On 10.11.2016 11:44, Xavier Combelle wrote:
> looks like a byte/unicode problem

This is likely, yes.

> I have little idea for the truncation but for the TypeError, looks like
> safe_str_equal seems the buggy one is
> a lot too much overkill, as it is very unlikely that someone would want
> to make a timing attack on captcha.
>
> So I would suggest as a quick fix to replace safe_str_equal by a classic ==
>
> A long term improvement would be to log the full stack trace on all
> exceptions

The truncation appears to be the result of this method:

http://hg.moinmo.in/moin/1.9/file/561b7a9c2bd9/MoinMoin/security/textcha.py#l175

which blindly removes characters from the question, in combination
with this bug:

http://hg.moinmo.in/moin/1.9/diff/561b7a9c2bd9/MoinMoin/security/textcha.py

(hmac.new() defaults to MD5, but the ._extract_form_values() method
removes data based on the length of an SHA1 hash)

I guess it would be better to use a regexp for splitting off the
hash and timestamp.

I'll apply the fix for the hmac.new() manually now.

> On 10/11/2016 at 10:42, M.-A. Lemburg wrote:
>> I checked the logs. They are full of entries like these:
>>
>> [Thu Nov 10 08:06:36 2016] [error] 2016-11-10 08:06:36,257 INFO
>> MoinMoin.security.textcha:159 TextCha: failure (u='x.x.x.x', a='van',
>> re='[Never match for cheaters]', q='What is van Rossum's fir',
>> rsn='TypeError during signature check')
>>
>> Here's the associated code:
>>
>> http://hg.moinmo.in/moin/1.9/file/561b7a9c2bd9/MoinMoin/security/textcha.py#l129
>>
>> What's strange is the truncated question and the TypeError.
>>
>> I've put Thomas Waldmann on CC. Perhaps he can add some more
>> insights.
>>
>> Thomas: I have upgraded the moin installation to 1.9.9 and
>> we're getting lots of textcha errors since then. Questions
>> get truncated and TypeErrors appear to prevent any textcha
>> from succeeding, it seems.
>>
>> Any ideas ?
>>
>> Thanks,
>
>
> _______________________________________________
> pydotorg-www mailing list
> pydotorg-www@python.org
> https://mail.python.org/mailman/listinfo/pydotorg-www
>

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Nov 10 2016)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> Python Database Interfaces ...           http://products.egenix.com/
>>> Plone/Zope Database Interfaces ...           http://zope.egenix.com/
________________________________________________________________________

::: We implement business ideas - efficiently in both time and costs :::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
                      http://www.malemburg.com/
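An added example, not code from this thread or from MoinMoin, that models the mismatch Marc-Andre describes. It assumes a textcha form value laid out as <question><timestamp><hex HMAC> with a fixed ten-digit timestamp, a fixed-width parser that hard-codes a SHA1-sized signature, and a signer that uses MD5 the way hmac.new() without a digestmod did on Python 2; the secret, question, timestamp and every function name are constructed for the example. Run as written it reproduces both symptoms from the quoted log line (the question cut short by the 8 surplus characters, then a TypeError once the timestamp slice is no longer digits) and shows the regexp split suggested above, with the signature width derived from the digest actually in use so signer and parser cannot drift apart.

```python
import hashlib
import hmac
import re

# Everything here is constructed for the example: secret, question, timestamp
# and the value layout are assumptions, not moin's real code or data.
SECRET = b"example-secret-not-real"
TIMESTAMP_LEN = 10      # assumed fixed-width epoch seconds (10 digits)
SHA1_HEX_LEN = 40       # signature width the fixed-width parser hard-codes
# hmac.new() without digestmod used MD5 on Python 2: a 32-char hexdigest.

QUESTION = u"What is van Rossum's first name?"  # constructed; log shows 24 chars
TIMESTAMP = 1478765000                           # constructed, 10 digits


def message(question, timestamp):
    """Bytes that get signed; '%d' raises TypeError when timestamp is None."""
    return (u"%s%d" % (question, timestamp)).encode("utf-8")


def sign(question, timestamp, digestmod):
    """Assumed form-value layout: <question><timestamp><hex HMAC>."""
    mac = hmac.new(SECRET, message(question, timestamp), digestmod).hexdigest()
    return u"%s%d%s" % (question, timestamp, mac)


def extract_fixed_len(value):
    """Fixed-width split that assumes a SHA1-sized signature whatever was used."""
    try:
        timestamp = int(value[-(SHA1_HEX_LEN + TIMESTAMP_LEN):-SHA1_HEX_LEN])
    except ValueError:
        timestamp = None    # the slice landed on question text, not digits
    signature = value[-SHA1_HEX_LEN:]
    question = value[:-(SHA1_HEX_LEN + TIMESTAMP_LEN)]
    return question, timestamp, signature


def verify(question, timestamp, signature, digestmod):
    """Returns a reason string in the style of the log's rsn= field."""
    try:
        expected = hmac.new(SECRET, message(question, timestamp),
                            digestmod).hexdigest()
    except TypeError:
        return "TypeError during signature check"
    if hmac.compare_digest(expected, signature):
        return "ok"
    return "signature mismatch"


def check_fixed_len(value, digestmod):
    question, timestamp, signature = extract_fixed_len(value)
    return question, verify(question, timestamp, signature, digestmod)


def make_regex_extractor(digestmod):
    """Regexp split: signature width comes from the digest in use, so the
    parser cannot disagree with the signer about how much to strip."""
    hex_len = digestmod().digest_size * 2
    pattern = re.compile(r"^(?P<q>.*)(?P<ts>\d{%d})(?P<sig>[0-9a-f]{%d})$"
                         % (TIMESTAMP_LEN, hex_len), re.S)

    def extract(value):
        m = pattern.match(value)
        if m is None:
            return None
        return m.group("q"), int(m.group("ts")), m.group("sig")
    return extract


def check_regex(value, digestmod):
    parsed = make_regex_extractor(digestmod)(value)
    if parsed is None:
        return None, "malformed textcha value"
    question, timestamp, signature = parsed
    return question, verify(question, timestamp, signature, digestmod)


def reproduce_symptom():
    """Signed with MD5, parsed assuming SHA1: the quoted log line."""
    return check_fixed_len(sign(QUESTION, TIMESTAMP, hashlib.md5), hashlib.md5)


def legacy_sha1_result():
    """Both sides on SHA1: the fixed-width parser only worked while they agreed."""
    return check_fixed_len(sign(QUESTION, TIMESTAMP, hashlib.sha1), hashlib.sha1)


def regex_parser_result():
    """Same MD5-signed value through the regexp parser: intact and verified."""
    return check_regex(sign(QUESTION, TIMESTAMP, hashlib.md5), hashlib.md5)


def tampered_result():
    """A question edited in the form is still rejected by the signature."""
    value = sign(QUESTION, TIMESTAMP, hashlib.md5).replace(u"Rossum", u"Rossun")
    return check_regex(value, hashlib.md5)


def malformed_result():
    return check_regex(u"no timestamp or signature here", hashlib.sha1)


if __name__ == "__main__":
    for fn in (reproduce_symptom, legacy_sha1_result, regex_parser_result,
               tampered_result, malformed_result):
        print(fn.__name__, fn())
```

In this model the TypeError comes from formatting a None timestamp into the signed message, not from the comparison itself, so the constant-time hmac.compare_digest is kept; the only change needed to stop the truncation is that the parser and the signer take their signature width from one place.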