diff --git a/world/default/en/html.textdb b/world/default/en/html.textdb
index 15519f1..11d9dc1 100644
--- a/world/default/en/html.textdb
+++ b/world/default/en/html.textdb
@@ -1005,6 +1005,22 @@ _PAGES_error
|
|{_HTML_tail}
+_PAGES_group_challenge
+|
challenge for [_nick_place]@{_VAR_host}
+|
+|{_HTML_head}
+|
+|
[_challenge]
+|
+|## action="/@[_nick_place]" doesn't make it better
+|
+|
+|
+|{_HTML_tail}
+
_PAGES_group_scratchpad
|scratchpad for [_nick_place]@{_VAR_host}
|
diff --git a/world/net/include/place.gen b/world/net/include/place.gen
index 6376a81..0331277 100644
--- a/world/net/include/place.gen
+++ b/world/net/include/place.gen
@@ -614,25 +614,32 @@ htget(prot, query, headers, qs) {
#include
htget(prot, query, headers, qs, data, noprocess) {
- if (query["challenge"] == "complete")
+ // could use a hash of the password instead
+ if (stringp(headers["cookie"]) && regmatch(headers["cookie"],
+ "challenge=complete&answer=" CHALLENGE_MATCH))
return ::htget(prot, query, headers, qs, data, noprocess);
string item = headers[item] || "/@"+ MYNICK;
- if (query["challenge"] == "given" &&
-# if __EFUN_DEFINED__(regmatch)
- stringp(query["answer"]) &&
- regmatch(lower_case(query["answer"]), CHALLENGE_MATCH, RE_MATCH_SUBS)
-# else
- query["answer"] == CHALLENGE_MATCH
-# endif
- ) {
- htredirect(prot, item, "Reload, please", 0, "Set-Cookie: psyced=\"challenge=complete\"; path="+ item +";\n");
+ if (stringp(query["answer"]) &&
+ regmatch(headers["cookie"], "challenge=given") &&
+ regmatch(lower_case(query["answer"]), CHALLENGE_MATCH,
+ RE_MATCH_SUBS)) {
+ // lazy me could have used referer here ;)
+ string nu = stringp(query["parameters"]) &&
+ strlen(query["parameters"]) ?
+ item +"?"+ query["parameters"] : item;
+ htredirect(prot, nu, "Reload, please", 0, "Set-Cookie: psycplace=\"challenge=complete&answer=" CHALLENGE_MATCH "\"; path="+ item +";\n");
return 1;
}
sTextPath(query["layout"], query["lang"], "html");
+ // using a non-psyced cookie here so that you can't construct a
+ // url that allows other people to bypass the challenge.
// could add a timeout here...
- htok3(prot, 0, "Set-Cookie: psyced=\"challenge=given\"; path="+ item +";\n");
+ htok3(prot, 0, "Set-Cookie: psycplace=\"challenge=given\"; path="+ item +";\n");
w("_PAGES_group_challenge", 0,
([ "_challenge" : htquote(CHALLENGE_QUESTION),
+ // if the user failed the challenge,
+ // we maintain the original qs for next attempt:
+ "_parameters" : query["parameters"] || qs,
"_nick_place" : MYNICK ]) );
printf("%O (%O) in %O\n", query, qs, headers);
return 1;
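Review bot: The request-supplied `parameters` value is used unescaped in two places in htget: it is handed to the template as `"_parameters" : query["parameters"] || qs`, next to `_challenge`, which does go through htquote(), and it is appended to the redirect target in `item +"?"+ query["parameters"]`. Unless w() and htredirect() quote their arguments themselves (not visible here), the first reflects markup into the challenge page and the second lets CR/LF reach the response headers; I would write `"_parameters" : htquote(query["parameters"] || qs),` (assuming one of the two is always a string) and reject control characters before building `nu`. The answer branch also calls `regmatch(headers["cookie"], "challenge=given")` without the `stringp(headers["cookie"]) &&` guard that the first check has, so a request carrying `answer` but no Cookie header passes a non-string to regmatch. The completion cookie embeds the CHALLENGE_MATCH text itself, so it is identical for every visitor, has no lifetime, and discloses the accepted-answer pattern to the client; if that pattern contains regex metacharacters, the literal text may not even match itself in the first check. The hash that the new comment mentions, made place-specific and given an expiry, would address both, and the body of htget continues past the end of this hunk.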