Feedback on CaptchaPlugin

Any suggestions on where to store the hash db files?? Somehow, pub/visualconfirm/db is not such a good place, since private is not public

-- KoenMartens - 09 Oct 2005

To confirm the need for an answer to your question, just try your code against DakarRelease with AutomaticAttachments switched on! Same goes when it is turned off - see SecuringAttachments - you will note that just going to yourserver.com/twiki/pub/visualconfirm/db will likely show a listing.

Koen, does this produce a visual Capature confirmation code? That would be useful as a standard feature for Dakar.

I'd be concerned at needing the whole of the GD library though: is there a lighter weight one available?

-- MartinCleaver - 12 Oct 2005

About the dakar release problem, renaming db to _db should fix this, right? The db directory should be protected in the httpd configuration anyway to prevent direct access, unfortunatelly the standard setup of twiki (sept04 release) does not allow one to do this with .htaccess.. I'll have to try dakar release myself, didn't install that before.

About the question whether it produces Capature confirmation code, you'd have to provide me with some info/url about what Capature is first

Finally, I see there is a more light-weight alternative in cpan: Imager which only needs freetype2 and libpng to produce the same sort of graphics. I'll put that in.

-- KoenMartens - 12 Oct 2005

Thanks Koen for contributing this Plugin and sharing it with the TWikiCommunity

I made a small change to the SHORTDESCRIPTION.

How about measuring and documenting the PluginBenchmarks?

-- PeterThoeny - 02 Nov 2005

I'll measure this soon, when i've got some more time on it.. I'll have to look into how this works anyway. Been off this for a while now, busy busy busy.. I will get that light weight version done too, can someone please make the earth rotate just a slight bit slower so that there are more hours in a day! Thanks

-- KoenMartens - 03 Nov 2005

I tried to slow down the rotation, I need it myself. No luck.

It think the db file is reasonably safe if in the Plugin's attachment directory you prefix it with an underscore and if you protect the directory with an .htaccess file. See also TWikiPlugins

-- PeterThoeny - 03 Nov 2005

There is a problem when running Perl in Safe-Mode (-T). The parameter to unlink in line 126 of VisualConfirmPlugin.pm is considered unsafe. So unlink fails.

-- ChrisHuebsch - 07 Nov 2005

What version of perl is that? Seems to unlink fine here with tainted mode (-T) on, but just to be sure i'll untaint it.. While doing that, i noticed there is more wrong with that part of the code, which i'll be fixing now.. Finally found some time, so I guess Peter succeeded in slowing down that rotation afterall

-- KoenMartens - 02 Jan 2006

Oh, and i checked Imager as a light-weight alternative to GD, but is doesn't provide some of the functionality in the same easy way. Maybe i will add some of the wanted functionality to Imager, or remove some functionality from the plugin if Imager is used.

Still have to work on the data dir issue though.

-- KoenMartens - 03 Jan 2006

I did not really pay attention to what the Plugin does (there are so many Plugins ) This is a CAPTCHA for TWiki registration.

-- PeterThoeny - 03 Jan 2006

A couple of months ago I wrote a little plugin (VisualConfirmPlugin) that asks for visual confirmation when a user registers. It is a bit unpolished yet, and untested with DakarRelease (although that will soon come as i am in the process of upgrading all my twiki installations to DakarRelease).

-- KoenMartens - 09 Feb 2006

(I cross-posted Koen's comment above from WikiSpam.)

When you upgrade the Plugin, could you try to keep it compabile with Cairo and Dakar codebase? HandlingCairoDakarPluginDifferences has more.

-- PeterThoeny - 09 Feb 2006

Quite useful, would be killer with BlackListPlugin since it does registrations filtering too as well as the topic text filtering. Please update this ASAP .

-- EricCote - 27 Feb 2006

I've been a bit lazy at this one lately. Since Dakar had its email confirmation regime, i thought i was safe. But at least one spammer went to the trouble of setting up a throw-away email address to use for confirmation in the past month, so my interest in this plugin is renewed. Maybe I better check what state CAPTCHA is in first..

-- KoenMartens - 20 Jun 2006

FYI - I tried to install this plugin a while back but got hung-up somewhere in the process of finding & installing all of the necessary PNG libraries.

The first user to try and register since that time received an error message :

   Visual Confirmation failed
   Common.TWikiRegistration (oops)

The visual confirmation has expired.

Please go back in your browser and try again.

My first response to this was to add the VisualConfirmPlugin to the disabled plugins list in TWikiPreferences. However, this was not sufficient to disable the plugin.

The only way to get 'round the error was to back out the edits made to /bin/register

Guess the reason for this post is to share that perhaps this plugin does not check whether it has been disabled in TWikiPreferences ?

-- KeithHelfrich - 30 Jun 2006

Koen, if you re-work the Plugin for Dakar, how about renaming it CaptchaPlugin?

-- PeterThoeny - 03 Jul 2006

I think the rework for dakar will come very soon, and renaming it sounds like plan.

I will also see whether i can make the changes to register a bit more friendly in combination with the disabling of the plugin..

-- KoenMartens - 24 Jul 2006

Thanks Koen for releasing the new plugin, renaming ir from VisualConfirmPlugin to CaptchaPlugin.

-- PeterThoeny - 03 Aug 2006

Such an image-base CAPTCHA has well known accessibility issues. For further details, and possible solutions easily implementable in CaptchaPlugin, see my today's comment on WikiSpam.

-- BenVoui - 29 Sep 2006

http://sam.zoy.org/pwntcha/ give a good general overview of the common weaknesses of Captcha plugins, maybe we can work towards building something stronger? e.g. random fonts for each character? Doesn't sound easy, but it is something.

BenVoui's suggestion seems good too.

-- KwangErnLiew - 03 Nov 2006

After installing the latest CaptchaPlugin on TWiki-4.0.5, %CAPTCHAURL% and %CAPTCHAHASH% do not expand to anything. The plugin is enabled, Register.pm is patched, and I don't see any errors in the debug log.

Any suggestions or help would be greatly appreciated.

-- DevinBougie - 16 Jan 2007

Make sure you have the necessary perl module installed. GD if i'm not wrong.

-- KwangErnLiew - 02 Feb 2007

To the plugin maintainer: The plugin topic has been updated with additional installation steps.

-- PeterThoeny - 05 Feb 2007

Hi,

Do You have problem in your profil just after reigstration ? Because I have two line about CAPTCHA after form (UserForm)..

Thank YOu

-- YannickPavard - 27 Mar 2007

Just updated the plugin. Visible bugs are exterminated. Some awesome improvements.

-- KwangErnLiew - 06 Aug 2007

And yet another update, thanks to TWiki:Main.KwangErnLiew also. Found some minor bugs, and it can now be used on topic edits too.

I'm aware of the accesiblity issues, but haven't found the time to fix it. Right now my worries about spammers abusing my wikis are bigger than those of accesibility problems.

The simple solution was: put up a notice 'If you can not read the captcha image, contact %WEBMASTER%' or something. If you have time to add eg an audio captcha to the plugin, feel free. I for one don't have the time atm.

To Devin: check if the permissions are right on the directories under pub/TWiki/CaptchaPlugin. Should be readable/writable by the web server.

-- KoenMartens - 08 Aug 2007

I just installed the CAPTCHA plugin on TWiki 4.1.2. When I test it, it only displays a rectangle in a shade between grey and black. There is no visible character string in the rectangle. I would appreciate any help.

-- MartinMayer - 03 Sep 2007

I am looking for another way to use captcha. It is usability-proof and readable. See: http://www.monkeyfood.com/contact.php

Perhaps in a TextCaptchaPlugin.

-- ArthurClemens - 03 Sep 2007

Martin, ensure that you have installed all the necessary perl modules dependencies.

Not sure how readable the improvements are for what I've done, I would be glad to receive some comments on that. In terms of usability, such captcha is quite a known thing, so I wouldn't rate it low.

-- KwangErnLiew - 04 Sep 2007

Brilliant: Recaptcha. I want a ReCaptchaPlugin! (Perl lib here)

-- ArthurClemens - 10 Oct 2007

Latest build (28 Oct 2007 1.5-pre4) has a silly syntax error. file lib/TWiki/Plugins/CaptchaPlugin.pm line 149 shoud read like this TWiki::Func::writeDebug(" expiring") if $debug;

-- AndrewTutolmin - 08 Nov 2007

There is a bug in CaptchaPlugin.pm, here is the patch..

--- CaptchaPlugin.pm~   Fri Nov 23 12:42:10 2007
+++ CaptchaPlugin.pm    Fri Nov 23 12:41:52 2007
@@ -146,7 +146,7 @@
        my $value=$database{$key};
        my ($time,$txt)=split(",",$value);
        if( ($key eq $explicit) || ($now>=$time+$expiry) ) {
-         TWiki::Func::writeDebug(" expiring") if debug;
+         TWiki::Func::writeDebug(" expiring") if $debug;
          delete($database{$key});
          my $tainted="$imgdir/$key.png";
          $tainted=~/^(.*)$/;

-- KuoFengTseng - 23 Nov 2007

Don't know if it's the right forum for this. If so, please can someone direct me to the correct place? I cannot get Captcha to work. My log spews out:

(TWiki::Plugins::CommentPlugin) Can't locate object method "png" via package "GD::Image" at 
/usr/share/perl5/TWiki/Plugins/CaptchaPlugin.pm line 122.
 at /usr/share/perl5/TWiki/Plugins/CaptchaPlugin.pm line 122
 

-- ChrisCauser - 29 Nov 2007

Scrap my last comment. I've fixed all the problems, and it seems to work. However, can I please add a few things that might be of use to someone else who's having the same problems.

• The default settings that need to go into LocalSite.cfg really do need to go in there. I thought they were defaults copied from somewhere else. In fact, when my screen was grey, it was because the Captcha plugin had a list of 0 characters to choose from!
• My "by the book" install didn't give the right permissions. the img directory needs to be www-data so that images can be created within it.
• Some of the Plugin page is a little out of date (eg. db=>_db)

Other than that, it works great now! Thanks a lot for doing such a good plugin!

-- ChrisCauser - 30 Nov 2007

Also, Set Debug = 1 makes the Registration fail at the last hurdle (it works fine if you don't put in the wrong string, but if you put in the right string, it cannot write to the debug.txt for some reason.)

-- ChrisCauser - 30 Nov 2007

Is it possible to release an updated patch for NatSkin rel 3.00 (2007 11 13) ?

-- JoseREMY - 22 Jan 2008

The author stopped maintaining this plugin. Anyone interested in picking it up?

-- PeterThoeny - 16 Jul 2008

I'm not so interested in picking it up, but I would like to toss in a patch or two. TWiki really HAS to get out-of-the-box protection from registration spambots... right now this is the only defense I know of.

-- SeanNewton - 2011-08-29

Thanks you Sean for the offer to send patches. That is a good way to get started. Please create a bug topic or two in TWikibug:CaptchaPlugin and attach the patch(es) to the bug topic(s).

-- PeterThoeny - 2011-08-29

The bug topics have been in for a while. Is there any further action expected on my part at this point, or is it in for the next release...?

-- SeanNewton - 2011-11-29

Thanks Sean! Hopefully someone will pick this up soon.

-- PeterThoeny - 2011-11-30