
non trivially hackable challenge ;)

This commit is contained in:
psyc://loupsycedyglgamf.onion/~lynX 2017-07-12 17:34:26 +02:00
parent b0b3d375a3
commit 79d7ed3549
2 changed files with 34 additions and 11 deletions


@ -1005,6 +1005,22 @@ _PAGES_error
| |
|{_HTML_tail} |{_HTML_tail}
_PAGES_group_challenge
|<title>challenge for [_nick_place]@{_VAR_host}</title>
|
|{_HTML_head}
|<div align="center">
|<h1>[_challenge]</h1>
|
|## action="/@[_nick_place]" doesn't make it better
|<form method="GET">
|<input type="string" name="answer">
|<input type="hidden" name="parameters" value="[_parameters]">
|</form>
|
|</div>
|{_HTML_tail}
_PAGES_group_scratchpad _PAGES_group_scratchpad
|<title>scratchpad for [_nick_place]@{_VAR_host}</title> |<title>scratchpad for [_nick_place]@{_VAR_host}</title>
| |
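Review bot: `<input type="string" name="answer">` in the new _PAGES_group_challenge form uses an input type HTML does not define; browsers silently fall back to a text field, so the intended markup is `<input type="text" name="answer">`. The form also has no submit control, which makes submission depend on the Enter key in that single field; an explicit `<input type="submit">` would make the page usable without that assumption. The hidden `parameters` field interpolates [_parameters] directly into an attribute value, so whichever side fills that slot must attribute-escape it; this hunk alone cannot show whether the textdb substitution does so.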


@ -614,25 +614,32 @@ htget(prot, query, headers, qs) {
#include <sys/regexp.h> #include <sys/regexp.h>
htget(prot, query, headers, qs, data, noprocess) { htget(prot, query, headers, qs, data, noprocess) {
if (query["challenge"] == "complete") // could use a hash of the password instead
if (stringp(headers["cookie"]) && regmatch(headers["cookie"],
"challenge=complete&answer=" CHALLENGE_MATCH))
return ::htget(prot, query, headers, qs, data, noprocess); return ::htget(prot, query, headers, qs, data, noprocess);
string item = headers[item] || "/@"+ MYNICK; string item = headers[item] || "/@"+ MYNICK;
if (query["challenge"] == "given" && if (stringp(query["answer"]) &&
# if __EFUN_DEFINED__(regmatch) regmatch(headers["cookie"], "challenge=given") &&
stringp(query["answer"]) && regmatch(lower_case(query["answer"]), CHALLENGE_MATCH,
regmatch(lower_case(query["answer"]), CHALLENGE_MATCH, RE_MATCH_SUBS) RE_MATCH_SUBS)) {
# else // lazy me could have used referer here ;)
query["answer"] == CHALLENGE_MATCH string nu = stringp(query["parameters"]) &&
# endif strlen(query["parameters"]) ?
) { item +"?"+ query["parameters"] : item;
htredirect(prot, item, "Reload, please", 0, "Set-Cookie: psyced=\"challenge=complete\"; path="+ item +";\n"); htredirect(prot, nu, "Reload, please", 0, "Set-Cookie: psycplace=\"challenge=complete&answer=" CHALLENGE_MATCH "\"; path="+ item +";\n");
return 1; return 1;
} }
sTextPath(query["layout"], query["lang"], "html"); sTextPath(query["layout"], query["lang"], "html");
// using a non-psyced cookie here so that you can't construct a
// url that allows other people to bypass the challenge.
// could add a timeout here... // could add a timeout here...
htok3(prot, 0, "Set-Cookie: psyced=\"challenge=given\"; path="+ item +";\n"); htok3(prot, 0, "Set-Cookie: psycplace=\"challenge=given\"; path="+ item +";\n");
w("_PAGES_group_challenge", 0, w("_PAGES_group_challenge", 0,
([ "_challenge" : htquote(CHALLENGE_QUESTION), ([ "_challenge" : htquote(CHALLENGE_QUESTION),
// if the user failed the challenge,
// we maintain the original qs for next attempt:
"_parameters" : query["parameters"] || qs,
"_nick_place" : MYNICK ]) ); "_nick_place" : MYNICK ]) );
printf("%O (%O) in %O\n", query, qs, headers); printf("%O (%O) in %O\n", query, qs, headers);
return 1; return 1;
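Review bot: The new condition `regmatch(headers["cookie"], "challenge=given") &&` hands headers["cookie"] to regmatch without first checking that it is a string, whereas the "complete" branch added two lines earlier guards the same header with `stringp(headers["cookie"])`; a request that carries no Cookie header therefore reaches regmatch with a non-string in the "given" path. Writing it as `stringp(headers["cookie"]) && regmatch(headers["cookie"], "challenge=given") &&` keeps the two branches consistent. Separately, `"_parameters" : query["parameters"] || qs` is passed to the template, where it lands inside the hidden input's value attribute, without htquote(), while `_challenge` on the line above is htquote'd; since both query and qs come from the request, `"_parameters" : htquote(query["parameters"] || qs)` is the consistent form unless the template substitution escapes attribute values itself, which this hunk does not show. htget's closing brace lies outside the hunk.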