rucaptcha 1.0.1 → 1.0.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/README.md +14 -0
- data/lib/rucaptcha/configuration.rb +1 -1
- data/lib/rucaptcha/controller_helpers.rb +12 -39
- data/lib/rucaptcha/engine.rb +9 -0
- data/lib/rucaptcha/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0a21e9918f323f2e1d72df0dec2186b77ca163f6
|
4
|
+
data.tar.gz: f061a697f5ba7dc28fc6e01ff31e19b402fa436e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 646cbe8bbf5f2b9a6187cf3793d167085c5059099f118c84589abc097fe8160a56ad03dd83f34ad1c23eec252ccab9ee08a448b7aea30e22781a7dc45d6b3cd8
|
7
|
+
data.tar.gz: 43d06670a614bfb467537c6cb3af87686eacdb72d9ff9c518da1d53e7b956bef16c3c4ff4b74b9441d9828d35ab1a92e27d29d9afc4d0ba8240869fc3fef70b8
|
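--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,9 @@
+1.0.2
+
+- Revert 1.0.1 changes, still store code in Session, `Rails.cache` not a not place in difference environments.
+for exampe: Not enable cache, File cache will have bug.
+- Give a warning when user use CookieStore.
+
 1.0.1
 -----
 
@@ -5,6 +11,7 @@
 
 - Fix Session replay secure issue that when Rails application use CookieStore.
 
+
 1.0.0
 -----
 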
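--- a/data/README.md
+++ b/data/README.md
@@ -45,6 +45,20 @@ brew install imagemagick ghostscript
 
 ## Usage
 
+**Security Notice!**
+
+You need change your application Session store from `CookieStore` (Rails default) to backend store location.
+
+- [:active_session_store](https://github.com/rails/activerecord-session_store)
+- [:memcached_store](http://api.rubyonrails.org/classes/ActionDispatch/Session/MemCacheStore.html)
+- [:redis_session_store](https://github.com/roidrage/redis-session-store)
+
+config/initializers/session_store.rb
+
+```rb
+Rails.application.config.session_store :redis_session_store, { ... }
+```
+
 Put rucaptcha in your `Gemfile`:
 
 ```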
@@ -11,7 +11,7 @@ module RuCaptcha
|
|
11
11
|
attr_accessor :cache_limit
|
12
12
|
# Color style, default: :colorful, allows: [:colorful, :black_white]
|
13
13
|
attr_accessor :style
|
14
|
-
#
|
14
|
+
# session[:_rucaptcha] expire time, default 2 minutes
|
15
15
|
attr_accessor :expires_in
|
16
16
|
end
|
17
17
|
end
|
@@ -6,55 +6,28 @@ module RuCaptcha
|
|
6
6
|
helper_method :verify_rucaptcha?
|
7
7
|
end
|
8
8
|
|
9
|
-
def rucaptcha_sesion_key_key
|
10
|
-
['rucaptcha-session', session.id].join(':')
|
11
|
-
end
|
12
|
-
|
13
9
|
def generate_rucaptcha
|
14
|
-
|
15
|
-
|
16
|
-
code: code,
|
17
|
-
time: Time.now.to_i
|
18
|
-
})
|
10
|
+
session[:_rucaptcha] = RuCaptcha::Captcha.random_chars
|
11
|
+
session[:_rucaptcha_at] = Time.now.to_i
|
19
12
|
|
20
|
-
RuCaptcha::Captcha.create(
|
13
|
+
RuCaptcha::Captcha.create(session[:_rucaptcha])
|
21
14
|
end
|
22
15
|
|
23
16
|
def verify_rucaptcha?(resource = nil)
|
24
|
-
|
25
|
-
# make sure move used key
|
26
|
-
Rails.cache.delete(rucaptcha_sesion_key_key)
|
27
|
-
|
28
|
-
# Make sure session exist
|
29
|
-
if store_info.blank?
|
30
|
-
return add_rucaptcha_validation_error
|
31
|
-
end
|
32
|
-
|
33
|
-
# Make sure not expire
|
34
|
-
if (Time.now.to_i - store_info[:time]) > RuCaptcha.config.expires_in
|
35
|
-
return add_rucaptcha_validation_error
|
36
|
-
end
|
37
|
-
|
38
|
-
# Make sure parama have captcha
|
17
|
+
rucaptcha_at = session[:_rucaptcha_at].to_i
|
39
18
|
captcha = (params[:_rucaptcha] || '').downcase.strip
|
40
|
-
if captcha.blank?
|
41
|
-
return add_rucaptcha_validation_error
|
42
|
-
end
|
43
19
|
|
44
|
-
|
45
|
-
|
20
|
+
# Captcha chars in Session expire in 2 minutes
|
21
|
+
valid = false
|
22
|
+
if (Time.now.to_i - rucaptcha_at) <= RuCaptcha.config.expires_in
|
23
|
+
valid = captcha.present? && captcha == session.delete(:_rucaptcha)
|
46
24
|
end
|
47
25
|
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
private
|
52
|
-
|
53
|
-
def add_rucaptcha_validation_error
|
54
|
-
if defined?(resource) && resource && resource.respond_to?(:errors)
|
55
|
-
resource.errors.add(:base, t('rucaptcha.invalid'))
|
26
|
+
if resource && resource.respond_to?(:errors)
|
27
|
+
resource.errors.add(:base, t('rucaptcha.invalid')) unless valid
|
56
28
|
end
|
57
|
-
|
29
|
+
|
30
|
+
valid
|
58
31
|
end
|
59
32
|
end
|
60
33
|
end
|
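Review bot: The comparison `captcha == session.delete(:_rucaptcha)` on new line 23 is a plain string equality on a secret value; `ActiveSupport::SecurityUtils.secure_compare(captcha, session.delete(:_rucaptcha).to_s)` avoids leaking match progress through timing and also tolerates a session with no stored code. The new comment `# Captcha chars in Session expire in 2 minutes` on new line 20 hard-codes a value that the check actually reads from `RuCaptcha.config.expires_in` (documented as configurable with a 2 minute default in the configuration.rb hunk); suggest `# Captcha chars in Session expire after RuCaptcha.config.expires_in seconds (default 2 minutes)`. Since the one-time consumption via `session.delete` only holds when the session lives server-side, a short comment above `verify_rucaptcha?` pointing at the CookieStore replay warning emitted in engine.rb would help the next maintainer. The enclosing `module RuCaptcha` and its inner module start outside the hunk.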
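--- a/data/lib/rucaptcha/engine.rb
+++ b/data/lib/rucaptcha/engine.rb
@@ -7,6 +7,15 @@ module RuCaptcha
 if RuCaptcha.config.cache_limit >= 1
 RuCaptcha::Captcha.send(:prepend, RuCaptcha::Cache)
 end
+
+if Rails.application.config.session_store.name.match(/CookieStore/)
+puts %(
+[RuCaptcha] Your application session has use #{Rails.application.config.session_store}
+this may have Session [Replay Attacks] secure issue in RuCaptcha case.
+We suggest you change it to backend [:active_record_store, :redis_session_store]
+http://guides.rubyonrails.org/security.html#replay-attacks-for-cookiestore-sessions)
+puts ""
+end
 end
 end
 end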
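Review bot: `Rails.application.config.session_store.name` on new line 11 raises `NoMethodError` at boot when the configured store resolves to `nil`, which is what the accessor returns for `session_store :disabled` (as far as I recall the default for API-only applications); guard it with `store = Rails.application.config.session_store` followed by `if store && store.name =~ /CookieStore/`. The warning goes to stdout via `puts`, where it is easy to miss once the process runs under a server; `Rails.logger.warn` would keep it with the rest of the boot output, if the logger is available at this point of initialization. The enclosing `module RuCaptcha` and the initializer block start outside the hunk.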
data/lib/rucaptcha/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rucaptcha
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.0.
|
4
|
+
version: 1.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jason Lee
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-10-
|
11
|
+
date: 2016-10-26 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: railties
|