From 8ce851382d76c909a24b51c24d6a67d5db179465 Mon Sep 17 00:00:00 2001
From: Evgeni Pandurski
Date: Thu, 12 Jul 2018 16:14:32 +0300
Subject: [PATCH] Use reCAPTCHA 2, bump version to 1.16.5

---
 .env | 4 ++--
 CHANGES | 3 +++
 INSTALL | 12 +++++-----
 cmbarter/modules/captcha.py | 46 +++++++++++++-----------------------
 cmbarter/users/views.py | 8 +++---
 doc/cmb-install.pdf | Bin 67299 -> 67281 bytes
 docker-compose.yml | 8 +++---
 7 files changed, 36 insertions(+), 45 deletions(-)

diff --git a/.env b/.env
index ebea9b2..9efb1d5 100644
--- a/.env
+++ b/.env
@@ -28,8 +28,8 @@ CMBARTER_SHOW_CAPTCHA_ON_REPETITIVE_LOGIN_FAILURE=True
 # five unsuccessful attempts to log-in. If you have not altered the
 # default behavior, you should obtain your own public/private key pair
 # from www.google.com/recaptcha, and put it here:
-CMBARTER_RECAPTCHA_PUBLIC_KEY=6Ledx7wSAAAAAICFw8vB-2ghpDjzGogPRi6-3FCr
-CMBARTER_RECAPTCHA_PIVATE_KEY=6Ledx7wSAAAAAEskQ7Mbi-oqneHDSFVUkxGitn_y
+CMBARTER_RECAPTCHA_PUBLIC_KEY=6Lc902MUAAAAAJL22lcbpY3fvg3j4LSERDDQYe37
+CMBARTER_RECAPTCHA_PIVATE_KEY=6Lc902MUAAAAAN--r4vUr8Vr7MU1PF16D9k2Ds9Q
 
 # If a non-empty string is set as registration secret, CMB will
 # require a registration key for users to sign up. In this case
diff --git a/CHANGES b/CHANGES
index ccd832a..1c70ec9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+July 12th, 2018
+v1.16.5 -- Use reCAPTCHA 2
+
 July 12th, 2017
 v1.16.4 -- Fixed CSS styling for input tags.
 
diff --git a/INSTALL b/INSTALL
index c76fdae..80966c2 100644
--- a/INSTALL
+++ b/INSTALL
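Review bot: The replacement value on the `+CMBARTER_RECAPTCHA_PIVATE_KEY=` line is a live reCAPTCHA secret committed to the repository, exactly like the one it replaces, so every clone carries it and any deployment that does not override .env silently shares one key pair. The comment directly above already tells operators to obtain their own pair; the committed default could be left empty (or an obvious placeholder) and the real secret delivered the way docker-compose.yml already delivers cert.pem and key.pem, as a `/run/secrets/` file, or through an environment override at deploy time. `PIVATE` in the variable name is a long-standing typo that views.py also spells this way; if it is ever corrected, .env and both call sites in views.py must change together.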
@@ -34,11 +34,11 @@ source code in your */usr/local/share/* directory::
 
   # cd /usr/local/share/
   # wget http://sourceforge.net/projects/cmb/files/tarballs/\
-    cmbarter-1.16.4.tar.gz/download -O cmbarter-1.16.4.tar.gz
+    cmbarter-1.16.5.tar.gz/download -O cmbarter-1.16.5.tar.gz
   ...
-  # tar -xzf cmbarter-1.16.4.tar.gz
-  # mv cmbarter-1.16.4 cmbarter
+  # tar -xzf cmbarter-1.16.5.tar.gz
+  # mv cmbarter-1.16.5 cmbarter
 
 Also, make sure a *Python 2.7* interpreter is installed on your server.
@@ -300,11 +300,11 @@ Here are the installation steps that you should perform:
 
      $ cd ~
      $ wget http://sourceforge.net/projects/cmb/files/tarballs/\
-       cmbarter-1.16.4.tar.gz/download -O cmbarter-1.16.4.tar.gz
+       cmbarter-1.16.5.tar.gz/download -O cmbarter-1.16.5.tar.gz
      ...
-     $ tar -xzf cmbarter-1.16.4.tar.gz
-     $ mv cmbarter-1.16.4 cmbarter
+     $ tar -xzf cmbarter-1.16.5.tar.gz
+     $ mv cmbarter-1.16.5 cmbarter
 
 3. Restrict access to those source files that may contain sensitive information::
diff --git a/cmbarter/modules/captcha.py b/cmbarter/modules/captcha.py
index c6f8cc8..4a0a083 100644
--- a/cmbarter/modules/captcha.py
+++ b/cmbarter/modules/captcha.py
@@ -1,7 +1,7 @@
-import urllib2, urllib
+import urllib2, urllib, json
 
-API_SSL_SERVER="https://www.google.com/recaptcha/api"
-API_SERVER="http://www.google.com/recaptcha/api"
+API_SSL_SERVER="https://www.google.com/recaptcha/api.js"
+API_SERVER="http://www.google.com/recaptcha/api.js"
 VERIFY_SERVER="www.google.com"
 
 class RecaptchaResponse(object):
@@ -18,27 +18,18 @@ def displayhtml (public_key,
     use_ssl -- Should the request be sent over ssl?
     error -- An error message to display (from RecaptchaResponse.error_code)"""
 
-    error_param = ''
-    if error:
-        error_param = '&error=%s' % error
-
     if use_ssl:
         server = API_SSL_SERVER
     else:
         server = API_SERVER
-    return """
-
-
-""" % {
-        'ApiServer' : server,
-        'PublicKey' : public_key,
-        'ErrorParam' : error_param,
-        }
+    return """
+
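Review bot: `API_SERVER="http://www.google.com/recaptcha/api.js"` still points the `use_ssl=False` path at a plaintext URL, so the widget script that gates login and signup would be fetched over unauthenticated HTTP, where it can be altered in transit, and on an HTTPS page browsers refuse it as mixed content. As far as I know Google only publishes the https address for api.js, and the verification call in the same file was already switched to `https://`, so the simplest fix is to make both constants the same: `API_SERVER = "https://www.google.com/recaptcha/api.js"` (or `API_SERVER = API_SSL_SERVER`). The `use_ssl` flag on displayhtml then becomes a no-op and its docstring line `use_ssl -- Should the request be sent over ssl?` should say so.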
+
+ """ % { + 'ApiServer': server, + 'PublicKey': public_key, + } def submit (recaptcha_challenge_field, @@ -66,14 +57,13 @@ def encode_if_necessary(s): return s params = urllib.urlencode ({ - 'privatekey': encode_if_necessary(private_key), - 'remoteip' : encode_if_necessary(remoteip), - 'challenge': encode_if_necessary(recaptcha_challenge_field), + 'secret': encode_if_necessary(private_key), 'response' : encode_if_necessary(recaptcha_response_field), + 'remoteip' : encode_if_necessary(remoteip), }).encode('ascii') request = urllib2.Request ( - url = "http://%s/recaptcha/api/verify" % VERIFY_SERVER, + url = "https://%s/recaptcha/api/siteverify" % VERIFY_SERVER, data = params, headers = { "Content-type": "application/x-www-form-urlencoded", @@ -83,12 +73,10 @@ def encode_if_necessary(s): httpresp = urllib2.urlopen (request) - return_values = httpresp.read ().splitlines (); - httpresp.close(); - - return_code = return_values [0] + return_object = json.loads(httpresp.read()) + httpresp.close() - if (return_code == b"true"): + if (return_object["success"]): return RecaptchaResponse (is_valid=True) else: - return RecaptchaResponse (is_valid=False, error_code = return_values[1].decode('utf-8')) + return RecaptchaResponse (is_valid=False, error_code="incorrect-captcha-sol") diff --git a/cmbarter/users/views.py b/cmbarter/users/views.py index 83d263d..9b9736d 100644 --- a/cmbarter/users/views.py +++ b/cmbarter/users/views.py @@ -152,8 +152,8 @@ def login_captcha(request, tmpl='login_captcha.html'): if request.method == 'POST': captcha_response = captcha.submit( - request.POST.get('recaptcha_challenge_field'), - request.POST.get('recaptcha_response_field'), + 'g-recaptcha-challenge', + request.POST.get('g-recaptcha-response'), settings.CMBARTER_RECAPTCHA_PIVATE_KEY, request.META['REMOTE_ADDR']) captcha_error = captcha_response.error_code 
@@ -315,8 +315,8 @@ def signup(request, tmpl='signup.html'):
     if request.method == 'POST':
         if settings.CMBARTER_SHOW_CAPTCHA_ON_SIGNUP:
             captcha_response = captcha.submit(
-                request.POST.get('recaptcha_challenge_field'),
-                request.POST.get('recaptcha_response_field'),
+                'g-recaptcha-challenge',
+                request.POST.get('g-recaptcha-response'),
                 settings.CMBARTER_RECAPTCHA_PIVATE_KEY,
                 request.META['REMOTE_ADDR'])
             captcha_error = captcha_response.error_code
diff --git a/doc/cmb-install.pdf b/doc/cmb-install.pdf
index 3d16648ab04cefad8105376cb5c5c13947dd5c54..28ee1067a0b793dd6e512a820623b9aa91175472 100644
GIT binary patch
delta 170
zcmaFd%W|=oWy4o3ZVLl*LnA|DLqk*3N!kv`+|AzF%hec7C;vX61SI7SDoi#Dk_55>
zf|P+|%|VsTGlG)xkQ7(~*%1eUlACJ|o_BF9$%-*HHHa}XF;3HuF*Y#pu*e8@t%xx&
VG>C{XGB(sy&>)~<`aCv9R{%eNG{yh`

delta 188
zcmccE%ksFFWy4o3ZgT^3LqkJLV+%urN!kv`+|AzF%hec7CjUO51SI7SDoi#Dk_55>
zf|P+|%|VsTGlG)xkQ7(~*%1eUlACJ|o_7h3F)}faF*Y@?@QpDtFpV)bH_M7KFfa{>
cjWIShj4?1W1qu7=RcI<`5UX^04;!N^0Q+7z$^ZZW

diff --git a/docker-compose.yml b/docker-compose.yml
index a4597f1..10bb1f6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,7 @@ version: '3.1'
 
 services:
   web:
-    image: epandurski/cmbarter:1.16.4-web
+    image: epandurski/cmbarter:1.16.5-web
     build:
       context: .
       dockerfile: docker/Dockerfile-web
@@ -17,7 +17,7 @@ services:
     env_file: .env
 
   db:
-    image: epandurski/cmbarter:1.16.4-db
+    image: epandurski/cmbarter:1.16.5-db
     build:
       context: .
       dockerfile: docker/Dockerfile-db
@@ -27,7 +27,7 @@ services:
       mode: global
 
   tasks:
-    image: epandurski/cmbarter:1.16.4-tasks
+    image: epandurski/cmbarter:1.16.5-tasks
     build:
       context: .
       dockerfile: docker/Dockerfile-tasks
@@ -42,7 +42,7 @@ services:
       # /run/secrets/cert.pem and /run/secrets/key.pem. If they are not
       # found there, it falls back to a self-signed certificate.
-    image: epandurski/cmbarter:1.16.4-proxy
+    image: epandurski/cmbarter:1.16.5-proxy
     build:
       context: .
       dockerfile: docker/Dockerfile-proxy