Problem with tgcaptchab
Fred C
Hello Patrick,
There is a big problem with tgcaptcha. It is very easy to bypass
tgcaptcha just by crafting a call to the method /send without the
captcha information.
This call gives you an error 'Incorrect value' which is normal.
But this one works without a problem. The tgcaptcha.validator is never
called.
http://127.0.0.1:8080/send?name=dddd
I don't have enough knowledge of turbogears widget yet, to understand
how to fix this.
-fred-
Here is the sample code I used:
from turbogears import (controllers, expose, flash, validate,
error_handler, exception_handler)
from turbogears import widgets, validators
from tgcaptcha import CaptchaField
class TestForm(widgets.WidgetsList):
name = widgets.TextField(
validator=validators.NotEmpty(),
label="Name:")
captcha = CaptchaField(
label=' ',
help_text=_("Enter the text shown in the image"))
form = widgets.TableForm(fields=TestForm(), method="GET",
action="/send", submit_text=_("Send"),)
class Root(controllers.RootController):
@expose(template="jojo.templates.welcome")
def index(self, **kw):
print '-' * 78
print kw
return dict(form=form)
@expose()
@validate(form=form)
@error_handler(index)
def send(self, **kw):
return kw
Patrick Lewis
> Hello Patrick,
>
> There is a big problem with tgcaptcha. It is very easy to bypass
> tgcaptcha just by crafting a call to the method /send without the
> captcha information.
>
> This call gives you an error 'Incorrect value' which is normal.
>
it is specific to TGCapcha or not. For Instance, take this
controller:
http://paste.turbogears.org/paste/1776
It pretty much replicates what you are seeing. These work as expected
(first one passes, and the others raise validation errors)
http://localhost:8080/save?mywidget.hidden=1&mywidget.number=2
http://localhost:8080/save?mywidget.hidden=&mywidget.number=2
http://localhost:8080/save?mywidget.hidden=1&mywidget.number=foo
But this one doesn't raise any errors, and goes right to save.
http://localhost:8080/save
I don't know the answer to what is going on here. I'm afraid I'm going
to have to ask on the main TurboGears list and see if someone knows
what is going on.
Fred C
On Nov 23, 2007, at 7:28 AM, Patrick Lewis wrote:
>
> Yep, I can confirm that this is a problem, although I don't know that
> it is specific to TGCapcha or not. For Instance, take this
> controller:
>
> http://paste.turbogears.org/paste/1776
>
> It pretty much replicates what you are seeing. These work as expected
> (first one passes, and the others raise validation errors)
>
> http://localhost:8080/save?mywidget.hidden=1&mywidget.number=2
> http://localhost:8080/save?mywidget.hidden=&mywidget.number=2
> http://localhost:8080/save?mywidget.hidden=1&mywidget.number=foo
>
> But this one doesn't raise any errors, and goes right to save.
>
> http://localhost:8080/save
>
> I don't know the answer to what is going on here. I'm afraid I'm going
> to have to ask on the main TurboGears list and see if someone knows
> what is going on.
Yes I did some experiments and I came to the same conclusion. The
problem seems to be with CompoundFormFields. These fields are
validated only if a reference to that widget is present in the URL.
I have posted a messages on the TG mailing list but I never got any
answer. Maybe because the mail subject was TGCaptcha...
-fred-
FredC
TG.
http://blogmag.net/blog/read/31/Problem_with_TGCaptcha
Patrick Lewis
> Here is the description for a work around while waiting for a fix in
> TG.
>
> http://blogmag.net/blog/read/31/Problem_with_TGCaptcha
>
explicitly list your captcha widget (as a dict, None doesn't seem to
make a difference) in the method signature, then everything appears to
work properly. For instance:
def send(self, Captcha={}, **kw):
return kw
Until we get some resolution on the TurboGears side (and it may not
even be classified as a bug), I'm going to update the documentation
with this update.