
Commit 4c0965b

Merge pull request #36 from mkrasselt1/2.18.x
Fix: reject forbidden characters in the captcha id and prevent a captcha from being used twice
2 parents 84df304 + 30c51f3 commit 4c0965b


2 files changed

+23
-1
lines changed

2 files changed

+23
-1
lines changed

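--- a/src/AbstractWord.php
+++ b/src/AbstractWord.php
@@ -10,6 +10,7 @@
 use function count;
 use function is_array;
 use function md5;
+use function preg_match;
 use function random_bytes;
 use function random_int;
 use function strlen;
@@ -394,7 +395,7 @@ public function isValid($value, $context = null)
 $input = strtolower($value['input']);
 $this->setValue($input);
 
-if (! isset($value['id'])) {
+if (! isset($value['id']) || ! preg_match('/^[a-f0-9][a-f0-9_\\\\]+$/i', (string) $value['id'])) {
 $this->error(self::MISSING_ID);
 return false;
 }
@@ -404,6 +405,8 @@ public function isValid($value, $context = null)
 $this->error(self::BAD_CAPTCHA);
 return false;
 }
+//Invalidate the captcha by generating a new word after successful use
+$this->setWord($this->generateWord());
 
 return true;
 }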
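Review bot: The `$` anchor in the new id pattern on the `if (! isset($value['id']) || ! preg_match(...))` line still accepts an id that ends in a newline, because PCRE's `$` matches before a final `\n`; anchoring with `\z` closes that gap: `'/^[a-f0-9][a-f0-9_\\\\]+\z/i'`. The character class also admits a literal backslash (`\\\\` in a single-quoted PHP string is one escaped backslash in the pattern), which looks copied from another validator's name rule; a comment naming that consumer would stop a future edit from widening the set, e.g. `// id doubles as a session/file name; keep this character set in sync with that validator`. Note that a malformed id is reported as MISSING_ID, which is acceptable but worth one comment so the error key is not misread as "absent". isValid's body starts and ends outside this hunk, so the session lookup and word comparison the id feeds are not visible here.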

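--- a/test/ImageTest.php
+++ b/test/ImageTest.php
@@ -21,6 +21,7 @@
 use function mkdir;
 use function sleep;
 use function strlen;
+use function substr;
 use function sys_get_temp_dir;
 use function unlink;
 
@@ -226,6 +227,24 @@ public function testMissingNotValid(): void
 $this->assertFalse($this->captcha->isValid($input));
 }
 
+public function testDoubleSubmitNotValidates(): void
+{
+$this->captcha->generate();
+$input = ["id" => $this->captcha->getId(), "input" => $this->captcha->getWord()];
+$this->assertTrue($this->captcha->isValid($input));
+$this->assertFalse($this->captcha->isValid($input));
+}
+
+public function testInvalidIDCharactersSubmittedNotValidates(): void
+{
+$this->captcha->generate();
+$id = $this->captcha->getId();
+$input = ["id" => substr($id, 0, strlen($id) - 1) . "+", "input" => $this->captcha->getWord()];
+$this->assertFalse($this->captcha->isValid($input));
+$input = ["id" => substr($id, 0, strlen($id) - 1) . "-", "input" => $this->captcha->getWord()];
+$this->assertFalse($this->captcha->isValid($input));
+}
+
 public function testWrongWordNotValid(): void
 {
 $this->captcha->generate();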