Commit eec2e2d2 authored by klidifia's avatar klidifia Committed by elachlan

Issue #2896957 by klidifia, blacklabel_tom, arunkumark: Change "CAPTCHA...

Issue #2896957 by klidifia, blacklabel_tom, arunkumark: Change "CAPTCHA session reuse attack detected" message into watchdog/logger
parent 1c2632a7
...@@ -403,11 +403,22 @@ function _captcha_get_posted_captcha_info(array $element, FormStateInterface $fo ...@@ -403,11 +403,22 @@ function _captcha_get_posted_captcha_info(array $element, FormStateInterface $fo
->execute() ->execute()
->fetchField(); ->fetchField();
if ($expected_captcha_token !== $posted_captcha_token) { // If we do have a CAPTCHA token mismatch then log it.
if (empty($input['captcha_cacheable'])) { try {
drupal_set_message(t('CAPTCHA session reuse attack detected.'), 'error'); if (($expected_captcha_token !== $posted_captcha_token) && empty($input['captcha_cacheable'])) {
throw new \UnexpectedValueException('CAPTCHA session reuse attack detected.');
} }
// Invalidate the CAPTCHA session. }
catch (\Exception $e) {
\Drupal::logger('captcha')->debug(
'CAPTCHA session reuse attack detected on @form_id <br/>Posted CAPTCHA token: @posted_captcha_token <br/>Expected captcha token: @expected_captcha_token',
[
'@form_id' => $this_form_id,
'@expected_captcha_token' => var_export($expected_captcha_token, TRUE),
'@posted_captcha_token' => var_export($posted_captcha_token, TRUE),
]
);
$posted_captcha_sid = NULL; $posted_captcha_sid = NULL;
} }
// Invalidate CAPTCHA token to avoid reuse. // Invalidate CAPTCHA token to avoid reuse.
......
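Review bot: The combined condition on the new `if` means a token mismatch no longer clears `$posted_captcha_sid` when `captcha_cacheable` is set, whereas the old code invalidated the session on any mismatch and only suppressed the message for cacheable forms; if that unconditional invalidation was intentional, the check and the report need to be split again. The try/throw/catch wrapped around a single `if` only acts as a jump into the logger, leaves `$e` unused, and `catch (\Exception $e)` is wider than the one throw it guards, so a plain conditional says the same thing more directly. A detected session-reuse attempt is a security event, and `debug` is a level most sites discard, so `warning` looks like the better default, and the `<br/>` markup in the message belongs to whatever renders the log rather than the log record itself. With the user-facing message gone, `assertCaptchaSessionIdReuseAttackDetection` in the third file now only checks the generic wrong-response text, so nothing verifies that the log entry is written. `_captcha_get_posted_captcha_info` begins and ends outside this hunk, and `$this_form_id` is presumably defined earlier in it.
```php
  // … unchanged: expected-token lookup via ->execute()->fetchField() …
  if ($expected_captcha_token !== $posted_captcha_token) {
    // Report only for non-cacheable forms, as the previous user-facing
    // message did; invalidation below happens on every mismatch.
    if (empty($input['captcha_cacheable'])) {
      \Drupal::logger('captcha')->warning(
        'CAPTCHA session reuse attack detected on @form_id. Posted CAPTCHA token: @posted_captcha_token; expected CAPTCHA token: @expected_captcha_token',
        [
          '@form_id' => $this_form_id,
          '@expected_captcha_token' => var_export($expected_captcha_token, TRUE),
          '@posted_captcha_token' => var_export($posted_captcha_token, TRUE),
        ]
      );
    }
    // Invalidate the CAPTCHA session.
    $posted_captcha_sid = NULL;
  }
  // … unchanged: CAPTCHA token invalidation …
```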
...@@ -35,11 +35,6 @@ abstract class CaptchaBaseWebTestCase extends WebTestBase { ...@@ -35,11 +35,6 @@ abstract class CaptchaBaseWebTestCase extends WebTestBase {
*/ */
const CAPTCHA_WRONG_RESPONSE_ERROR_MESSAGE = 'The answer you entered for the CAPTCHA was not correct.'; const CAPTCHA_WRONG_RESPONSE_ERROR_MESSAGE = 'The answer you entered for the CAPTCHA was not correct.';
/**
* Session reuse attack error message.
*/
const CAPTCHA_SESSION_REUSE_ATTACK_ERROR_MESSAGE = 'CAPTCHA session reuse attack detected.';
/** /**
* Unknown CSID error message. * Unknown CSID error message.
*/ */
...@@ -138,11 +133,6 @@ abstract class CaptchaBaseWebTestCase extends WebTestBase { ...@@ -138,11 +133,6 @@ abstract class CaptchaBaseWebTestCase extends WebTestBase {
'CAPTCHA response should be accepted (known CSID).', 'CAPTCHA response should be accepted (known CSID).',
'CAPTCHA' 'CAPTCHA'
); );
// There should be no error message about CSID reuse attack.
$this->assertNoText(self::CAPTCHA_SESSION_REUSE_ATTACK_ERROR_MESSAGE,
'CAPTCHA response should be accepted (no CAPTCHA session reuse attack detection).',
'CAPTCHA'
);
// There should be no error message about wrong response. // There should be no error message about wrong response.
$this->assertNoText(self::CAPTCHA_WRONG_RESPONSE_ERROR_MESSAGE, $this->assertNoText(self::CAPTCHA_WRONG_RESPONSE_ERROR_MESSAGE,
'CAPTCHA response should be accepted (correct response).', 'CAPTCHA response should be accepted (correct response).',
......
...@@ -13,10 +13,6 @@ class CaptchaSessionReuseAttackTestCase extends CaptchaBaseWebTestCase { ...@@ -13,10 +13,6 @@ class CaptchaSessionReuseAttackTestCase extends CaptchaBaseWebTestCase {
* Assert that the CAPTCHA session ID reuse attack was detected. * Assert that the CAPTCHA session ID reuse attack was detected.
*/ */
protected function assertCaptchaSessionIdReuseAttackDetection() { protected function assertCaptchaSessionIdReuseAttackDetection() {
$this->assertText(self::CAPTCHA_SESSION_REUSE_ATTACK_ERROR_MESSAGE,
'CAPTCHA session ID reuse attack should be detected.',
'CAPTCHA'
);
// There should be an error message about wrong response. // There should be an error message about wrong response.
$this->assertText(self::CAPTCHA_WRONG_RESPONSE_ERROR_MESSAGE, $this->assertText(self::CAPTCHA_WRONG_RESPONSE_ERROR_MESSAGE,
'CAPTCHA response should flagged as wrong.', 'CAPTCHA response should flagged as wrong.',
......