non trivially hackable challenge ;)

2017-07-12 17:34:26 +02:00 · 2017-07-12 17:34:26 +02:00 · 79d7ed3549
parent b0b3d375a3
commit 79d7ed3549
2 changed files with 34 additions and 11 deletions
--- a/world/default/en/html.textdb
+++ b/world/default/en/html.textdb
@ -1005,6 +1005,22 @@ _PAGES_error
 |
 |{_HTML_tail}

+_PAGES_group_challenge
+|<title>challenge for [_nick_place]@{_VAR_host}</title>
+|
+|{_HTML_head}
+|<div align="center">
+|<h1>[_challenge]</h1>
+|
+|## action="/@[_nick_place]" doesn't make it better
+|<form method="GET">
+|<input type="string" name="answer">
+|<input type="hidden" name="parameters" value="[_parameters]">
+|</form>
+|
+|</div>
+|{_HTML_tail}
+
 _PAGES_group_scratchpad
 |<title>scratchpad for [_nick_place]@{_VAR_host}</title>
 |
--- a/world/net/include/place.gen
+++ b/world/net/include/place.gen
@ -614,25 +614,32 @@ htget(prot, query, headers, qs) {
 #include <sys/regexp.h>

 htget(prot, query, headers, qs, data, noprocess) {
-	if (query["challenge"] == "complete")
+	// could use a hash of the password instead
+	if (stringp(headers["cookie"]) && regmatch(headers["cookie"],
+		 "challenge=complete&answer=" CHALLENGE_MATCH))
 	    return ::htget(prot, query, headers, qs, data, noprocess);
 	string item = headers[item] || "/@"+ MYNICK;
-	if (query["challenge"] == "given" &&
-# if __EFUN_DEFINED__(regmatch)
-	    stringp(query["answer"]) &&
-	    regmatch(lower_case(query["answer"]), CHALLENGE_MATCH, RE_MATCH_SUBS)
-# else
-	    query["answer"] == CHALLENGE_MATCH
-# endif
-	) {
-		htredirect(prot, item, "Reload, please", 0, "Set-Cookie: psyced=\"challenge=complete\"; path="+ item +";\n");
+	if (stringp(query["answer"]) &&
+	    regmatch(headers["cookie"], "challenge=given") &&
+	    regmatch(lower_case(query["answer"]), CHALLENGE_MATCH,
+		     RE_MATCH_SUBS)) {
+		// lazy me could have used referer here ;)
+		string nu = stringp(query["parameters"]) &&
+			     strlen(query["parameters"]) ?
+			 item +"?"+ query["parameters"] : item;
+		htredirect(prot, nu, "Reload, please", 0, "Set-Cookie: psycplace=\"challenge=complete&answer=" CHALLENGE_MATCH "\"; path="+ item +";\n");
 		return 1;
 	}
 	sTextPath(query["layout"], query["lang"], "html");
+	// using a non-psyced cookie here so that you can't construct a 
+	// url that allows other people to bypass the challenge.
 	// could add a timeout here...
-	htok3(prot, 0, "Set-Cookie: psyced=\"challenge=given\"; path="+ item +";\n");
+	htok3(prot, 0, "Set-Cookie: psycplace=\"challenge=given\"; path="+ item +";\n");
 	w("_PAGES_group_challenge", 0,
 	    ([ "_challenge" : htquote(CHALLENGE_QUESTION),
+		    // if the user failed the challenge,
+		    // we maintain the original qs for next attempt:
+	       "_parameters" : query["parameters"] || qs,
 	       "_nick_place" : MYNICK ]) );
 	printf("%O (%O) in %O\n", query, qs, headers);
 	return 1;