Form attempts to validate before it submits

I see the same thing. info on if this is the best approach would be appreciated as well.

Thanks

This same problem has been observed with 5.x-1.1 running on Drupal 5.1. I've observed this issue mainly when comments are allowed by anonymous user and the user is anonymous. Did not see the issue with as an authenticated user.

  if (trim($captcha_response) == '') return FALSE;

This is directly responsible for the "or by providing certain (incorrect) responses." part of the advisory.

I'd advise a rewrite and proper FAPIfication of the module (was out of scope for the advisory, now is a good time).

The attached patch works for me.

I see the advertise: "Duplicate of http://drupal.org/node/114387 "

I applicate the proposed patch (for 4.7) and the first part of the problem seems solved.
But the second part of my problem still remains! Until I try to login (with a valid username) the captcha image isn't visible (instead I see an image with "Captcha image: you will need to recognize the text in it.").
After I submit (with a valid username) the login failed but I finally can see the right captcha image (and so I can successfully login).
Is this kind of problem known or is a site misconfiguration?
Thanks in advance

Problem solved...
I don't know the exact cause, but the problem is disappeared when I pubblicated the site (before it was offline).
Now the site is online and the captcha picture appears always correct!
Thanks

I can confirm the patch in post #4 appears to work... Thanks!

Unfortunately, the patch in post #4 did not work for me.

I even off-lined the site and tried again but the problem still persists.

have you tried emptying the cache?

I'm having the same problem as the original poster with 5.x-1.1. Haven't tried patch yet. This on the drupal.org/user/ page of my site, i.e. trying to register a new user.

nicholasThompson: yes, I deleted the cache but the problem persists.

same problem here,
using drupal 5.1 and the patch is named captcha.4.7..patch so i don't know if it's the right one.

I had this problem. When I applied the patch it went away. Running with no cache.

Solved it for me on v5, thanks.

FYI... I am running 4.7.x and no patch here worked for me. I use cache and deleted all the cache but problem persists.

+1

Remember to clear your cache to have the patch take effect.

I download the 4.7-1.2 captcha module and had the pre validation issue, the 4.7 patch listed above contains lines that no longer exist in that revision so the patch doesn't apply. The 5.1 patch appears to have solved it for me with 4.7 module. No cache clearing necessary.

How does one apply a patch?

#19: http://drupal.org/node/60108 explains how to apply patches

Please port this to 4.7.x and 5.x stable release. Lots of troubles here.

Sorry folks,
but these patches don't work, cause they allow an easy by pass to the captcha.

With some debugging, I can see that the problem lies in the fact that the module tries to validate the captcha challenge during form_alter and not after form_submit.

So, whenever the form is loaded and shown on the page, the captcha challenge fails because it wasn't used in the first place.

Can anybody fix this?

This fix prevents the error message (incorrect captcha response) from showing up on pages when they are initially loaded.

Obviously, the core issue remains unresolved (that of form validation before submission), but at least users won't see the error message when they try to register, etc., which, IMHO, is an improvement over the current situation. The above patches just don't work, because they allow users to bypass captcha...

My patch software is messed up, but this is what I did:

In captcha.module, line 215 in function captcha_captchavalidate, replace:

form_set_error('captcha_response', t('The answer you entered to the math problem is incorrect.'));

with:

if(isset($_SESSION['captcha'])) {
form_set_error('captcha_response', t('The answer you entered to the math problem is incorrect.'));
}

And, for textimage.module, in captcha.inc, line 186 in function textimage_captchavalidate, replace:

form_set_error('captcha_response', t('The image verification code you entered is incorrect.'));

with:

if(isset($_SESSION['captcha'])) {
form_set_error('captcha_response', t('The image verification code you entered is incorrect.'));
}

Any input?

The patch at the top of this thread works beautifully. The fix directly above does not, at least for 4.7.x versions.

Unfortunately, the patches above provide an easy bypass to captcha.

My fix works for Drupal 5.x, not with 4.7...

I'm running Drupal 5.1. What do I need to do to edit the captcha.module to prevent the warning message appear when the comment form first appears. I tried #24, found that the line to be edited is on 216 not 215, replaced that with the suggested code fragment, leaving line 215 intact ($correct=false). On initially checking it appeared to work, that is, the warning message was not appearing. Checking again (not changing anything) the errant warning message re-appeared for first time opening of a comment form.

I'm not yet PHP savvie but isn't there a variable that indicates a page is opened for the first time or is it a little more complex than that.

Restoring the title.

Please be aware that this is not a support issue and me tooing doesn't help much.

I'll write once again:

I'd advise a rewrite and proper FAPIfication of the module.

in response aw05 - #24 (& #26)

I appreciate what you're attempting to do... and the approach seems more sound than bypassing... however the patch did not work for me on Drupal 5.1
(including with cache empty, and/or disabled). I am using textimage

/me returns HTML 101 diploma.

I am using only the math question part of captcha, but this fix should work just as well for the textimage version as well. I am also on Drupal 5.1.

I replaced my 'captcha_captcha_validate' method (last method in the file) with the following. Only replace the code inside the curly braces.

function captcha_captchavalidate(&$captcha_word, &$correct) {
  $captcha_word = drupal_strtolower($captcha_word);

  // Check if form has been submitted, if not, do not validate the captcha
  if(sizeof($_POST) == 0) {
      return;
  }

  if (($_SESSION['captcha'] != '') && ($captcha_word == $_SESSION['captcha'])) {
    $correct = TRUE;
  }
  else {
    $correct = FALSE;
    form_set_error('captcha_response', t('The answer you entered to the math problem is incorrect.'));
  }
}

Note that this fix does not suffer from the "No data entered, mark as correct" problem that all of the above fixes suffered from.

Setting to critical as captcha is effectively unusable right now...

Attached patch is a FAPIfication of the 5.x version of the module. I think I have it working, but there are rough edges. Specifically, the captcha form doesn't disappear after you've validated, but does on the next submission of the form if it still doesn't validate for other reasons. That's because using a proper build/validate/submit model, we end up buliding the captcha portion of the form before the captcha is validated, so we don't know to hide it. Otherwise it appears to be functional.

Please review.

The only solution that worked with me is the #31, congratulation!!

This is such a critical part in building Drupal websites. I even wonder why Drupal 5 did not include Captchas in its core. I hope these issues get resolved VERY soon. At my end, the absence (or lack thereof) of a reliably working Captcha implementation hurts Drupal promotion in my sphere of influence. Kindly post a stable release asap for the good of the general public. Thanks.

Initial patch works for Captcha 4.7.x-1.2 + Drupal 4.7.6.

Sin, can you please clarify? Are you referring to the "captcha.module_1.patch (396 bytes)" at the top of the page?

I'm needing a working captcha system to stop the bots flooding my site, and this is getting rather complicated to follow...

I would also add that I completely agree with #34 submitted by loloyd, that the maintaining of a working captcha system is absolutely vital to the continued usefulness of Drupal.

This will only continue to be more evident as more and more of the spmmers redirect their bot armies towards this latest exploitable media, social web2.0 sites.

Every single day now the number of bots hitting my Drupal sites is increasing.

I agree that working spam prevention is important. There are several ways to go about it, of course, and captchas aren't the only but they are useful. So can someone review and possibly suggest a final fix for the FAPI-ification patch in #32? :-)

I don't see a way to use full FAPI and still make this thing work. As described in 32 there are issues with building the form before the previous answer is validated.

As an alternative see my patch here:

http://drupal.org/node/114835

Hello,

I just upgraded from 4.7.5 to 5.1 and installed captcha. I noticed the same problems as reported by previous users.
However I didn't see that anyone else has reported that it is possible to log in with empty or incorrect captcha value!!!! Problem exists both with IE7 and Mozilla 1.5.
Just enter valid uid and pwd and leave captcha field empty. You get bounch back but when you refresh you are suddenly in!
I haven't looked into details yet but probably #32 is in same territory.

First patch (captcha.module_1.patch (396 bytes)) doesn't work for me on 4.7.6 / captcha-4.7.x-1.2. It appears to, but after one successful captcha (math) submission, it then disapears on subsequent comment forms.

Phillip.

There is a version in CVS that doesn't seem to have this problem, please try it out.
Note that the CVS version is incompatible with actual Textimage module.

Sorry, wundo. I tried the version in CVS, and had the following problems:

- Was able to submit contact form with wrong math answer.
- If the math answer is correct but the rest of the form is not, the question is still shown and with a new math question (but my old answer pre-filled).
- Captchas on the node-create form do not appear even when they should. (I suspect this is due to the way node forms are named now. There's another issue on file for that already.)

I just installed the latest CVS. Here is my review:

- Was NOT abe to submit Contact From with wrong answer
- If the math answer is correct but the rest of the form is not, the question is still shown and with a new math question (but my old answer pre-filled).

I am looking for help with this issue here http://drupal.org/project/issues/8404 From the captcha configuration page I get this white screen with errors. It is the same as before this lastest version of CVS

2 mediafrenzy,
yes, captcha.module_1.patch (396 bytes) works on my Linux blog comment form.
I use Drupal 4.7.6 and without this patch I see red error about wrong math problem solution even if I do not submit a comment form.

One month ago I had such problem, today I installed the latest release, still same problem.

In comment #42 (Feb. 28) this problem was already corrected, but why the formal release @ Feb. 30 (V5.x-1.1) still have this problem? I know this problem has occurred for a while and lots of users has this problem. So, it's better the author keep this as highest priority and prevent it in any later release. I am not criticizing the author, since no one has such right to do this (everyone needs to appreciate him very much). Just hope this problem can be completely solved asap.

Another problem in my usage. If I use textimage for captcha, the first try never pass the validation, only the 2nd or 3rd can pass it.

Using the new HEAD version (1.34) of the module I get a fatal PHP error:
Fatal error: Cannot use string offset as an array in captcha.module on line 124

Line 123-125:

$seed = $form['form_token']['#default_value'];
  if($_SESSION['captcha'][$seed]['success'] === TRUE)
    return;

the $seed variable seems to be null. I'm running PHP 5.1.6.

@wedge, would you please add print_r($form) before line 123, and then put the output as a new bug report?
thanks

If you choose to implement the patch as discussed in #31, and if you are using TextImage method, make sure you make the same change to the function textimage_captchavalidate that is included in the "\textimage\captcha.inc" file.

Subscribing...

the problem with the solution provided on #31 is that, when you try to login on a page with captcha, it will also return an capcha validation failed error.

here is my solution, instead of

  if(sizeof($_POST) == 0) {
      return;
  }

use

  if(!isset($_POST[captcha_response])) {
    return;
  }

instead. which pretty much solved the problem, without any side effects. though I do wish to see a patch that can fix the problem at its core.

sorry, I missed the quotes, it should be

  if(!isset($_POST['captcha_response'])) {
    return;
  }

#24 suggested the only workable quickfix, which does not introduce additional problems.
This is the solution that all of you should be implementing until this module is properly rewritten.

This part of the code is the same between all three available versions of capture currently available for download and it covers up the problem in all three versions equally well. This suggestion also works to fix textimage module for version 4.7. textimage has been rewritten for 5.0 and I have not looked to see what needs to be done there.

If you think that this solution doesn not work, most likely you are using a faulty test methodology.

P.S. We are using Drupal 4.7.6 to modernize the site of Odesskiy Listok newspaper, http://www.OdessaPage.com

@baraban

I would have to disagree.

keep in mind that $_SESSION['captcha'] is altered at call_user_func_array($captcha_type .'_captchachallenge', array(&$form, &$_SESSION['captcha'])) in function captcha_alter_form. which means, the fix in #24 would work only on the FIRST time a user visits a captcha protected page, if he simply refreshes the page, he would be given the validation failed error.

tried another fix, this should be better than patching textimage and captcha individually.

patch attached.

I Think.. it is so difficult for me..

I didn't install on my localhost.. but directly at my web host. And I use Drupal 4.7.6
May anyone can explain me step by step to fix this problem without patch?

Thanks.. before

Ahmad Daniyal

http://ahmad.indieoffset.com

luperry, your post #54 is exactly correct, but I would contend that this behaviour is expected, when someone refereshes without entering a value. It is not the cleanest way to deal with the problem, but it is a good way to cover up the problem and doesn't require a rewrite of the entire thing! I have not looked at your new patch, perhaps it solves the problem at its root!

lupery, my friend! Your #55 is certainly a more elegant way of implementing your previous suggestion (#51). I bet it will have the exact same problem, as well - once the challenge is correctly answered, it will never be check again! And that’s a much bigger no-no than the rest.

a user sure wouldn't want to see a validation error when he didn't try to validate anything.

the major problem with the patch in #24 is that, it works on the FIRST time, and ONLY the first time. so if you go to another page that's captcha protected, after visiting a captcha protected page previously, you would also be prompted the validation error, which certainly doesn't do a good job on covering up the problem.

after careful inspection, it would seem that the problem is quite simple. hook_form_alter is called every time the page loads, and the statement if (!_captcha_validate($_POST['captcha_response'])) would try to validate captcha regardless whether $_POST['captcha_response'] is there or not. my original fix was to simply change this line to if (!$_POST['captcha_response']) || !_captcha_validate($_POST['captcha_response'])), which is the most obvious fix. but then, the if statement would seem somewhat meaningless, and a problem arises when you try to post two messages consecutively. which leads to the patch I provided earlier.

re 58

nope, that won't occur.

I would suggest you to test it out first before looking for its problems. I did, even though I was pretty confident in my judgment at the beginning.

Thanks to escape164 for #31 and luperry for #51 and #52. I 'd fixed my problem.

http://ahmad.indieoffset.com

luperry, you were absolutely right!

It did get quite frustrating looking at that message after I changed captcha points to appear more often, so that solution that I was advocating is really not good enough. Which lead me back to looking at the various other ways of combating the problem. I tested a solution suggested by your #55 and you are quite right - it doesn't appear to create the problem I was talking about. (I didn't bother trying to figure out why - hey, I am not a programmer!) Your patch file, however, appears to be for a modified captcha.module. The fix for version 4.7.x-1.2 would simply be to replace:

    if (!_captcha_validate($_POST['edit']['captcha_response'])) {
      //use call_func because module_invoke does not allow call by reference.
      if (module_hook($captcha_type, 'captchachallenge')) {
        call_user_func_array($captcha_type.'_captchachallenge', array(&$form, &$_SESSION['captcha']));   
      }
    } 

with:

    if (isset($_POST['captcha_response'])) {
      _captcha_validate($_POST['captcha_response']);
    }
    if (module_hook($captcha_type, 'captchachallenge')) {
      call_user_func_array($captcha_type .'_captchachallenge', array(&$form, &$_SESSION['captcha']));
    }

in function captcha_form_alter($formid, &$form). Very simple and should work for both getimage and math problem captcha. The maintaner of this critical module should get this fixed already...

the patch I attached is for the 5.x-1.1 version of captcha.module.

Barbaran, you're solution in 62 didn't for my version of captcha, 4.7.x-1.2. I use the default captcha behavior, the math equation

I didn't see the error message when I first tried to post a comment (which was an improvement!), but then every answer I entered to the math equation brought the error, and my comments wouldn't submit. (I swear I wasn't doing the math wrong!) That actually made it worse for me. I'm not a coder, so I don't know what's going on, but I thought I'd post to say that it seems the 4.7.x solution still needs some work.

Sorry, baraban -- I spelled your name wrong. Oops.

Tested the #55, it works for me

Patch in #55 works for me. Drupal 5.1. Testing methodology: Apply patch. Go to create new account (no error). Navigate away. Go to new account (no error). Refresh page (no error). Fill out form with correct captcha validation (no error). Go back to create new account (no error). Fill out captcha validation with incorrect info (ERROR). Passes tests for initial visit, revisit, correct info, and incorrect info.

5.x-1.x-dev fixes the validation before submit problem for me but then creates a new problem as detailed at:
http://drupal.org/node/127572#comment-221879

it's not an issue with the patch I provided.

guess I won't be updating this module for a while.

luperry's patch , http://drupal.org/node/114387#comment-211356, works for me of d5.1

Thanks!!!

Changed title back.

oops! Sorry, didnt mean to hijack the thread!

If the bug was solved, could you submit a new official version? Or isn't the correction 100% sure?

Code on #62 works well for me using 4.7.5 with security patches. Thanks baraban.

Phil

Hi all,

As a non programmer, it's not clear to me how to apply the patch provided by Luperry (#55 ).
I understand that I have to copy and paste it into the captcha.module file, but how exactly?
I've tried to paste it inside the captcha_form_alter function,
- then removing all the "-" and "+" signs at the beginning of the lines => error message
- then removing all the lines beginning with "-", keeping the other lines but removing the "+" signs => error message

My question must look naive (stupid?) to all you guys, but how do you correctly apply that patch?
Thanks for your help on it.

luperry's patch , http://drupal.org/node/114387#comment-211356, works for me too

BobLouis: Have a look at http://drupal.org/patch/apply.

Thank you Colan, I know how to apply a patch now, and the one provided by Luperry works for me too :)

Out of interest, is there a problem with the patch in #55 that is preventing it being committed, or has the module maintainer just not got around to looking at it yet?

Although several people have said applying this patch works, I'm a bit hesitant to apply something thats been needing review for nearly 2 months without any progress! This gives me the impression that there may be something wrong with it...

Captcha 5.x.2 solve that issue.

I've installed the 5.x.2 version and the first time I answer correctly the math question in the sitewide contact form, I get an error saying:

"The answer you entered to the captcha challenge is incorrect"

I try for a second time and it works. It happens in IE7 and FF. Always works on the second time.

How can I fix this?

I've noticed that this only happens with authenticated users. With anonymous users works fine.

The "patch" in #62 works for me when applied to 4.7.x-1.x-dev, but not with 4.7.x-1.2 (always says my code/math response is wrong), though only with textimage and not math. I agree with Banaba that this module should have a working version as the current one, and I don't think the issue is closed - well maybe for 5.1, but not for 4.7.x.

I can confirm that the code in #62 worked OK for me on 4.7.x-1.x-dev. Thanks a lot, baraban! I don't know if it exposes some security issues. Could someone elaborate on this? Thanks again.

Does #80 imply that the latest version for 5.1 solves this problem?

I have 5.x-2.1 and I'm getting this problem with authenticated users. I assume that apply the patch from #55 fails because this has been integrated? I'm lost on what to do next; at this point I have to disable Captcha for comments, which is setting me up for trouble.

A lot of people myself included are having serious problems getting 5.x.2 to work properly with textimage and are being forced to use 5.x-1.1 instead. This patch works fine for me, but if it were to be committed then it would have saved me an hour of my life trying to fix the problem in the first place.

I use Drupal 4.7.7 and want to apply patch #62.
Captcha was never validate, so I simply replace $_POST['captcha_response'] by $_POST['edit']['captach_reponse']
and it seems to work fine.

Just hit this problem again after upgrading my 4.7.x site to 4.7.11 (oh the joy).

As a final summary for those wondering the status, it seems that captcha.4.7..patch [sic] applied to 4.7.x-1.x-dev solves the issue. The captcha appears to work, and there is not error on loading a page with a captcha.

Phillip.