From patchwork Sat Oct 5 18:23:57 2019
X-Patchwork-Submitter: Lukas Fleischer
X-Patchwork-Id: 1249
From: Lukas Fleischer
To: aur-dev@archlinux.org
Subject: [PATCH] Make CAPTCHA salt invalidation more robust
Date: Sat, 5 Oct 2019 14:23:57 -0400
Message-Id: <20191005182357.60011-1-lfleischer@archlinux.org>
X-Mailer: git-send-email 2.23.0
List-Id: "Arch User Repository \(AUR\) Development"

With the previous implementation, unlucky users could have their CAPTCHA invalidated by a single account creation while filling out their account registration form. Make this more robust by allowing up to five account registrations before rejecting a CAPTCHA salt.

Signed-off-by: Lukas Fleischer
---
 web/lib/acctfuncs.inc.php | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index f9378fe..e754989 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -75,8 +75,8 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R="" $TZ = config_get("options", "default_timezone"); } - if ($captcha_salt != get_captcha_salt()) { - $captcha_salt = get_captcha_salt(); + if (!in_array($captcha_salt, get_captcha_salts())) { + $captcha_salt = get_captcha_salts()[0]; $captcha = ""; } $captcha_challenge = get_captcha_challenge($captcha_salt);
@@ -283,7 +283,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="" $error = __("The CAPTCHA is missing."); } - if (!$error && $TYPE == "new" && $captcha_salt != get_captcha_salt()) { + if (!$error && $TYPE == "new" && !in_array($captcha_salt, get_captcha_salts())) { $error = __("This CAPTCHA has expired. Please try again."); } @@ -1469,17 +1469,31 @@ function account_comments_count($uid) { } /* - * Compute the CAPTCHA salt. The salt changes based on the number of registered - * users. This ensures that new users always use a different salt. - * - * @return string The current salt. + * Compute the list of active CAPTCHA salts. The salt changes based on the + * number of registered users. This ensures that new users always use a + * different salt and protects against hardcoding the CAPTCHA response. + * + * The first CAPTCHA in the list is the most recent one and should be used for + * new CAPTCHA challenges. The other ones are slightly outdated but may still + * be valid for recent challenges that were created before the number of users + * increased. The current implementation ensures that we can still use our + * CAPTCHA salt, even if five new users registered since the CAPTCHA challenge + * was created. + * + * @return string The list of active salts, the first being the most recent + * one. */ -function get_captcha_salt() { +function get_captcha_salts() { $dbh = DB::connect(); $q = "SELECT count(*) FROM Users"; $result = $dbh->query($q); $user_count = $result->fetchColumn(); - return 'aurweb-' . floor($user_count / 3); + + $ret = array(); + for ($i = 0; $i <= 5; $i++) { + array_push($ret, 'aurweb-' . ($user_count - $i)); + } + return $ret; } /*
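Review bot: in the display_account_form hunk (@@ -75,8 +75,8 @@), get_captcha_salts() is called twice in the rewritten check, once inside in_array() and once to take element [0], and every call runs its own `SELECT count(*) FROM Users`. Fetch the list once and reuse it: `$salts = get_captcha_salts(); if (!in_array($captcha_salt, $salts)) { $captcha_salt = $salts[0]; $captcha = ""; }`. That halves the queries on every form render and guarantees the salt assigned to the new challenge comes from the same list that was just checked.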
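Review bot: in the process_account_form hunk (@@ -283,7 +283,7 @@), `in_array($captcha_salt, get_captcha_salts())` relies on PHP's loose comparison for a value that arrives from the submitted registration form. Pass `true` as the third argument, `in_array($captcha_salt, get_captcha_salts(), true)`, so the submitted salt has to match one of the generated 'aurweb-N' strings exactly and type juggling cannot widen the match; the same applies to the in_array() call added in display_account_form.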
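Review bot: in the get_captcha_salts hunk (@@ -1469,17 +1469,31 @@) the docblock still says `@return string` although the function now returns an array; make it `@return array` (string[]) and change "The first CAPTCHA in the list" to "The first salt in the list". The loop `for ($i = 0; $i <= 5; $i++)` produces six salts (the current user count and the five before it), which is exactly what "five new users registered since the challenge was created" requires but reads like an off-by-one at first glance, so a short comment on the bound would help; on a near-empty database ($user_count < 5) it also yields salts such as 'aurweb--1', harmless but easy to avoid by stopping the loop at zero. Finally, the docblock should state the trade-off of dropping `floor($user_count / 3)` and accepting six salts: a challenge/response pair now stays valid until five further registrations complete, so the window in which a stored response can be reused is bounded by registration rate rather than by a fixed interval.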