[tor-commits] [bridgedb/master] Use SSL when requesting CAPTCHAs from reCaptcha.
commit ffbc3bd846ab8e4bf3229b89096775d8b2db0f34
Author: Isis Lovecruft <isis@xxxxxxxxxxxxxx>
Date: Sat Mar 1 03:18:01 2014 +0000

Use SSL when requesting CAPTCHAs from reCaptcha.

This sounds bad. It is. What's worse: this only fixes half the
problem. The recaptcha.client.captcha.submit() function in the reCaptcha
API [0] is hardcoded to submit the server's (in this case, BridgeDB's)
private API key, the client's IP address (BridgeDB sends a faked one),
and the client's solution to the CAPTCHA, all over HTTP, in glorious
plaintext. Hooray.

[0]: https://recaptcha.googlecode.com/svn/trunk/recaptcha-plugins/python/recaptcha/client/captcha.py
---
lib/bridgedb/captcha.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/bridgedb/captcha.py b/lib/bridgedb/captcha.py
index fea4b44..07b06d4 100644
--- a/lib/bridgedb/captcha.py
+++ b/lib/bridgedb/captcha.py
@@ -84,7 +84,7 @@ class ReCaptcha(Captcha):
"""
if (self.pubkey == '') or (self.privkey == ''):
raise ReCaptchaKeyError
- urlbase = recaptcha.API_SERVER
+ urlbase = recaptcha.API_SSL_SERVER
form = "/noscript?k=%s" % self.pubkey
# extract and store image from captcha
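Review bot: On the changed `urlbase = recaptcha.API_SSL_SERVER` line, the switch only protects the challenge fetch if the code that requests the URL built from `urlbase` and `form` also validates the server's certificate and hostname. That request is outside this hunk, so it should be confirmed before this is treated as a fix; an HTTPS fetch without verification still lets an on-path party substitute the response. The commit message also says `recaptcha.client.captcha.submit()` still sends the private key and the solution over HTTP, so a comment beside this line (or at the submit call site) recording that known gap would keep the change from being read as a complete fix.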