Commit eec2e2d2 authored by klidifia's avatar klidifia Committed by elachlan

Issue #2896957 by klidifia, blacklabel_tom, arunkumark: Change "CAPTCHA...

Issue #2896957 by klidifia, blacklabel_tom, arunkumark: Change "CAPTCHA session reuse attack detected" message into watchdog/logger
parent 1c2632a7
......@@ -403,11 +403,22 @@ function _captcha_get_posted_captcha_info(array $element, FormStateInterface $fo
->execute()
->fetchField();
if ($expected_captcha_token !== $posted_captcha_token) {
if (empty($input['captcha_cacheable'])) {
drupal_set_message(t('CAPTCHA session reuse attack detected.'), 'error');
// If we do have a CAPTCHA token mismatch then log it.
try {
if (($expected_captcha_token !== $posted_captcha_token) && empty($input['captcha_cacheable'])) {
throw new \UnexpectedValueException('CAPTCHA session reuse attack detected.');
}
// Invalidate the CAPTCHA session.
}
catch (\Exception $e) {
\Drupal::logger('captcha')->debug(
'CAPTCHA session reuse attack detected on @form_id <br/>Posted CAPTCHA token: @posted_captcha_token <br/>Expected captcha token: @expected_captcha_token',
[
'@form_id' => $this_form_id,
'@expected_captcha_token' => var_export($expected_captcha_token, TRUE),
'@posted_captcha_token' => var_export($posted_captcha_token, TRUE),
]
);
$posted_captcha_sid = NULL;
}
// Invalidate CAPTCHA token to avoid reuse.
......
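Review bot: The try/throw/catch added around the token comparison exists only to route a single condition into the logger — the exception is thrown and caught within the same statement and `$e` is never used — so the same behaviour reads more plainly as `if (($expected_captcha_token !== $posted_captcha_token) && empty($input['captcha_cacheable'])) {` wrapping the logger call and `$posted_captcha_sid = NULL;`, with no try/catch at all. A detected session-reuse attempt is a security signal rather than developer tracing, so `->debug(` is the wrong severity: most production logger configurations discard debug entries, and `->warning(` (or `->notice(`) keeps the event visible to whoever reviews the watchdog. Because the side markers are lost in this rendering it is hard to be certain, but on the new side `$posted_captcha_sid = NULL;` only runs when the form is not cacheable, whereas the original block appears to have invalidated the session on any token mismatch and gated only the user-facing message on `captcha_cacheable`; if that narrowing is unintended, move the invalidation outside the cacheable check. With the visible message removed, the test helper at the bottom of the page now asserts only the wrong-response text, so the logged detection is no longer verified anywhere visible — consider asserting on the watchdog entry there. `_captcha_get_posted_captcha_info` starts and ends outside the hunk.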
......@@ -35,11 +35,6 @@ abstract class CaptchaBaseWebTestCase extends WebTestBase {
*/
const CAPTCHA_WRONG_RESPONSE_ERROR_MESSAGE = 'The answer you entered for the CAPTCHA was not correct.';
/**
* Session reuse attack error message.
*/
const CAPTCHA_SESSION_REUSE_ATTACK_ERROR_MESSAGE = 'CAPTCHA session reuse attack detected.';
/**
* Unknown CSID error message.
*/
......@@ -138,11 +133,6 @@ abstract class CaptchaBaseWebTestCase extends WebTestBase {
'CAPTCHA response should be accepted (known CSID).',
'CAPTCHA'
);
// There should be no error message about CSID reuse attack.
$this->assertNoText(self::CAPTCHA_SESSION_REUSE_ATTACK_ERROR_MESSAGE,
'CAPTCHA response should be accepted (no CAPTCHA session reuse attack detection).',
'CAPTCHA'
);
// There should be no error message about wrong response.
$this->assertNoText(self::CAPTCHA_WRONG_RESPONSE_ERROR_MESSAGE,
'CAPTCHA response should be accepted (correct response).',
......
......@@ -13,10 +13,6 @@ class CaptchaSessionReuseAttackTestCase extends CaptchaBaseWebTestCase {
* Assert that the CAPTCHA session ID reuse attack was detected.
*/
protected function assertCaptchaSessionIdReuseAttackDetection() {
$this->assertText(self::CAPTCHA_SESSION_REUSE_ATTACK_ERROR_MESSAGE,
'CAPTCHA session ID reuse attack should be detected.',
'CAPTCHA'
);
// There should be an error message about wrong response.
$this->assertText(self::CAPTCHA_WRONG_RESPONSE_ERROR_MESSAGE,
'CAPTCHA response should flagged as wrong.',
......