RubyGems - rucaptcha - Versions diffs - 1.0.1 → 1.0.2 - Mend

rucaptcha 1.0.1 → 1.0.2

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +7 -0
data/README.md +14 -0
data/lib/rucaptcha/configuration.rb +1 -1
data/lib/rucaptcha/controller_helpers.rb +12 -39
data/lib/rucaptcha/engine.rb +9 -0
data/lib/rucaptcha/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4eeac0b904fbb23ad981f2a15be405045dd3ab36
-  data.tar.gz: 509df17c96e7b4c5e9a16d780a0140a57496c342
+  metadata.gz: 0a21e9918f323f2e1d72df0dec2186b77ca163f6
+  data.tar.gz: f061a697f5ba7dc28fc6e01ff31e19b402fa436e
 SHA512:
-  metadata.gz: ee75335b1a9494f3180976808f7f6bf15722c4d3fac3bf1ccccc58f519f81fac797cc3460a034ae58dc8c0dd5a825a4b86346c1f1802407a031ecd6187d201f4
-  data.tar.gz: 01dc3cf718968f2823f168f368bff69e2df8c056d5de7d285de44bd7284f449d191c98582425c9e550d8837cc3b58b53b9e1b7a6dc088659b65c1a1f8883c36e
+  metadata.gz: 646cbe8bbf5f2b9a6187cf3793d167085c5059099f118c84589abc097fe8160a56ad03dd83f34ad1c23eec252ccab9ee08a448b7aea30e22781a7dc45d6b3cd8
+  data.tar.gz: 43d06670a614bfb467537c6cb3af87686eacdb72d9ff9c518da1d53e7b956bef16c3c4ff4b74b9441d9828d35ab1a92e27d29d9afc4d0ba8240869fc3fef70b8

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,9 @@
+1.0.2
+- Revert 1.0.1 changes, still store code in Session, `Rails.cache` not a not place in difference environments.
+  for exampe: Not enable cache, File cache will have bug.
+- Give a warning when user use CookieStore.
 1.0.1
 -----
@@ -5,6 +11,7 @@
 - Fix Session replay secure issue that when Rails application use CookieStore.
 1.0.0
 -----

data/README.md CHANGED Viewed

@@ -45,6 +45,20 @@ brew install imagemagick ghostscript
 ## Usage
+**Security Notice!**
+You need change your application Session store from `CookieStore` (Rails default) to backend store location.
+- [:active_session_store](https://github.com/rails/activerecord-session_store)
+- [:memcached_store](http://api.rubyonrails.org/classes/ActionDispatch/Session/MemCacheStore.html)
+- [:redis_session_store](https://github.com/roidrage/redis-session-store)
+config/initializers/session_store.rb
+```rb
+Rails.application.config.session_store :redis_session_store, { ... }
+```
 Put rucaptcha in your `Gemfile`:
 ```

data/lib/rucaptcha/configuration.rb CHANGED Viewed

@@ -11,7 +11,7 @@ module RuCaptcha
     attr_accessor :cache_limit
     # Color style, default: :colorful, allows: [:colorful, :black_white]
     attr_accessor :style
-    # rucaptcha expire time, default 2 minutes
+    # session[:_rucaptcha] expire time, default 2 minutes
     attr_accessor :expires_in
   end
 end

data/lib/rucaptcha/controller_helpers.rb CHANGED Viewed

@@ -6,55 +6,28 @@ module RuCaptcha
       helper_method :verify_rucaptcha?
     end
-    def rucaptcha_sesion_key_key
-      ['rucaptcha-session', session.id].join(':')
-    end
     def generate_rucaptcha
-      code = RuCaptcha::Captcha.random_chars
-      Rails.cache.write(rucaptcha_sesion_key_key, {
-        code: code,
-        time: Time.now.to_i
-      })
+      session[:_rucaptcha]    = RuCaptcha::Captcha.random_chars
+      session[:_rucaptcha_at] = Time.now.to_i
-      RuCaptcha::Captcha.create(code)
+      RuCaptcha::Captcha.create(session[:_rucaptcha])
     end
     def verify_rucaptcha?(resource = nil)
-      store_info = Rails.cache.read(rucaptcha_sesion_key_key)
-      # make sure move used key
-      Rails.cache.delete(rucaptcha_sesion_key_key)
-      # Make sure session exist
-      if store_info.blank?
-        return add_rucaptcha_validation_error
-      end
-      # Make sure not expire
-      if (Time.now.to_i - store_info[:time]) > RuCaptcha.config.expires_in
-        return add_rucaptcha_validation_error
-      end
-      # Make sure parama have captcha
+      rucaptcha_at = session[:_rucaptcha_at].to_i
       captcha = (params[:_rucaptcha] || '').downcase.strip
-      if captcha.blank?
-        return add_rucaptcha_validation_error
-      end
-      if captcha != store_info[:code]
-        return add_rucaptcha_validation_error
+      # Captcha chars in Session expire in 2 minutes
+      valid = false
+      if (Time.now.to_i - rucaptcha_at) <= RuCaptcha.config.expires_in
+        valid = captcha.present? && captcha == session.delete(:_rucaptcha)
       end
-      true
-    end
-    private
-    def add_rucaptcha_validation_error
-      if defined?(resource) && resource && resource.respond_to?(:errors)
-        resource.errors.add(:base, t('rucaptcha.invalid'))
+      if resource && resource.respond_to?(:errors)
+        resource.errors.add(:base, t('rucaptcha.invalid')) unless valid
       end
-      false
+      valid
     end
   end
 end

data/lib/rucaptcha/engine.rb CHANGED Viewed

@@ -7,6 +7,15 @@ module RuCaptcha
       if RuCaptcha.config.cache_limit >= 1
         RuCaptcha::Captcha.send(:prepend, RuCaptcha::Cache)
       end
+      if Rails.application.config.session_store.name.match(/CookieStore/)
+        puts %(
+[RuCaptcha] Your application session has use #{Rails.application.config.session_store}
+this may have Session [Replay Attacks] secure issue in RuCaptcha case.
+We suggest you change it to backend [:active_record_store, :redis_session_store]
+http://guides.rubyonrails.org/security.html#replay-attacks-for-cookiestore-sessions)
+        puts ""
+      end
     end
   end
 end

data/lib/rucaptcha/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module RuCaptcha
-  VERSION = '1.0.1'
+  VERSION = '1.0.2'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rucaptcha
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - Jason Lee
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-10-14 00:00:00.000000000 Z
+date: 2016-10-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties