diff options
| author | Mark Sapiro <mark@msapiro.net> | 2019-06-19 16:56:49 -0700 |
|---|---|---|
| committer | Mark Sapiro <mark@msapiro.net> | 2019-06-19 16:56:49 -0700 |
| commit | 1799a87556e18776e64df28ff2ac4fee190f2dc1 (patch) | |
| tree | 670eea11f001d2273da50af94c9f949b85ded058 /Mailman/Cgi | |
| parent | 56188e427f80ed350b6608ce47124402c90b9d40 (diff) | |
| parent | 91203be694e4ca836b862b7921e119b2f55a8307 (diff) | |
| download | mailman2-1799a87556e18776e64df28ff2ac4fee190f2dc1.tar.gz mailman2-1799a87556e18776e64df28ff2ac4fee190f2dc1.tar.xz mailman2-1799a87556e18776e64df28ff2ac4fee190f2dc1.zip | |
Implement Ralf Jung's captcha feature for the subscribe form.
Diffstat (limited to 'Mailman/Cgi')
| -rw-r--r-- | Mailman/Cgi/listinfo.py | 22 | ||||
| -rw-r--r-- | Mailman/Cgi/subscribe.py | 13 |
2 files changed, 31 insertions, 4 deletions
diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py index f1b455da..81ff7f48 100644 --- a/Mailman/Cgi/listinfo.py +++ b/Mailman/Cgi/listinfo.py @@ -216,10 +216,28 @@ def list_listinfo(mlist, lang): # drop one : resulting in an invalid format, but it's only # for our hash so it doesn't matter. remote = remote.rsplit(':', 1)[0] + # render CAPTCHA, if configured + if isinstance(mm_cfg.CAPTCHAS, dict) and 'en' in mm_cfg.CAPTCHAS: + (captcha_question, captcha_box, captcha_idx) = \ + Utils.captcha_display(mlist, lang, mm_cfg.CAPTCHAS) + pre_question = _( + """Please answer the following question to prove that + you are not a bot:""" + ) + replacements['<mm-captcha-ui>'] = ( + """<tr><td BGCOLOR="#dddddd">%s<br>%s</td><td>%s</td></tr>""" + % (pre_question, captcha_question, captcha_box)) + else: + # just to have something to include in the hash below + captcha_idx = '' + # fill form replacements['<mm-subscribe-form-start>'] += ( - '<input type="hidden" name="sub_form_token" value="%s:%s">\n' - % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" + + '<input type="hidden" name="sub_form_token"' + ' value="%s:%s:%s">\n' + % (now, captcha_idx, + Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" + now + ":" + + captcha_idx + ":" + mlist.internal_name() + ":" + remote ).hexdigest() diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py index b6527a2a..ce7940f9 100644 --- a/Mailman/Cgi/subscribe.py +++ b/Mailman/Cgi/subscribe.py @@ -168,13 +168,15 @@ def process_form(mlist, doc, cgidata, lang): # for our hash so it doesn't matter. remote1 = remote.rsplit(':', 1)[0] try: - ftime, fhash = cgidata.getfirst('sub_form_token', '').split(':') + ftime, fcaptcha_idx, fhash = cgidata.getfirst( + 'sub_form_token', '').split(':') then = int(ftime) except ValueError: - ftime = fhash = '' + ftime = fcaptcha_idx = fhash = '' then = 0 token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" + ftime + ":" + + fcaptcha_idx + ":" + mlist.internal_name() + ":" + remote1).hexdigest() if ftime and now - then > mm_cfg.FORM_LIFETIME: @@ -189,6 +191,13 @@ def process_form(mlist, doc, cgidata, lang): results.append( _('There was no hidden token in your submission or it was corrupted.')) results.append(_('You must GET the form before submitting it.')) + # Check captcha + if isinstance(mm_cfg.CAPTCHAS, dict): + captcha_answer = cgidata.getvalue('captcha_answer', '') + if not Utils.captcha_verify( + fcaptcha_idx, captcha_answer, mm_cfg.CAPTCHAS): + results.append(_( + 'This was not the right answer to the CAPTCHA question.')) # Was an attempt made to subscribe the list to itself? if email == mlist.GetListEmail(): syslog('mischief', 'Attempt to self subscribe %s: %s', email, remote) |