On 10.11.2016 13:07, M.-A. Lemburg wrote:
> On 10.11.2016 11:44, Xavier Combelle wrote:
>> looks like a byte/unicode problem
>
> This is likely, yes.
>
>> I have little idea for the truncation but for the TypeError, looks like
>> safe_str_equal seems the buggy one is
>> a lot too much overkill, as it is very unlikely that someone would want
>> to make a timing attack on captcha.
>>
>> So I would suggest as a quick fix to replace safe_str_equal by a classic ==
>>
>> A long term improvement would be to log the full stack trace on all
>> exceptions
>
> The truncation appears to be the result of this method:
>
> http://hg.moinmo.in/moin/1.9/file/561b7a9c2bd9/MoinMoin/security/textcha.py#l175
>
> which blindly removes characters from the question in combination
> with this bug:
>
> http://hg.moinmo.in/moin/1.9/diff/561b7a9c2bd9/MoinMoin/security/textcha.py
>
> (hmac.new() defaults to MD5, but the ._extract_form_values() method
> removes data based on the length of an SHA1 hash)
>
> I guess it would be better to use a regexp for splitting off
> the hash and timestamp.
>
> I'll apply the fix for the hmac.new() manually now.

After applying the patch, the problem with the truncation appears to have gone. I was also able to successfully edit pages.

Could you please also try and check?

Thanks.

>> On 10/11/2016 at 10:42, M.-A. Lemburg wrote:
>>> I checked the logs. They are full of entries like these:
>>>
>>> [Thu Nov 10 08:06:36 2016] [error] 2016-11-10 08:06:36,257 INFO
>>> MoinMoin.security.textcha:159 TextCha: failure (u='x.x.x.x', a='van',
>>> re='[Never match for cheaters]', q='What is van Rossum's fir',
>>> rsn='TypeError during signature check')
>>>
>>> Here's the associated code:
>>>
>>> http://hg.moinmo.in/moin/1.9/file/561b7a9c2bd9/MoinMoin/security/textcha.py#l129
>>>
>>> What's strange is the truncated question and the TypeError.
>>>
>>> I've put Thomas Waldmann on CC. Perhaps he can add some more
>>> insights.
>>>
>>> Thomas: I have upgraded the moin installation to 1.9.9 and
>>> we're getting lots of textcha errors since then. Questions
>>> get truncated and TypeErrors appear to prevent any textcha
>>> from succeeding, it seems.
>>>
>>> Any ideas?
>>>
>>> Thanks,
>>
>>
>> _______________________________________________
>> pydotorg-www mailing list
>> pydotorg-www@python.org
>> https://mail.python.org/mailman/listinfo/pydotorg-www
>>
>

-- 
Marc-Andre Lemburg
eGenix.com
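The mismatch described in this message (MD5-length signature, SHA1-length slicing) and the suggested regexp split can be reproduced with the following added example, which is not code from the thread or from MoinMoin. The token layout (question, 10-digit timestamp, hex HMAC, concatenated), the function names, the secret and the sample values are all assumptions made for illustration.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"   # constructed sample secret
DIGEST = "sha1"                    # one setting shared by signer and parser
MAC_LEN = hashlib.new(DIGEST).digest_size * 2   # hex length derived, not hard-coded
# Assumed layout: <question><10-digit timestamp><hex HMAC>
TOKEN_RE = re.compile(
    r"^(?P<q>.*)(?P<ts>\d{10})(?P<mac>[0-9a-f]{%d})$" % MAC_LEN, re.DOTALL)


def _mac(question, ts, digest):
    # Encode once to bytes so the HMAC input is never a str/bytes mix.
    msg = ("%s%010d" % (question, ts)).encode("utf-8")
    return hmac.new(SECRET, msg, digest).hexdigest()


def sign(question, ts, digest=DIGEST):
    return "%s%010d%s" % (question, ts, _mac(question, ts, digest))


def split_fixed(token):
    """Failure mode: always slice off 40 hex chars, whatever digest signed it."""
    return token[:-50], token[-50:-40], token[-40:]


def verify(token):
    """Split with the anchored regexp, then compare in constant time."""
    m = TOKEN_RE.match(token)
    if m is None:
        return None
    question, ts, mac = m.group("q"), int(m.group("ts")), m.group("mac")
    expected = _mac(question, ts, DIGEST)
    # Both sides are ASCII hex; compare bytes with bytes to avoid a TypeError.
    if hmac.compare_digest(expected.encode("ascii"), mac.encode("ascii")):
        return question
    return None


if __name__ == "__main__":
    q, ts = "What is 2 + 3, as a word?", 1478779596   # constructed sample
    print(repr(split_fixed(sign(q, ts, "md5"))[0]))   # question loses 8 chars
    print(repr(verify(sign(q, ts))))                  # full question recovered
```

A 32-character MD5 hex digest cut with a 40-character slice takes 8 characters too many, so the fixed-offset parser shortens the question by 8 characters.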