Implementing a simple Math captcha. Independent from external services.
To solve the captcha, the user should do some math (it's a simple addition for now).
Go to Extension => Discovery
Install the new plugin, and enable it as the default captcha (in global config).
Go to password reset (or any other form that uses captcha)
Try to submit the form without a solution, then with valid and invalid values.
Note: to test with the "password reset" form you need to enable Debug in Global configuration.
Nothing
Works
Status | New | ⇒ | Pending |
Category | ⇒ | SQL Administration com_admin Postgresql Language & Strings Installation Layout Front End Plugins |
Labels | Added: Feature, Language Change, PR-5.1-dev |
If we can't have something useful like a schema plugin in core how can we have this?
it might be worth doing something similar to that of joomla-hidden-mail
hmhm, yea, some random markup could really be an improvement
how can we have this?
Are you saying it is not a good thing? Thank you very much :)
That's a philosophical question, which life throws at us every day :)
For now, we do not have "this" also ;)
It's just an idea that I have seen on other sites and thought that it is not that bad for a very basic captcha.
Can probably combine with "honeypot", will see.
@brianteeman are you referring to this one, #42710, right?
in my view remove all captcha from core +
This plugin would be a great benefit for the JED
if our goal is to have a lighter core...
anyway always hard to have a common opinion on this " dark matter" imho
Just a suggestion to check the answer by using the onDisplay function, maybe the following is useful?
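    public function onDisplay($name = null, $id = 'jform_captcha', $class = '')
    {
        // Escape the caller-supplied name and id before placing them in attributes.
        // The (string) cast avoids passing null to htmlspecialchars() when $name is omitted.
        $html = '<input type="text" name="' . htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8')
            . '" id="' . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8')
            . '" class="form-control validate-number required" autocomplete="off" required>';

        return $html;
    }
It's already in use within display(), to render the input.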
onDisplay is an old thing, in Joomla 5 we have a new api for Captcha, old onDisplay() changed to display()
https://manual.joomla.org/docs/building-extensions/plugins/captcha-plugin
Category | SQL Administration com_admin Postgresql Language & Strings Installation Layout Front End Plugins | ⇒ | SQL Administration com_admin Postgresql Language & Strings Installation Layout Libraries Front End Plugins |
hmhm, 237+4=241, maybe I need to add dots 2... when need to enter half of solution?
hmhm, 237+4=241, maybe I need to add dots 2... when need to enter half of solution?
Maybe 2 _ _? So the solution would be 41 and not 241?
hmhm, I think ... or __ can confuse even more?
I made it with a different text, maybe that's a bit better.
The result is visible in debug mode
That is fine, who can see your debug on live site?
I'm trying to test, but I do not see the sum with the input field.
Did you make it work? I guess something missing while applying the PR patch.
That is fine, who can see your debug on live site?
That's something to discuss. But there is a simple solution by adding .secret
Line 151-...
    $this->app->getSession()->set($this->sessionKey . '.result.secret', $solution);
    $this->app->getSession()->set($this->sessionKey . '.idx.secret', $this->inputIdx);
That is fine, who can see your debug on live site?
It happens sometimes, read: Joomla Community Magazine - How my new Joomla 4 website got hacked
In the end (below article):
... that her hacked website also was in debug mode
Maybe, but it's just a captcha
I will look
I have updated the code, now it is hidden in the debug bar
Did you make it work? I guess something missing while applying the PR patch.
No
Source code: no input field visible
<input type="email" inputmode="email" name="jform[email]" class="form-control validate-email required" id="jform_email" value="" size="30" autocomplete="email" required> </div>
</div>
<div class="control-group">
<div class="control-label"><label id="jform_captcha-lbl" for="jform_captcha" class="required">
Captcha<span class="star" aria-hidden="true"> *</span></label>
</div>
<div class="controls">
</div>
Please check whether the plugin is enabled, maybe you unpublished it by accident.
And whether all PHP plugin files are present:
layouts/plugins/captcha/math/mathcaptcha.php
libraries/src/Captcha/Captcha.php
plugins/captcha/math/math.xml
plugins/captcha/math/services/provider.php
plugins/captcha/math/src/Extension/Math.php
plugins/captcha/math/src/Provider/MathCaptchaProvider.php
Please check whether the plugin is enabled, maybe you unpublished it by accident.
And whether all PHP plugin files are present:
Fixed. The first two files from the list were not present. I have now added this.
I think a lot of people have trouble finding the right answer
Yeah, nowadays it's hard to do math without a calculator
It's also a pro, it gives time to think before submitting the form
And, as you may have noticed, it is random. Sometimes the user needs to enter the full number, and sometimes only the remaining digits.
Yeah, nowadays it's hard to do math without a calculator
Completely agree, although this may differ per country.
The following sum can be solved by most, in which one number is a multiple of 10 and the other number is between 0 and 9.
The question is whether such a captcha provides sufficient protection against external digital access by ensuring that only a person with the correct password can open the account?
The larger the range of the number to be entered, the smaller the chance of guessing the number.
The riddle updates on each request, and resets on each submit. There are also some other "invisible for human" things happening to confuse a regular bot. I do not think someone will brute-force the captcha.
I have tested this item unsuccessfully on a006b7a
I entered an invalid value and could nevertheless submit the form.
You can submit the form with any captcha, but there is an error message after that.
I have tested this item unsuccessfully on a006b7a
Second Test: captcha not displaying anymore.
I have tested this item unsuccessfully on a006b7a
Class "Joomla\Plugin\Captcha\Math\Extension\Math" not found
I have tested this item ✅ successfully on a006b7a
The question is whether the captcha is sufficiently understandable and manageable. See also my previous comment.
the following reads better for me than the text in brackets.
Is it equally good for 73+6=?
hmhm, I would like to keep 1 "unified" string,
Submitted the password reset form with the captcha blank and got no error message. It redirected to the verification page:
http://localhost/Joomla_5.1.0-alpha4-dev+pr.42777-Development-Full_Package/component/users/reset?layout=confirm&Itemid=101
Every time.
hm, no idea, I cannot reset the PW when the solution is empty, unless I totally disable the captcha.
Something wrong with installation?
@Quy can you please try adding dd($code); around here
joomla-cms/plugins/captcha/math/src/Provider/MathCaptchaProvider.php
Lines 166 to 168 in a006b7a
Do you still get the redirect, or debug with response?
Here is the response:
array:3 [
0 => ""
1 => ""
2 => ""
]
Okay, thanks, that is correct.
And if you do dd($code, $isOk, $solution, $inputIdx); before return
hmhm, it should be false in result.
It is still not working. I will investigate further to see why.
^ array:2 [▼
0 => ""
1 => ""
]
^ false
^ 536
^ 2
Thanks. Interesting.
The result is false, that is correct, but why it is ignored.
Ah, I found, the validation for "reset password" is ignored when Debug is OFF
It is working now with debug on.
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2024-03-19 13:47:37 |
Closed_By | ⇒ | Fedik |
Just wrote a mini scraper in Node.js and was easily able to obtain the question and calculate the answer.
Seeing as it's text based, it might be worth doing something similar to that of <joomla-hidden-mail>.
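The server-side behaviour discussed in this thread (a riddle regenerated on each request, reset on every submit, and a blank answer that must fail validation) is shown below as an added PHP example; it is not the plugin's code. The function names, the session key and the plain array standing in for the session are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const SOLUTION_KEY = 'captcha.math.solution'; // hypothetical session key

// Create a new riddle on every form render. Only the question text leaves
// the server; the solution stays in the session store.
function issueChallenge(array &$session): string
{
    $a = random_int(10, 999);
    $b = random_int(1, 9);
    $session[SOLUTION_KEY] = (string) ($a + $b);

    return sprintf('%d + %d = ?', $a, $b);
}

// Check a submitted answer. The stored solution is consumed on every attempt,
// pass or fail, so each guess requires fetching a fresh riddle first.
function verifyAnswer(array &$session, mixed $submitted): bool
{
    $expected = $session[SOLUTION_KEY] ?? null;
    unset($session[SOLUTION_KEY]);

    if (!is_string($expected) || !is_string($submitted)) {
        return false; // no riddle issued, replayed submit, or array-valued input
    }

    $submitted = trim($submitted);
    if (preg_match('/\A[0-9]{1,6}\z/', $submitted) !== 1) {
        return false; // blank or non-numeric input is a failure, never a skipped check
    }

    return hash_equals($expected, $submitted);
}

// Constructed demo: $session is a plain array, not a real session object.
$session = [];
echo issueChallenge($session), PHP_EOL;
$answer = $session[SOLUTION_KEY];

var_dump(verifyAnswer($session, ''));       // blank submit
var_dump(verifyAnswer($session, $answer));  // replay after the riddle was consumed

issueChallenge($session);
$answer = $session[SOLUTION_KEY];
var_dump(verifyAnswer($session, $answer));  // correct answer on a fresh riddle
```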