[tor-commits] [bridgedb/develop] Use SSL when requesting CAPTCHAs from reCaptcha.

isis at torproject.org isis at torproject.org
Sun Mar 16 16:38:45 UTC 2014


commit ffbc3bd846ab8e4bf3229b89096775d8b2db0f34
Author: Isis Lovecruft <isis at torproject.org>
Date:   Sat Mar 1 03:18:01 2014 +0000

    Use SSL when requesting CAPTCHAs from reCaptcha.
    
    This sounds bad. It is. What's worse: this only fixes half the
    problem. The recaptcha.client.captcha.submit() function in the reCaptcha
    API [0] is hardcoded to submit the server's (in this case, BridgeDB's)
    private API key, the client's IP address (BridgeDB sends a faked one),
    and the client's solution to the CAPTCHA, all over HTTP, in glorious
    plaintext. Hooray.
    
    [0]: https://recaptcha.googlecode.com/svn/trunk/recaptcha-plugins/python/recaptcha/client/captcha.py
---
 lib/bridgedb/captcha.py |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bridgedb/captcha.py b/lib/bridgedb/captcha.py
index fea4b44..07b06d4 100644
--- a/lib/bridgedb/captcha.py
+++ b/lib/bridgedb/captcha.py
@@ -84,7 +84,7 @@ class ReCaptcha(Captcha):
         """
         if (self.pubkey == '') or (self.privkey == ''):
             raise ReCaptchaKeyError
-        urlbase = recaptcha.API_SERVER
+        urlbase = recaptcha.API_SSL_SERVER
         form = "/noscript?k=%s" % self.pubkey
 
         # extract and store image from captcha
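
Review bot: The switch at `urlbase = recaptcha.API_SSL_SERVER` only protects the challenge request if the code that opens `urlbase + form` validates the server certificate and hostname. That fetch is outside this hunk, so please confirm it does. Please also confirm that the image URL pulled out under `# extract and store image from captcha` is requested over HTTPS, rather than over whatever scheme the returned page happens to reference. Since the commit message says the submit() path still sends the private key in plaintext, a short comment or ticket reference next to this line recording that the verification half remains unfixed would keep the next reader from assuming the whole exchange is now encrypted.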




