Problem: CAPTCHA doesn't prevent guessing the login/password.

When I pressed Enter by mistake right after I typed my login, I was surprised to get both messages: "Captcha check failed" and "Invalid login/pass".
After providing the correct credentials I saw only "Captcha check failed".

I have:
1. Drupal 7.59
2. captcha module 7.x-1.5
3. recaptcha module 7.x-2.2

Files attached:
- wrong-password.png (27.15 KB, TheLion)
- correct-password.png (25.75 KB, TheLion)

Comments

#1 TheLion created the issue (see the summary above).

#2 elachlan

Version: 7.x-1.5 » 7.x-1.x-dev
#3 DrlF

This can be fixed by altering the CAPTCHA-enabled forms:

/**
 * Implements hook_form_alter().
 *
 * Appends a validator to every CAPTCHA-enabled form. Because it is added
 * last, it runs after the form's own validators (for user_login: the name,
 * authenticate and final validators), so by then every error is visible.
 */
function mymodule_form_alter(&$form, &$form_state, $form_id) {
  if (function_exists('captcha_get_form_id_setting') && captcha_get_form_id_setting($form_id)) {
    $form['#validate'][] = '_mymodule_hide_errors';
  }
}

/**
 * Form validation handler: if the CAPTCHA failed, keep only that error.
 *
 * The CAPTCHA element's #element_validate runs before the form-level
 * #validate handlers, so a wrong answer is already recorded under the
 * 'captcha_response' key when this handler runs.
 */
function _mymodule_hide_errors(&$form, &$form_state) {
  $errors = form_get_errors();

  if (!empty($errors['captcha_response'])) {
    // Original CAPTCHA error message.
    $captcha_error = $errors['captcha_response'];

    // Clear all form errors, including the credential-dependent ones.
    form_clear_error();

    // Also drop the messages that form_set_error() queued through
    // drupal_set_message(), so none of them is shown to the user.
    if (!empty($_SESSION['messages']['error'])) {
      foreach ($errors as $error_message) {
        if (($key = array_search($error_message, $_SESSION['messages']['error'])) !== FALSE) {
          unset($_SESSION['messages']['error'][$key]);
        }
      }
    }

    // Set the CAPTCHA error again so the form still fails validation.
    form_set_error('captcha_response', $captcha_error);
  }
}
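A variant of the same idea, added here as an example (it is not DrlF's code and not part of the captcha module), that stops the password from being checked at all when the CAPTCHA answer is wrong, rather than only hiding the resulting message afterwards. It targets the user_login form only and assumes, as #3 does, that the captcha module records a failed answer as a form error keyed 'captcha_response' during element validation, which Drupal 7's _form_validate() runs before the form-level #validate handlers. The module name "mymodule" and the validator names are placeholders.

```php
<?php
/**
 * Implements hook_form_FORM_ID_alter() for user_login.
 *
 * Added example with a placeholder module name; not code from the captcha
 * module. Installs one validator at the front of the queue and one at the
 * back. Assumption: the captcha module sets a form error under the key
 * 'captcha_response' while validating its element, i.e. before any of the
 * handlers in $form['#validate'] run.
 */
function mymodule_form_user_login_alter(&$form, &$form_state) {
  // Runs before user_login_authenticate_validate(): decides whether the
  // password may be checked at all.
  array_unshift($form['#validate'], '_mymodule_captcha_gate_validate');
  // Runs after user_login_final_validate(): reduces the error set to the
  // CAPTCHA error only, so nothing credential-dependent reaches the page.
  $form['#validate'][] = '_mymodule_captcha_only_error_validate';
}

/**
 * If the CAPTCHA already failed, blank the submitted password so that
 * user_login_authenticate_validate() skips user_authenticate() entirely.
 * Every failed-CAPTCHA submission then takes the same code path whether or
 * not the password was correct, so the response cannot act as an oracle.
 */
function _mymodule_captcha_gate_validate($form, &$form_state) {
  $errors = form_get_errors();
  if (!empty($errors['captcha_response'])) {
    $form_state['values']['pass'] = '';
    $form_state['mymodule_captcha_failed'] = TRUE;
  }
}

/**
 * Keep only the CAPTCHA error: clear the form error state and the queued
 * messages that belong to form errors, then set the CAPTCHA error again so
 * the form still fails validation.
 */
function _mymodule_captcha_only_error_validate($form, &$form_state) {
  if (empty($form_state['mymodule_captcha_failed'])) {
    return;
  }
  $errors = form_get_errors();
  $captcha_message = $errors['captcha_response'];
  form_clear_error();
  if (!empty($_SESSION['messages']['error'])) {
    // Remove only messages that correspond to form errors; messages set by
    // other code earlier in the request are left alone.
    $_SESSION['messages']['error'] = array_values(array_diff($_SESSION['messages']['error'], $errors));
  }
  form_set_error('captcha_response', $captcha_message);
}
```

With the password blanked, user_login_final_validate() still registers the IP-based failed-login flood event and sets its generic "unrecognized username or password" error, which the trailing validator then removes; the per-user flood counter and the password hash comparison are never touched. The login block form (form id user_login_block) is a separate form and would need the same alter hook. Like #3 this is a site-side workaround, not a fix in the captcha module itself.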
#4 Anybody

I guess this is the related issue for the Drupal 8 version: #3202776: [PP-1][2.x] Do not execute other form validations if CAPTCHA is wrong
It would still make sense to fix this, if anyone is interested in providing a fix. So CAPTCHA doesn't introduce a security risk here, I guess, but it doesn't require a valid response before checking whether the password is correct?

Still, #3 looks super dirty to me ;)