Fix captcha part 2: don't store captcha answer in session cookie

2025-04-19 10:26:44 +00:00 · 2019-02-03 09:01:21 -05:00 · 2019-02-03 09:01:21 -05:00 · 204b82b71f
commit 204b82b71f
parent e8965497d4
4 changed files with 10 additions and 2 deletions
--- a/api.py
+++ b/api.py
@ -1,6 +1,7 @@
 import json
 import os
 from threading import Lock
 from uuid import uuid4
 from flask import request, abort, Response, send_file, session
@ -254,7 +255,9 @@ def setup_api(app):
    @app.route("/cap", methods=["GET"])
    def cap():
        word = captcha.make_captcha()
-        session["cap"] = word
+        cap_id = uuid4()
        session["cap"] = cap_id
        oddb.sessionStore[cap_id] = word
        return send_file(captcha.get_path(word), cache_timeout=0)
--- a/app.py
+++ b/app.py
@ -9,6 +9,7 @@ app = Flask(__name__)
 app.secret_key = config.FLASK_SECRET
 template_filters.setup_template_filters(app)
 views.setup_views(app)
 api.setup_api(app)
--- a/captcha.py
+++ b/captcha.py
@ -5,6 +5,7 @@ from PIL import Image, ImageDraw, ImageFont
 from flask import request, session
 import config
 import common as oddb
 def get_code():
@ -35,7 +36,7 @@ def verify():
        request.args.get("cap") if "cap" in request.args else ""
    )
-    if "cap" in session and session["cap"] == attempt:
+    if "cap" in session and session["cap"] in oddb.sessionStore and oddb.sessionStore[session["cap"]] == attempt:
        session["cap_remaining"] = config.CAPTCHA_EVERY
        return True
    return False
--- a/common.py
+++ b/common.py
@ -26,6 +26,9 @@ searchEngine = ElasticSearchEngine("od-database")
 searchEngine.start_stats_scheduler()
 db = Database("db.sqlite3")
 # temporary hotfix...
 sessionStore = dict()
 def require_role(role: str):