Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Optionally require a CAPTCHA (controlled by Admin/Access) when a user who is not logged in tries to edit wiki, or a ticket, or an attachment. |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA1: |
82b8587a502f32e9e4a76a3312c55057 |
| User & Date: | drh 2012-11-21 00:51:01.903 |
Context
|
2012-11-21
| ||
| 01:08 | Improvements to comments on recently added CAPTCHA code. ... (check-in: 64231a679d user: drh tags: trunk) | |
| 00:51 | Optionally require a CAPTCHA (controlled by Admin/Access) when a user who is not logged in tries to edit wiki, or a ticket, or an attachment. ... (check-in: 82b8587a50 user: drh tags: trunk) | |
|
2012-11-20
| ||
| 22:28 | Centralize escaping of reserved HTML characters in the captcha output. ... (check-in: a460326337 user: mistachkin tags: trunk) | |
Changes
Changes to src/attach.c.
| ︙ | ︙ | |||
234 235 236 237 238 239 240 241 242 243 244 245 246 247 |
const char *zTkt = P("tkt");
const char *zFrom = P("from");
const char *aContent = P("f");
const char *zName = PD("f:filename","unknown");
const char *zTarget;
const char *zTargetType;
int szContent = atoi(PD("f:bytes","0"));
if( P("cancel") ) cgi_redirect(zFrom);
if( zPage && zTkt ) fossil_redirect_home();
if( zPage==0 && zTkt==0 ) fossil_redirect_home();
login_check_credentials();
if( zPage ){
if( g.perm.ApndWiki==0 || g.perm.Attach==0 ) login_needed();
| > | 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 |
const char *zTkt = P("tkt");
const char *zFrom = P("from");
const char *aContent = P("f");
const char *zName = PD("f:filename","unknown");
const char *zTarget;
const char *zTargetType;
int szContent = atoi(PD("f:bytes","0"));
int goodCaptcha = 1;
if( P("cancel") ) cgi_redirect(zFrom);
if( zPage && zTkt ) fossil_redirect_home();
if( zPage==0 && zTkt==0 ) fossil_redirect_home();
login_check_credentials();
if( zPage ){
if( g.perm.ApndWiki==0 || g.perm.Attach==0 ) login_needed();
|
| ︙ | ︙ | |||
262 263 264 265 266 267 268 |
zTargetType = mprintf("Ticket <a href=\"%s/tktview/%S\">%S</a>",
g.zTop, zTkt, zTkt);
}
if( zFrom==0 ) zFrom = mprintf("%s/home", g.zTop);
if( P("cancel") ){
cgi_redirect(zFrom);
}
| | | 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 |
zTargetType = mprintf("Ticket <a href=\"%s/tktview/%S\">%S</a>",
g.zTop, zTkt, zTkt);
}
if( zFrom==0 ) zFrom = mprintf("%s/home", g.zTop);
if( P("cancel") ){
cgi_redirect(zFrom);
}
if( P("ok") && szContent>0 && (goodCaptcha = captcha_is_correct()) ){
Blob content;
Blob manifest;
Blob cksum;
char *zUUID;
const char *zComment;
char *zDate;
int rid;
|
| ︙ | ︙ | |||
315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 |
blob_appendf(&manifest, "Z %b\n", &cksum);
attach_put(&manifest, rid, needModerator);
assert( blob_is_reset(&manifest) );
db_end_transaction(0);
cgi_redirect(zFrom);
}
style_header("Add Attachment");
@ <h2>Add Attachment To %s(zTargetType)</h2>
form_begin("enctype='multipart/form-data'", "%R/attachadd");
@ <div>
@ File to Attach:
@ <input type="file" name="f" size="60" /><br />
@ Description:<br />
@ <textarea name="comment" cols="80" rows="5" wrap="virtual"></textarea><br />
if( zTkt ){
@ <input type="hidden" name="tkt" value="%h(zTkt)" />
}else{
@ <input type="hidden" name="page" value="%h(zPage)" />
}
@ <input type="hidden" name="from" value="%h(zFrom)" />
@ <input type="submit" name="ok" value="Add Attachment" />
@ <input type="submit" name="cancel" value="Cancel" />
| > > > | > > | 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 |
blob_appendf(&manifest, "Z %b\n", &cksum);
attach_put(&manifest, rid, needModerator);
assert( blob_is_reset(&manifest) );
db_end_transaction(0);
cgi_redirect(zFrom);
}
style_header("Add Attachment");
if( !goodCaptcha ){
@ <p class="generalError">Error: Incorrect security code.</p>
}
@ <h2>Add Attachment To %s(zTargetType)</h2>
form_begin("enctype='multipart/form-data'", "%R/attachadd");
@ <div>
@ File to Attach:
@ <input type="file" name="f" size="60" /><br />
@ Description:<br />
@ <textarea name="comment" cols="80" rows="5" wrap="virtual"></textarea><br />
if( zTkt ){
@ <input type="hidden" name="tkt" value="%h(zTkt)" />
}else{
@ <input type="hidden" name="page" value="%h(zPage)" />
}
@ <input type="hidden" name="from" value="%h(zFrom)" />
@ <input type="submit" name="ok" value="Add Attachment" />
@ <input type="submit" name="cancel" value="Cancel" />
@ </div>
captcha_generate();
@ </form>
style_footer();
}
/*
** WEBPAGE: ainfo
** URL: /ainfo?name=ARTIFACTID
**
|
| ︙ | ︙ |
Changes to src/captcha.c.
| ︙ | ︙ | |||
436 437 438 439 440 441 442 | blob_appendf(&b, "%s-%x", zSecret, seed); sha1sum_blob(&b, &b); z = blob_buffer(&b); memcpy(zRes, z, 8); zRes[8] = 0; return zRes; } | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 |
blob_appendf(&b, "%s-%x", zSecret, seed);
sha1sum_blob(&b, &b);
z = blob_buffer(&b);
memcpy(zRes, z, 8);
zRes[8] = 0;
return zRes;
}
/*
** Return true if a CAPTCHA is required.
*/
int captcha_needed(void){
if( g.zLogin!=0 ) return 0;
return db_get_boolean("require-captcha", 1);
}
/*
** If a captcha is required but the correct captcha code is not supplied
** in the query parameters, then return false (0).
**
** If no captcha is required or if the correct captcha is supplied, return
** true (non-zero).
*/
int captcha_is_correct(void){
const char *zSeed;
const char *zEntered;
const char *zDecode;
if( !captcha_needed() ){
return 1; /* No captcha needed */
}
zSeed = P("captchaseed");
if( zSeed==0 ) return 0;
zEntered = P("captcha");
if( zEntered==0 || strlen(zEntered)!=8 ) return 0;
zDecode = captcha_decode((unsigned int)atoi(zSeed));
if( strcmp(zDecode,zEntered)!=0 ) return 0;
return 1;
}
/*
** Generate a new CAPTCHA seed. Write it as a hidden variable named
** "captchaseed". Then return the rendered captcha text.
*/
void captcha_generate(void){
unsigned int uSeed;
const char *zDecoded;
char *zCaptcha;
if( !captcha_needed() ) return;
uSeed = captcha_seed();
zDecoded = captcha_decode(uSeed);
zCaptcha = captcha_render(zDecoded);
@ <div class="captcha"><table class="captcha"><tr><td><pre>
@ %h(zCaptcha)
@ </pre>
@ Enter security code shown above:
@ <input type="hidden" name="captchaseed" value="%u(uSeed)" />
@ <input type="text" name="captcha" size=8 />
@ </td></tr></table></div>
}
|
Changes to src/setup.c.
| ︙ | ︙ | |||
932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 |
@
@ <p>You do not normally want a bot to walk your entire repository because
@ if it does, your server will end up computing diffs and annotations for
@ every historical version of every file and creating ZIPs and tarballs of
@ every historical check-in, which can use a lot of CPU and bandwidth
@ even for relatively small projects.</p>
@ <hr />
entry_attribute("Public pages", 30, "public-pages",
"pubpage", "");
@ <p>A comma-separated list of glob patterns for pages that are accessible
@ without needing a login and using the privileges given by the
@ "Default privileges" setting below. Example use case: Set this field
@ to "/doc/trunk/www/*" to give anonymous users read-only permission to the
@ latest version of the embedded documentation in the www/ folder without
@ allowing them to see the rest of the source code.
@ </p>
| > > > > > > > < | 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 |
@
@ <p>You do not normally want a bot to walk your entire repository because
@ if it does, your server will end up computing diffs and annotations for
@ every historical version of every file and creating ZIPs and tarballs of
@ every historical check-in, which can use a lot of CPU and bandwidth
@ even for relatively small projects.</p>
@ <hr />
onoff_attribute("Require a CAPTCHA if not logged in",
"require-captcha", "reqcapt", 1);
@ <p>Require a CAPTCHA for edit operations (appending, creating, or
@ editing wiki or tickets or adding attachments to wiki or tickets)
@ for users who are not logged in.</p>
@ <hr />
entry_attribute("Public pages", 30, "public-pages",
"pubpage", "");
@ <p>A comma-separated list of glob patterns for pages that are accessible
@ without needing a login and using the privileges given by the
@ "Default privileges" setting below. Example use case: Set this field
@ to "/doc/trunk/www/*" to give anonymous users read-only permission to the
@ latest version of the embedded documentation in the www/ folder without
@ allowing them to see the rest of the source code.
@ </p>
@ <hr />
onoff_attribute("Allow users to register themselves",
"self-register", "selfregister", 0);
@ <p>Allow users to register themselves through the HTTP UI.
@ The registration form always requires filling in a CAPTCHA
@ (<em>auto-captcha</em> setting is ignored). Still, bear in mind that anyone
|
| ︙ | ︙ |
Changes to src/style.c.
| ︙ | ︙ | |||
710 711 712 713 714 715 716 717 718 719 720 721 722 723 |
@ margin-right: 10px;
@ margin-left: 10px;
@ margin-top: 10px;
},
{ "div.captcha",
"captcha display options",
@ text-align: center;
},
{ "table.captcha",
"format for the layout table, used for the captcha display",
@ margin: auto;
@ padding: 10px;
@ border-width: 4px;
@ border-style: double;
| > | 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 |
@ margin-right: 10px;
@ margin-left: 10px;
@ margin-top: 10px;
},
{ "div.captcha",
"captcha display options",
@ text-align: center;
@ padding: 1ex;
},
{ "table.captcha",
"format for the layout table, used for the captcha display",
@ margin: auto;
@ padding: 10px;
@ border-width: 4px;
@ border-style: double;
|
| ︙ | ︙ |
Changes to src/tkt.c.
| ︙ | ︙ | |||
428 429 430 431 432 433 434 435 436 437 438 439 440 441 |
char *zDate;
const char *zUuid;
int i;
int nJ = 0;
Blob tktchng, cksum;
login_verify_csrf_secret();
zUuid = (const char *)pUuid;
blob_zero(&tktchng);
zDate = date_in_standard_format("now");
blob_appendf(&tktchng, "D %s\n", zDate);
free(zDate);
for(i=0; i<nField; i++){
if( azAppend[i] ){
| > > > > | 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 |
char *zDate;
const char *zUuid;
int i;
int nJ = 0;
Blob tktchng, cksum;
login_verify_csrf_secret();
if( !captcha_is_correct() ){
@ <p class="generalError">Error: Incorrect security code.</p>
return TH_OK;
}
zUuid = (const char *)pUuid;
blob_zero(&tktchng);
zDate = date_in_standard_format("now");
blob_appendf(&tktchng, "D %s\n", zDate);
free(zDate);
for(i=0; i<nField; i++){
if( azAppend[i] ){
|
| ︙ | ︙ | |||
527 528 529 530 531 532 533 |
form_begin(0, "%R/%s", g.zPath);
login_insert_csrf_secret();
if( P("date_override") && g.perm.Setup ){
@ <input type="hidden" name="date_override" value="%h(P("date_override"))">
}
@ </p>
zScript = ticket_newpage_code();
| | > | 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 |
form_begin(0, "%R/%s", g.zPath);
login_insert_csrf_secret();
if( P("date_override") && g.perm.Setup ){
@ <input type="hidden" name="date_override" value="%h(P("date_override"))">
}
@ </p>
zScript = ticket_newpage_code();
Th_Store("login", g.zLogin ? g.zLogin : "nobody");
Th_Store("date", db_text(0, "SELECT datetime('now')"));
Th_CreateCommand(g.interp, "submit_ticket", submitTicketCmd,
(void*)&zNewUuid, 0);
if( g.thTrace ) Th_Trace("BEGIN_TKTNEW_SCRIPT<br />\n", -1);
if( Th_Render(zScript)==TH_RETURN && !g.thTrace && zNewUuid ){
cgi_redirect(mprintf("%s/tktview/%s", g.zTop, zNewUuid));
return;
}
captcha_generate();
@ </form>
if( g.thTrace ) Th_Trace("END_TKTVIEW<br />\n", -1);
style_footer();
}
/*
** WEBPAGE: tktedit
|
| ︙ | ︙ | |||
594 595 596 597 598 599 600 | initializeVariablesFromCGI(); initializeVariablesFromDb(); form_begin(0, "%R/%s", g.zPath); @ <input type="hidden" name="name" value="%s(zName)" /> login_insert_csrf_secret(); @ </p> zScript = ticket_editpage_code(); | | > | 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 |
initializeVariablesFromCGI();
initializeVariablesFromDb();
form_begin(0, "%R/%s", g.zPath);
@ <input type="hidden" name="name" value="%s(zName)" />
login_insert_csrf_secret();
@ </p>
zScript = ticket_editpage_code();
Th_Store("login", g.zLogin ? g.zLogin : "nobody");
Th_Store("date", db_text(0, "SELECT datetime('now')"));
Th_CreateCommand(g.interp, "append_field", appendRemarkCmd, 0, 0);
Th_CreateCommand(g.interp, "submit_ticket", submitTicketCmd, (void*)&zName,0);
if( g.thTrace ) Th_Trace("BEGIN_TKTEDIT_SCRIPT<br />\n", -1);
if( Th_Render(zScript)==TH_RETURN && !g.thTrace && zName ){
cgi_redirect(mprintf("%s/tktview/%s", g.zTop, zName));
return;
}
captcha_generate();
@ </form>
if( g.thTrace ) Th_Trace("BEGIN_TKTEDIT<br />\n", -1);
style_footer();
}
/*
** Check the ticket table schema in zSchema to see if it appears to
|
| ︙ | ︙ |
Changes to src/wiki.c.
| ︙ | ︙ | |||
261 262 263 264 265 266 267 268 269 270 271 272 273 274 |
Blob wiki;
Manifest *pWiki = 0;
const char *zPageName;
int n;
const char *z;
char *zBody = (char*)P("w");
int isWysiwyg = P("wysiwyg")!=0;
if( P("edit-wysiwyg")!=0 ){ isWysiwyg = 1; zBody = 0; }
if( P("edit-markup")!=0 ){ isWysiwyg = 0; zBody = 0; }
if( zBody ){
if( isWysiwyg ){
Blob body;
blob_zero(&body);
| > | 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 |
Blob wiki;
Manifest *pWiki = 0;
const char *zPageName;
int n;
const char *z;
char *zBody = (char*)P("w");
int isWysiwyg = P("wysiwyg")!=0;
int goodCaptcha = 1;
if( P("edit-wysiwyg")!=0 ){ isWysiwyg = 1; zBody = 0; }
if( P("edit-markup")!=0 ){ isWysiwyg = 0; zBody = 0; }
if( zBody ){
if( isWysiwyg ){
Blob body;
blob_zero(&body);
|
| ︙ | ︙ | |||
302 303 304 305 306 307 308 |
login_needed();
return;
}
if( zBody==0 && (pWiki = manifest_get(rid, CFTYPE_WIKI))!=0 ){
zBody = pWiki->zWiki;
}
}
| | > > | 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 |
login_needed();
return;
}
if( zBody==0 && (pWiki = manifest_get(rid, CFTYPE_WIKI))!=0 ){
zBody = pWiki->zWiki;
}
}
if( P("submit")!=0 && zBody!=0
&& (goodCaptcha = captcha_is_correct())
){
char *zDate;
Blob cksum;
blob_zero(&wiki);
db_begin_transaction();
if( isSandbox ){
db_set("sandbox",zBody,0);
}else{
|
| ︙ | ︙ | |||
341 342 343 344 345 346 347 348 349 350 351 352 353 354 |
return;
}
if( zBody==0 ){
zBody = mprintf("<i>Empty Page</i>");
}
style_set_current_page("%s?name=%T", g.zPath, zPageName);
style_header("Edit: %s", zPageName);
blob_zero(&wiki);
blob_append(&wiki, zBody, -1);
if( P("preview")!=0 ){
@ Preview:<hr />
wiki_convert(&wiki, 0, 0);
@ <hr />
blob_reset(&wiki);
| > > > | 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 |
return;
}
if( zBody==0 ){
zBody = mprintf("<i>Empty Page</i>");
}
style_set_current_page("%s?name=%T", g.zPath, zPageName);
style_header("Edit: %s", zPageName);
if( !goodCaptcha ){
@ <p class="generalError">Error: Incorrect security code.</p>
}
blob_zero(&wiki);
blob_append(&wiki, zBody, -1);
if( P("preview")!=0 ){
@ Preview:<hr />
wiki_convert(&wiki, 0, 0);
@ <hr />
blob_reset(&wiki);
|
| ︙ | ︙ | |||
383 384 385 386 387 388 389 |
blob_reset(&temp);
wysiwygEditor("w", blob_str(&html), 60, n);
blob_reset(&html);
@ <br />
@ <input type="submit" name="edit-markup" value="Markup Editor"
@ onclick='return confirm("Switching to markup-mode\nwill erase your WYSIWYG\nedits. Continue?")' />
}
| < > | > > | 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 |
blob_reset(&temp);
wysiwygEditor("w", blob_str(&html), 60, n);
blob_reset(&html);
@ <br />
@ <input type="submit" name="edit-markup" value="Markup Editor"
@ onclick='return confirm("Switching to markup-mode\nwill erase your WYSIWYG\nedits. Continue?")' />
}
login_insert_csrf_secret();
@ <input type="submit" name="submit" value="Apply These Changes" />
@ <input type="hidden" name="name" value="%h(zPageName)" />
@ <input type="submit" name="cancel" value="Cancel"
@ onclick='confirm("Abandon your changes?")' />
@ </div>
captcha_generate();
@ </form>
manifest_destroy(pWiki);
blob_reset(&wiki);
style_footer();
}
/*
** WEBPAGE: wikinew
|
| ︙ | ︙ | |||
464 465 466 467 468 469 470 471 472 473 474 475 476 477 |
*/
void wikiappend_page(void){
char *zTag;
int rid = 0;
int isSandbox;
const char *zPageName;
const char *zUser;
login_check_credentials();
zPageName = PD("name","");
if( check_name(zPageName) ) return;
isSandbox = is_sandbox(zPageName);
if( !isSandbox ){
zTag = mprintf("wiki-%s", zPageName);
| > | 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 |
*/
void wikiappend_page(void){
char *zTag;
int rid = 0;
int isSandbox;
const char *zPageName;
const char *zUser;
int goodCaptcha = 1;
login_check_credentials();
zPageName = PD("name","");
if( check_name(zPageName) ) return;
isSandbox = is_sandbox(zPageName);
if( !isSandbox ){
zTag = mprintf("wiki-%s", zPageName);
|
| ︙ | ︙ | |||
486 487 488 489 490 491 492 |
return;
}
}
if( !g.perm.ApndWiki ){
login_needed();
return;
}
| | > > | 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 |
return;
}
}
if( !g.perm.ApndWiki ){
login_needed();
return;
}
if( P("submit")!=0 && P("r")!=0 && P("u")!=0
&& (goodCaptcha = captcha_is_correct())
){
char *zDate;
Blob cksum;
Blob body;
Blob wiki;
Manifest *pWiki = 0;
blob_zero(&body);
|
| ︙ | ︙ | |||
534 535 536 537 538 539 540 541 542 543 544 545 546 547 |
}
if( P("cancel")!=0 ){
cgi_redirectf("wiki?name=%T", zPageName);
return;
}
style_set_current_page("%s?name=%T", g.zPath, zPageName);
style_header("Append Comment To: %s", zPageName);
if( P("preview")!=0 ){
Blob preview;
blob_zero(&preview);
appendRemark(&preview);
@ Preview:<hr>
wiki_convert(&preview, 0, 0);
@ <hr>
| > > > | 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 |
}
if( P("cancel")!=0 ){
cgi_redirectf("wiki?name=%T", zPageName);
return;
}
style_set_current_page("%s?name=%T", g.zPath, zPageName);
style_header("Append Comment To: %s", zPageName);
if( !goodCaptcha ){
@ <p class="generalError">Error: Incorrect security code.</p>
}
if( P("preview")!=0 ){
Blob preview;
blob_zero(&preview);
appendRemark(&preview);
@ Preview:<hr>
wiki_convert(&preview, 0, 0);
@ <hr>
|
| ︙ | ︙ | |||
556 557 558 559 560 561 562 563 564 565 566 567 568 569 |
@ Comment to append:<br />
@ <textarea name="r" class="wikiedit" cols="80"
@ rows="10" wrap="virtual">%h(PD("r",""))</textarea>
@ <br />
@ <input type="submit" name="preview" value="Preview Your Comment" />
@ <input type="submit" name="submit" value="Append Your Changes" />
@ <input type="submit" name="cancel" value="Cancel" />
@ </form>
style_footer();
}
/*
** Name of the wiki history page being generated
*/
| > | 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 |
@ Comment to append:<br />
@ <textarea name="r" class="wikiedit" cols="80"
@ rows="10" wrap="virtual">%h(PD("r",""))</textarea>
@ <br />
@ <input type="submit" name="preview" value="Preview Your Comment" />
@ <input type="submit" name="submit" value="Append Your Changes" />
@ <input type="submit" name="cancel" value="Cancel" />
captcha_generate();
@ </form>
style_footer();
}
/*
** Name of the wiki history page being generated
*/
|
| ︙ | ︙ |