit/XWiki/XWikiPreferences?editor=object&
find XWiki.XWikiPreferences[0]: XWiki.DefaultSkin select the values for
Anonymous: and Registered: as image or text - text gives you a simple sum to
fill in. There were 3 sets of each on mine, I set them all to imgae or all
to text


Anyway, back to work...




## declare the plugin

#set($captchaPlugin = $xwiki.jcaptcha)

#if(!$reg||$reg<0 )
    <p>Welcome .....</p>
  #end

#*
  if reg is true (ie form filled), but less than zero OR the captcha is
wrong
*#

  #if(  ($reg && $reg<=0) || !$captchaPlugin.verifyCaptcha("edit") )
    #if($reg==-2)
      #error("$msg.get('core.register.passwordMismatch')")
    #elseif($reg==-3)
      #error("$msg.get('core.register.userAlreadyExists')")
    #elseif($reg==-4)
      #error("$msg.get('core.register.invalidUsername')")
    #elseif($reg==-8)
      #error("$msg.get('core.register.userAlreadyExists')")
    #else
      ##error("$msg.get('core.register.registerFailed', [$reg])")
#error("The captcha field was filled in wrongly.")

    #end
  #elseif($reg && $captchaPlugin.verifyCaptcha("edit"))
    #set($xwname = "XWiki.${request.xwikiname}")
    #info("$msg.get('core.register.successful',
[$xwiki.getUserName($xwname), $request.xwikiname])")
  #end

##form appears if reg is not true or its -ve or capatcha is wrong


  #if(!$reg||$reg<0 || !$captchaPlugin.verifyCaptcha("edit") )
    <form id="register" action="verifyCaptcha" method="post">
      <div>
<input type="hidden" name="template" value="XWiki.XWikiUserTemplate" />

##this is a key statement

#if ($captchaPlugin.verifyCaptcha("edit"))
##set it to 1
<input type="hidden" name="register" value="1"/>
#else
##set it to 0
<input type="hidden" name="register" value="0"/>
#end

         #set($class = $xwiki.getClass("XWiki.XWikiUsers"))
        #set($obj = $class.newObject())
        #set($serverobj = $class.newObject())
        #set($discard = $doc.use("XWiki.XWikiUsers"))
        #if($request.register_first_name)
          $doc.set("first_name", $request.register_first_name)
        #end
        #if($request.register_last_name)
          $doc.set("last_name", $request.register_last_name)
        #end
        <dl>

##username
          <dt>$msg.get("core.register.username")</dt>
          <dd><input name="xwikiname" type="text" size="20" onfocus="
prepareName(document.forms.register);" /></dd>


... lots more fields


#if ($captchaPlugin)
  $captchaPlugin.displayCaptcha("edit","register_captcha")
#end


 <span class="buttonwrapper"><input type="submit"
value="$msg.get("core.register.submit")"/></span></div>



    </form>
  #end
_______________________________________________
users mailing list
[hidden email]
http://lists.xwiki.org/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: working captcha

AjdinBrandic
Edward

Correct me if I'm wrong but as I mentioned in my first reply to your
post a hacker can use GET method to post registration request in the
URL.
The hacker can set the value of register to 1 and this will pass your
check and register.  As you already know having incorrect captcher
doesn't matter, new user still gets registered.  Try GET method
yourself!!!  I hope I'm wrong :-(

Ajdin
 

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf
Of Edward Laptop
Sent: 09 July 2009 15:22
To: XWiki Users
Subject: [xwiki-users] working captcha

Dear All

I have spent quite a few hours playing with the captcha trying to get it
to work. There were some useful posts on the new group, but none of them
was a complete solution.

The below has worked for me... hopefully it will prove useful to someone
else.

This code is taken from a fairly old xwiki that my client didn't want to
upgrade. It is based around registerinline.vm, which had previously been
edited to add a lot more fields. I am not an expert on OOP but got it to
work with a selection of conditional statements.

First declare the plugin - you have to make sure its enabled - but
apparently it is by default. "if ($reg)..." will evaluate to true/false
and if the value is negative its an error. You test the state of the
captcha using $captchaPlugin.verifyCaptcha("edit")  where edit is the
name - set much later on.

One of the problems was that the form would come back with the correct
messages eg it would tell you if the captcha filled in wrong, but the
new user would still be regsitered (assuming all the other fields filled
in correctly). By playing I found that <input type="hidden"
name="register"
value="1"/> was the key  - if value="1" then registration occurs, if
="0"
then it doesn't. So put this in a conditional - which seems to only
depend on the captcha being ture/flase - which was odd, because I would
ahve thought you'd want to test with $reg as well. However, I couldn't
get it to work with $reg at this stage - reg=$reg usually prints out the
nunber - but at this point it just printed out ref=$reg...

Don't forget to put "verifyCaptcha" into the action of the form tag.

call the displayCaptcha pass the class name as "register_captcha" which
should map to the css classname to render the image with
$captchaPlugin.displayCaptcha("edit","register_captcha")
pass the name as edit
go to
http://<host>:<port>/xwiki/bin/edit/XWiki/XWikiPreferences?editor=object
&
find XWiki.XWikiPreferences[0]: XWiki.DefaultSkin select the values for
Anonymous: and Registered: as image or text - text gives you a simple
sum to fill in. There were 3 sets of each on mine, I set them all to
imgae or all to text


Anyway, back to work...




## declare the plugin

#set($captchaPlugin = $xwiki.jcaptcha)

#if(!$reg||$reg<0 )
    <p>Welcome .....</p>
  #end

#*
  if reg is true (ie form filled), but less than zero OR the captcha is
wrong *#

  #if(  ($reg && $reg<=0) || !$captchaPlugin.verifyCaptcha("edit") )
    #if($reg==-2)
      #error("$msg.get('core.register.passwordMismatch')")
    #elseif($reg==-3)
      #error("$msg.get('core.register.userAlreadyExists')")
    #elseif($reg==-4)
      #error("$msg.get('core.register.invalidUsername')")
    #elseif($reg==-8)
      #error("$msg.get('core.register.userAlreadyExists')")
    #else
      ##error("$msg.get('core.register.registerFailed', [$reg])")
#error("The captcha field was filled in wrongly.")

    #end
  #elseif($reg && $captchaPlugin.verifyCaptcha("edit"))
    #set($xwname = "XWiki.${request.xwikiname}")
    #info("$msg.get('core.register.successful',
[$xwiki.getUserName($xwname), $request.xwikiname])")
  #end

##form appears if reg is not true or its -ve or capatcha is wrong


  #if(!$reg||$reg<0 || !$captchaPlugin.verifyCaptcha("edit") )
    <form id="register" action="verifyCaptcha" method="post">
      <div>
<input type="hidden" name="template" value="XWiki.XWikiUserTemplate" />

##this is a key statement

#if ($captchaPlugin.verifyCaptcha("edit"))
##set it to 1
<input type="hidden" name="register" value="1"/> #else ##set it to 0
<input type="hidden" name="register" value="0"/> #end

         #set($class = $xwiki.getClass("XWiki.XWikiUsers"))
        #set($obj = $class.newObject())
        #set($serverobj = $class.newObject())
        #set($discard = $doc.use("XWiki.XWikiUsers"))
        #if($request.register_first_name)
          $doc.set("first_name", $request.register_first_name)
        #end
        #if($request.register_last_name)
          $doc.set("last_name", $request.register_last_name)
        #end
        <dl>

##username
          <dt>$msg.get("core.register.username")</dt>
          <dd><input name="xwikiname" type="text" size="20" onfocus="
prepareName(document.forms.register);" /></dd>


... lots more fields


#if ($captchaPlugin)
  $captchaPlugin.displayCaptcha("edit","register_captcha")
#end


 <span class="buttonwrapper"><input type="submit"
value="$msg.get("core.register.submit")"/></span></div>



    </form>
  #end
_______________________________________________
users mailing list
[hidden email]
http://lists.xwiki.org/mailman/listinfo/users
 
 
--------------------------------------------------------

NOTICE

This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential or privileged. Unauthorised use is strictly prohibited. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, except for the purpose of delivery to the addressee.

Any views or opinions expressed within this e-mail are those of the author and do not necessarily represent those of Coventry University.
_______________________________________________
users mailing list
[hidden email]
http://lists.xwiki.org/mailman/listinfo/users