Use reCAPTCHA 2, bump version to 1.16.5

Author: epandurski

.env

@@ -28,8 +28,8 @@ CMBARTER_SHOW_CAPTCHA_ON_REPETITIVE_LOGIN_FAILURE=True
 # five unsuccessful attempts to log-in. If you have not altered the
 # default behavior, you should obtain your own public/private key pair
 # from www.google.com/recaptcha, and put it here:
-CMBARTER_RECAPTCHA_PUBLIC_KEY=6Ledx7wSAAAAAICFw8vB-2ghpDjzGogPRi6-3FCr
-CMBARTER_RECAPTCHA_PIVATE_KEY=6Ledx7wSAAAAAEskQ7Mbi-oqneHDSFVUkxGitn_y
+CMBARTER_RECAPTCHA_PUBLIC_KEY=6Lc902MUAAAAAJL22lcbpY3fvg3j4LSERDDQYe37
+CMBARTER_RECAPTCHA_PIVATE_KEY=6Lc902MUAAAAAN--r4vUr8Vr7MU1PF16D9k2Ds9Q
 
 # If a non-empty string is set as registration secret, CMB will
 # require a registration key for users to sign up. In this case

CHANGES

@@ -1,3 +1,6 @@
+July 12th, 2018
+v1.16.5 -- Use reCAPTCHA 2
+
 July 12th, 2017
 v1.16.4 -- Fixed CSS styling for input tags.
 

INSTALL

@@ -34,11 +34,11 @@ source code in your */usr/local/share/* directory::
 
   # cd /usr/local/share/
   # wget http://sourceforge.net/projects/cmb/files/tarballs/\
-  cmbarter-1.16.4.tar.gz/download -O cmbarter-1.16.4.tar.gz
+  cmbarter-1.16.5.tar.gz/download -O cmbarter-1.16.5.tar.gz
   ...
 
-  # tar -xzf cmbarter-1.16.4.tar.gz
-  # mv cmbarter-1.16.4 cmbarter
+  # tar -xzf cmbarter-1.16.5.tar.gz
+  # mv cmbarter-1.16.5 cmbarter
 
 Also, make sure a *Python 2.7* interpreter is installed on your
 server.
@@ -300,11 +300,11 @@ Here are the installation steps that you should perform:
 
      $ cd ~
      $ wget http://sourceforge.net/projects/cmb/files/tarballs/\
-     cmbarter-1.16.4.tar.gz/download -O cmbarter-1.16.4.tar.gz
+     cmbarter-1.16.5.tar.gz/download -O cmbarter-1.16.5.tar.gz
      ...
 
-     $ tar -xzf cmbarter-1.16.4.tar.gz
-     $ mv cmbarter-1.16.4 cmbarter
+     $ tar -xzf cmbarter-1.16.5.tar.gz
+     $ mv cmbarter-1.16.5 cmbarter
 
 3. Restrict access to those source files that may contain sensitive
    information::

cmbarter/modules/captcha.py

@@ -1,7 +1,7 @@
-import urllib2, urllib
+import urllib2, urllib, json
 
-API_SSL_SERVER="https://www.google.com/recaptcha/api"
-API_SERVER="http://www.google.com/recaptcha/api"
+API_SSL_SERVER="https://www.google.com/recaptcha/api.js"
+API_SERVER="http://www.google.com/recaptcha/api.js"
 VERIFY_SERVER="www.google.com"
 
 class RecaptchaResponse(object):
@@ -18,27 +18,18 @@ def displayhtml (public_key,
     use_ssl -- Should the request be sent over ssl?
     error -- An error message to display (from RecaptchaResponse.error_code)"""
 
-    error_param = ''
-    if error:
-        error_param = '&error=%s' % error
-
     if use_ssl:
         server = API_SSL_SERVER
     else:
         server = API_SERVER
 
-    return """<script type="text/javascript" src="%(ApiServer)s/challenge?k=%(PublicKey)s%(ErrorParam)s"></script>
-
-<noscript>
-  <iframe src="%(ApiServer)s/noscript?k=%(PublicKey)s%(ErrorParam)s" height="300" width="500" frameborder="0"></iframe><br />
-  <textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
-  <input type='hidden' name='recaptcha_response_field' value='manual_challenge' />
-</noscript>
-""" % {
-        'ApiServer' : server,
-        'PublicKey' : public_key,
-        'ErrorParam' : error_param,
-        }
+    return """<script src="%(ApiServer)s" async defer></script>
+    <br>
+    <div class="g-recaptcha" data-sitekey="%(PublicKey)s"></div>
+    """ % {
+        'ApiServer': server,
+        'PublicKey': public_key,
+    }
 
 
 def submit (recaptcha_challenge_field,
@@ -66,14 +57,13 @@ def encode_if_necessary(s):
         return s
 
     params = urllib.urlencode ({
-            'privatekey': encode_if_necessary(private_key),
-            'remoteip' :  encode_if_necessary(remoteip),
-            'challenge':  encode_if_necessary(recaptcha_challenge_field),
+            'secret': encode_if_necessary(private_key),
             'response' :  encode_if_necessary(recaptcha_response_field),
+            'remoteip' :  encode_if_necessary(remoteip),
             }).encode('ascii')
 
     request = urllib2.Request (
-        url = "http://%s/recaptcha/api/verify" % VERIFY_SERVER,
+        url = "https://%s/recaptcha/api/siteverify" % VERIFY_SERVER,
         data = params,
         headers = {
             "Content-type": "application/x-www-form-urlencoded",
@@ -83,12 +73,10 @@ def encode_if_necessary(s):
 
     httpresp = urllib2.urlopen (request)
 
-    return_values = httpresp.read ().splitlines ();
-    httpresp.close();
-
-    return_code = return_values [0]
+    return_object = json.loads(httpresp.read())
+    httpresp.close()
 
-    if (return_code == b"true"):
+    if (return_object["success"]):
         return RecaptchaResponse (is_valid=True)
     else:
-        return RecaptchaResponse (is_valid=False, error_code = return_values[1].decode('utf-8'))
+        return RecaptchaResponse (is_valid=False, error_code="incorrect-captcha-sol")

cmbarter/users/views.py

@@ -152,8 +152,8 @@ def login_captcha(request, tmpl='login_captcha.html'):
 
     if request.method == 'POST':
         captcha_response = captcha.submit(
-            request.POST.get('recaptcha_challenge_field'),
-            request.POST.get('recaptcha_response_field'),
+            'g-recaptcha-challenge',
+            request.POST.get('g-recaptcha-response'),
             settings.CMBARTER_RECAPTCHA_PIVATE_KEY,
             request.META['REMOTE_ADDR'])
         captcha_error = captcha_response.error_code
@@ -315,8 +315,8 @@ def signup(request, tmpl='signup.html'):
     if request.method == 'POST':
         if settings.CMBARTER_SHOW_CAPTCHA_ON_SIGNUP:
             captcha_response = captcha.submit(
-                request.POST.get('recaptcha_challenge_field'),
-                request.POST.get('recaptcha_response_field'),
+                'g-recaptcha-challenge',
+                request.POST.get('g-recaptcha-response'),
                 settings.CMBARTER_RECAPTCHA_PIVATE_KEY,
                 request.META['REMOTE_ADDR'])
             captcha_error = captcha_response.error_code

doc/cmb-install.pdf

@@ -2,7 +2,7 @@ version: '3.1'
 
 services:
   web:
-    image: epandurski/cmbarter:1.16.4-web
+    image: epandurski/cmbarter:1.16.5-web
     build:
       context: .
       dockerfile: docker/Dockerfile-web
@@ -17,7 +17,7 @@ services:
     env_file: .env
 
   db:
-    image: epandurski/cmbarter:1.16.4-db
+    image: epandurski/cmbarter:1.16.5-db
     build:
       context: .
       dockerfile: docker/Dockerfile-db
@@ -27,7 +27,7 @@ services:
       mode: global
 
   tasks:
-    image: epandurski/cmbarter:1.16.4-tasks
+    image: epandurski/cmbarter:1.16.5-tasks
     build:
       context: .
       dockerfile: docker/Dockerfile-tasks
@@ -42,7 +42,7 @@ services:
     # /run/secrets/cert.pem and /run/secrets/key.pem.  If they are not
     # found there, it falls back to a self-signed certificate.
 
-    image: epandurski/cmbarter:1.16.4-proxy
+    image: epandurski/cmbarter:1.16.5-proxy
     build:
       context: .
       dockerfile: docker/Dockerfile-proxy