Description
I configured TextCha in wikiconfig.py. Then I tried to sign up as a new user, but passing the proper TextCha always gives me an error. Looking into the logs shows:
2018-07-10 22:29:03,673 WARNING MoinMoin.security.textcha:108 TextCha: Non-existing question 'MY_QUESTION_TRUNCATED'. User 'XXX.XXX.XXX.XXX' trying to cheat?
2018-07-10 22:29:03,673 INFO MoinMoin.security.textcha:159 TextCha: failure (u='XXX.XXX.XXX.XXX', a='MY_ANSWER', re='[Never match for cheaters]', q='MY_QUESTION_TRUNCATED', rsn='TypeError during signature check')
Where MY_QUESTION_TRUNCATED is a truncated version of my real TextCha question. In the web form the question is shown properly, and looking inside the web form's HTML source also shows the right question in the hidden input field.
Steps to reproduce
See above
Component selection
It seems that commit http://hg.moinmo.in/moin/1.9/rev/500f68d3e2fd (remove our own usage of python_compatibility module) introduced the bug, as Python 2.7 by default uses MD5 when no digest is given to hmac.new(), but SHA-1 is expected to be used, resulting in a different hash digest length. The problem seems to be in MoinMoin/security/textcha.py, as applying the following patch fixes the error for me:
--- lib/python2.7/site-packages/MoinMoin/security/textcha.py.orig 2018-07-10 23:34:30.982247336 +0200 +++ lib/python2.7/site-packages/MoinMoin/security/textcha.py 2018-07-10 23:27:21.617144274 +0200 @@ -20,6 +20,7 @@ @license: GNU GPL, see COPYING for details. """ import hmac +import hashlib import re import random @@ -84,7 +85,7 @@ def _compute_signature(self, question, timestamp): signature = u"%s%d" % (question, timestamp) - return hmac.new(self.secret, signature.encode('utf-8')).hexdigest() + return hmac.new(self.secret, signature.encode('utf-8'), digestmod=hashlib.sha1).hexdigest() def _init_qa(self, question=None): """ Initialize the question / answer.
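Review bot: In the second hunk, the new hmac.new(...) call in _compute_signature pins digestmod=hashlib.sha1 with no comment saying why. A one-line comment that the digest has to be named explicitly, because hmac.new() falls back to MD5 on Python 2.7 and the signature length then changes, would keep the argument from being dropped again in a later cleanup. Separately, the unchanged context line signature = u"%s%d" % (question, timestamp) joins the question and the timestamp with no delimiter, so a question ending in digits and a shorter timestamp can yield the same signed string; a separator between the two fields would remove that ambiguity.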
Details
MoinMoin Version | 1.9.9 |
OS and Version | Ubuntu 14.04.5 |
Python Version | 2.7.6 |
Server Setup | uwsgi and python virtual-environment |
Server Details | |
Language you are using the wiki in (set in the browser/UserPreferences) | en |
Workaround
Discussion
Plan
- Priority:
- Assigned to:
Status: bug fixed in git now. The bug has already been patched for a long time; quote from the MoinMoinDownload page:
Download: MoinMoin 1.9.9 tar.gz (gpg signature) You also need to apply this bugfix patch, sorry: https://bitbucket.org/thomaswaldmann/moin-1.9/commits/561b7a9c2bd91b61d26cd8a5f39aa36bf5c6159e
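The digest-length mismatch described under Component selection, as an added example that is not MoinMoin's own code: a verifier that slices a fixed SHA-1-sized signature off a field truncates the question when the signer produced a shorter MD5 HMAC, matching the "Non-existing question" log line. The field layout (question followed by the hex signature), the secret, the sample question and the timestamp are assumptions constructed for this sketch.

```python
import hashlib
import hmac

SHA1_HEX_LEN = hashlib.sha1().digest_size * 2   # 40 hex characters
SECRET = b"constructed-demo-secret"             # constructed sample key
QUESTIONS = {u"What is the name of this wiki engine?"}  # constructed sample
TS = 1531254543                                 # constructed sample timestamp


def sign(question, timestamp, digestmod):
    """HMAC over question+timestamp, same message format as the patch."""
    msg = (u"%s%d" % (question, timestamp)).encode("utf-8")
    return hmac.new(SECRET, msg, digestmod=digestmod).hexdigest()


def make_field(question, timestamp, digestmod):
    # Hypothetical hidden-field layout: question text, then the hex signature.
    return question + sign(question, timestamp, digestmod)


def check_field(field, timestamp, known_questions):
    """Verifier that assumes a SHA-1-sized signature at the end of the field."""
    question, signature = field[:-SHA1_HEX_LEN], field[-SHA1_HEX_LEN:]
    if question not in known_questions:
        return (False, question, "non-existing question")
    expected = sign(question, timestamp, hashlib.sha1)
    # Constant-time comparison of the two hex strings.
    if not hmac.compare_digest(expected.encode("utf-8"), signature.encode("utf-8")):
        return (False, question, "bad signature")
    return (True, question, "ok")


def demo():
    q = next(iter(QUESTIONS))
    # Python 2.7 picks MD5 when hmac.new() gets no digestmod; hashlib.md5 is
    # passed explicitly here to reproduce that default on Python 3.
    broken = check_field(make_field(q, TS, hashlib.md5), TS, QUESTIONS)
    fixed = check_field(make_field(q, TS, hashlib.sha1), TS, QUESTIONS)
    return broken, fixed


if __name__ == "__main__":
    for label, result in zip(("md5 default", "sha1 explicit"), demo()):
        print(label, result)
```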