commit ffbc3bd846ab8e4bf3229b89096775d8b2db0f34 Author: Isis Lovecruft isis@torproject.org Date: Sat Mar 1 03:18:01 2014 +0000
Use SSL when requesting CAPCHAs from reCaptcha.
This sounds bad. It is. What's worse: this only fixes half the problem. The recaptcha.client.captcha.submit() function in the reCaptcha API [0] is hardcoded to submit the server's (in this case, BridgeDB's) private API key, the client's IP address (BridgeDB sends a faked one), and the client's solution to the CAPTCHA, all over HTTP, in glorious plaintext. Hooray.
[0]: https://recaptcha.googlecode.com/svn/trunk/recaptcha-plugins/python/recaptch... --- lib/bridgedb/captcha.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/bridgedb/captcha.py b/lib/bridgedb/captcha.py index fea4b44..07b06d4 100644 --- a/lib/bridgedb/captcha.py +++ b/lib/bridgedb/captcha.py @@ -84,7 +84,7 @@ class ReCaptcha(Captcha): """ if (self.pubkey == '') or (self.privkey == ''): raise ReCaptchaKeyError - urlbase = recaptcha.API_SERVER + urlbase = recaptcha.API_SSL_SERVER form = "/noscript?k=%s" % self.pubkey
# extract and store image from captcha