Closed Add timestamp/expiry to HMAC verification code in BridgeDB's local CAPTCHAs
  • Closed Issue created by Isis Lovecruft

    The CAPTCHAs created in legacy/trac#10809 (moved) are in the form:

    HMACFn := HMAC(HMAC_KEY, REQUEST_IP_ADDR)
    CAPTCHA_VERIFICATION := HMACFn(RSA_ENC(CAPTCHA_ANSWER))

    When they really should be more like:

    HMACFn := HMAC(HMAC_KEY, REQUEST_IP_ADDR)
    CAPTCHA_VERIFICATION := HMACFn(TIMESTAMP, RSA_ENC(CAPTCHA_ANSWER))

    See this commit message from the original branch. After adding the timestamp to the CAPTCHA_VERIFICATION creation in bridgedb.captcha.GimpCaptcha.createChallenge(), said timestamp should obviously be checked to ensure that it is not expired (according to some easily configurable expiration period) in bridgedb.captcha.GimpCaptcha.checkSolution().
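
The timestamped construction proposed in the issue, sketched as an added example; it is not part of the original issue and is not BridgeDB's code. Assumptions: HMAC-SHA256, a token layout of MAC || 8-byte timestamp || blob, the hypothetical function names below, and `enc_answer` standing in for RSA_ENC(CAPTCHA_ANSWER) as an opaque byte string.

```python
import hashlib
import hmac
import struct
import time

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes
TS_LEN = 8                              # big-endian unsigned 64-bit seconds

# Constructed sample values, for illustration only.
SAMPLE_KEY = b"constructed-hmac-key"
SAMPLE_BLOB = b"constructed-rsa-ciphertext"


def client_key(hmac_key, request_ip):
    """Key for HMACFn: HMAC(HMAC_KEY, REQUEST_IP_ADDR), binding tokens to one client."""
    return hmac.new(hmac_key, request_ip.encode("ascii"), hashlib.sha256).digest()


def create_verification(hmac_key, request_ip, enc_answer, now=None):
    """Return MAC || TIMESTAMP || enc_answer; the MAC covers timestamp and blob."""
    ts = struct.pack(">Q", int(time.time() if now is None else now))
    key = client_key(hmac_key, request_ip)
    tag = hmac.new(key, ts + enc_answer, hashlib.sha256).digest()
    return tag + ts + enc_answer


def check_verification(hmac_key, request_ip, token, max_age, now=None):
    """Return enc_answer if the token is authentic for this IP and unexpired, else None."""
    if len(token) < MAC_LEN + TS_LEN:
        return None
    tag, signed = token[:MAC_LEN], token[MAC_LEN:]
    key = client_key(hmac_key, request_ip)
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    # Authenticate first, in constant time; the timestamp is trusted only after this.
    if not hmac.compare_digest(tag, expected):
        return None
    (issued,) = struct.unpack(">Q", signed[:TS_LEN])
    now = int(time.time() if now is None else now)
    # Reject expired tokens and tokens dated in the future.
    if issued > now or now - issued > max_age:
        return None
    return signed[TS_LEN:]


if __name__ == "__main__":
    tok = create_verification(SAMPLE_KEY, "192.0.2.10", SAMPLE_BLOB, now=1000)
    print(check_verification(SAMPLE_KEY, "192.0.2.10", tok, max_age=600, now=1300))
    print(check_verification(SAMPLE_KEY, "192.0.2.10", tok, max_age=600, now=1601))
```

Because the timestamp sits inside the MACed data with a fixed width, a client cannot extend a token's lifetime by editing it, and `max_age` is the configurable expiration period the issue asks for.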
