mirror of
git://git.psyced.org/git/psyced
synced 2024-08-15 03:25:10 +00:00
non trivially hackable challenge ;)
This commit is contained in:
parent
b0b3d375a3
commit
79d7ed3549
2 changed files with 34 additions and 11 deletions
|
@ -1005,6 +1005,22 @@ _PAGES_error
|
|||
|
|
||||
|{_HTML_tail}
|
||||
|
||||
_PAGES_group_challenge
|
||||
|<title>challenge for [_nick_place]@{_VAR_host}</title>
|
||||
|
|
||||
|{_HTML_head}
|
||||
|<div align="center">
|
||||
|<h1>[_challenge]</h1>
|
||||
|
|
||||
|## action="/@[_nick_place]" doesn't make it better
|
||||
|<form method="GET">
|
||||
|<input type="string" name="answer">
|
||||
|<input type="hidden" name="parameters" value="[_parameters]">
|
||||
|</form>
|
||||
|
|
||||
|</div>
|
||||
|{_HTML_tail}
|
||||
|
||||
_PAGES_group_scratchpad
|
||||
|<title>scratchpad for [_nick_place]@{_VAR_host}</title>
|
||||
|
|
||||
|
|
|
@ -614,25 +614,32 @@ htget(prot, query, headers, qs) {
|
|||
#include <sys/regexp.h>
|
||||
|
||||
htget(prot, query, headers, qs, data, noprocess) {
|
||||
if (query["challenge"] == "complete")
|
||||
// could use a hash of the password instead
|
||||
if (stringp(headers["cookie"]) && regmatch(headers["cookie"],
|
||||
"challenge=complete&answer=" CHALLENGE_MATCH))
|
||||
return ::htget(prot, query, headers, qs, data, noprocess);
|
||||
string item = headers[item] || "/@"+ MYNICK;
|
||||
if (query["challenge"] == "given" &&
|
||||
# if __EFUN_DEFINED__(regmatch)
|
||||
stringp(query["answer"]) &&
|
||||
regmatch(lower_case(query["answer"]), CHALLENGE_MATCH, RE_MATCH_SUBS)
|
||||
# else
|
||||
query["answer"] == CHALLENGE_MATCH
|
||||
# endif
|
||||
) {
|
||||
htredirect(prot, item, "Reload, please", 0, "Set-Cookie: psyced=\"challenge=complete\"; path="+ item +";\n");
|
||||
if (stringp(query["answer"]) &&
|
||||
regmatch(headers["cookie"], "challenge=given") &&
|
||||
regmatch(lower_case(query["answer"]), CHALLENGE_MATCH,
|
||||
RE_MATCH_SUBS)) {
|
||||
// lazy me could have used referer here ;)
|
||||
string nu = stringp(query["parameters"]) &&
|
||||
strlen(query["parameters"]) ?
|
||||
item +"?"+ query["parameters"] : item;
|
||||
htredirect(prot, nu, "Reload, please", 0, "Set-Cookie: psycplace=\"challenge=complete&answer=" CHALLENGE_MATCH "\"; path="+ item +";\n");
|
||||
return 1;
|
||||
}
|
||||
sTextPath(query["layout"], query["lang"], "html");
|
||||
// using a non-psyced cookie here so that you can't construct a
|
||||
// url that allows other people to bypass the challenge.
|
||||
// could add a timeout here...
|
||||
htok3(prot, 0, "Set-Cookie: psyced=\"challenge=given\"; path="+ item +";\n");
|
||||
htok3(prot, 0, "Set-Cookie: psycplace=\"challenge=given\"; path="+ item +";\n");
|
||||
w("_PAGES_group_challenge", 0,
|
||||
([ "_challenge" : htquote(CHALLENGE_QUESTION),
|
||||
// if the user failed the challenge,
|
||||
// we maintain the original qs for next attempt:
|
||||
"_parameters" : query["parameters"] || qs,
|
||||
"_nick_place" : MYNICK ]) );
|
||||
printf("%O (%O) in %O\n", query, qs, headers);
|
||||
return 1;
|
||||
|
|
Loading…
Reference in a new issue