[moin-devel] TextCha not working because of wrong signature
Jasper Olbrich
jasper.olbrich at posteo.de
Mon Aug 6 15:29:02 EDT 2018
Hello,
I configured TextCha some time ago because bots seem to have found my
account creation page.
Now I'm unable to create new users or edit pages, because the answer to
the TextCha is always considered wrong. This is because the
reconstruction of the question from the form data fails. It all seems to
boil down to a wrong digest method:
In security/textcha.py:
----------------------
[...]
SHA1_LEN = 40
[...]
    def _compute_signature(self, question, timestamp):
        signature = u"%s%d" % (question, timestamp)
        return hmac.new(self.secret, signature.encode('utf-8')).hexdigest()
----------------------
But hmac.new uses md5 by default with a length of 32 hex digits:
>>> import hashlib
>>> import hmac
>>> len(hmac.new("key", "msg").hexdigest())
32
>>> len(hmac.new("key", "msg", hashlib.sha1).hexdigest())
40
I couldn't find any information on this yet and I'm asking what the
right fix to this would be?
1) Explicitly use hashlib.sha1?
2) Use a universal DIGEST_LEN=len(hmac.new("key", "").hexdigest())?
3) ???
And of course I'm curious why this hasn't bitten anybody else so far.
--
Best,
Jasper
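
Added example, not part of the original post and not MoinMoin's code: it reproduces the length mismatch described above and shows both proposed fixes (explicit SHA-1, or a length derived from the digest actually in use). The form-field layout, `SECRET`, `TS_LEN` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed sample key
SHA1_LEN = 40                         # constant quoted in the post
TS_LEN = 10                           # assumed fixed-width timestamp field

def digest_len(digestmod):
    """Hex length of a digest, derived from the algorithm instead of hard-coded."""
    return hashlib.new(digestmod).digest_size * 2

def sign(question, timestamp, digestmod):
    """HMAC over question+timestamp, same message layout as the quoted code.
    Python 3.8+ requires digestmod to be passed explicitly."""
    msg = (u"%s%d" % (question, timestamp)).encode("utf-8")
    return hmac.new(SECRET, msg, digestmod).hexdigest()

def pack(question, timestamp, digestmod):
    """Hypothetical form value: <hex signature><timestamp><question>."""
    sig = sign(question, timestamp, digestmod)
    return "%s%0*d%s" % (sig, TS_LEN, timestamp, question)

def unpack_and_verify(field, digestmod, sig_len):
    """Split the field at sig_len; return the question only if the signature checks."""
    sig, rest = field[:sig_len], field[sig_len:]
    try:
        timestamp = int(rest[:TS_LEN])
    except ValueError:
        return None  # split landed in the wrong place
    question = rest[TS_LEN:]
    expected = sign(question, timestamp, digestmod)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    ok = hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8"))
    return question if ok else None

if __name__ == "__main__":
    q, ts = u"What is 2 + 2?", 1533583742  # constructed sample values
    field = pack(q, ts, "md5")             # MD5 signature, as in the post
    print(unpack_and_verify(field, "md5", SHA1_LEN))           # wrong split
    print(unpack_and_verify(field, "md5", digest_len("md5")))  # option 2
    print(unpack_and_verify(pack(q, ts, "sha1"), "sha1", SHA1_LEN))  # option 1
```

Deriving the length from the digest keeps signing and parsing in step if the algorithm is changed later.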