If you have a multi-step form, and add a captcha in the second step or later, when you submit the step with the captcha displayed, you see the error message "CAPTCHA session reuse attack detected.".
Comment | File | Size | Author |
---|---|---|---|
#4 | multistep_captcha_session_resuse_attack-2453723-04.patch | 1002 bytes | nicrodgers |
#1 | multistep_captcha_session_resuse_attack-2453723-01.patch | 1.14 KB | nicrodgers |
Comments
Comment #1
nicrodgers
On debugging, it looks as if the check in _captcha_get_posted_captcha_info is setting $posted_captcha_token based on whether or not $form_state['input']['captcha_token'] is set.
The trouble is, the default value here is an empty string, so it takes that, and then fails the comparison if ($expected_captcha_token !== $posted_captcha_token) as it's effectively doing if ( NULL != '' ).
Changing isset() to empty() seems to fix the issue. Patch attached.
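
A minimal model of the comparison described in comment #1, added here as an illustration and not taken from the CAPTCHA module or the attached patches. The function names and sample tokens are hypothetical, and the stored token is assumed to be NULL in the multi-step case, as the comment describes.

```php
<?php
// Simplified model of the token check from comment #1.
// Function names and token values are hypothetical, constructed for this example.

// Original behaviour: isset() is TRUE for '', so a blank field is kept as ''.
function posted_token_isset(array $input) {
  return isset($input['captcha_token']) ? (string) $input['captcha_token'] : NULL;
}

// Patched behaviour: empty() treats '' like a missing field, so it becomes NULL.
function posted_token_empty(array $input) {
  return !empty($input['captcha_token']) ? (string) $input['captcha_token'] : NULL;
}

// Strict comparison quoted in the issue: any type or value difference is flagged.
function reuse_flagged($expected, $posted) {
  return $expected !== $posted;
}

// Each case: stored (expected) token, then the posted form input.
$cases = array(
  'blank field, no stored token' => array(NULL, array('captcha_token' => '')),
  'matching token'               => array('abc123', array('captcha_token' => 'abc123')),
  'blank field, stored token'    => array('abc123', array('captcha_token' => '')),
  'wrong token'                  => array('abc123', array('captcha_token' => 'zzz999')),
);

foreach ($cases as $label => $case) {
  list($expected, $input) = $case;
  printf(
    "%-30s isset(): %-8s empty(): %s\n",
    $label,
    reuse_flagged($expected, posted_token_isset($input)) ? 'flagged' : 'ok',
    reuse_flagged($expected, posted_token_empty($input)) ? 'flagged' : 'ok'
  );
}
```

When reviewing the change, the last two cases are the ones to confirm: a blank or wrong token must still be flagged whenever a token is stored for the session.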
Comment #2
nicrodgers
Comment #4
nicrodgers
Uploading a corrected patch.
Comment #5
nicrodgers
Comment #6
podarok