fix difference in captcha hash calculation between js and py

1f3d263c · Romain Loth · c4c42a6c · 1f3d263c · 1f3d263c · 1f3d263c
Commit 1f3d263c authored Nov 17, 2016 by Romain Loth
4 changed files
--- a/base_form.html
+++ b/base_form.html
@@ -18,8 +18,14 @@
  <!--   libs   -->
  <script type="text/javascript" src="static/js/jquery-3.1.1.min.js"></script>
  <script type="text/javascript" src="static/js/jquery-ui-1.12.1/jquery-ui.min.js"></script>
+  <!-- possible to change it and send it each time with makeSalt-->
+  <script type="text/javascript">$.salt = 'verylonverylongverylonverylongverylonverylong'</script>
  <script type="text/javascript" src="static/js/realperson/jquery.plugin.min.js"></script>
-  <script type="text/javascript" src="static/js/realperson/jquery.realperson.min.js"></script>
+  <!-- for some reason jquery.realperson.min.js reacts differently to salt than jquery.realperson.js -->
+  <script type="text/javascript" src="static/js/realperson/jquery.realperson.js"></script>
  <!--  our js is at the end -->
  <!-- Piwik -->
@@ -69,8 +75,6 @@
        </div>
        <!-- ########################### ( debg ) ########################## -->
        <!-- test cgi user from submit point of view -->
        <!-- <form id="test_user_form" enctype="multipart/form-data"

--- a/cgi-bin/comex_merci_pour_les_infos.py.cgi
+++ b/cgi-bin/comex_merci_pour_les_infos.py.cgi
@@ -20,7 +20,7 @@ __status__    = "Test"
 from cgi         import FieldStorage
 from traceback   import format_exc, format_tb
-from ctypes      import c_int
+from ctypes      import c_int32
 from re          import sub
 from jinja2      import Template, Environment, FileSystemLoader
 from sys         import stdout   # for direct buffer write of utf-8 bytes
@@ -62,25 +62,34 @@ COLS = [ ("doors_uid",              True,        36),
 ########### SUBS ###########
-def re_hash(userinput, salt=""):
+def re_hash(userinput, salt="verylonverylongverylonverylongverylonverylong"):
    """
    Build the captcha's verification hash server side
    (my rewrite of keith-wood.name/realPerson.html python's version)
+    NB the number of iterations is prop to salt length
+    << 5 pads binary repr by 5 zeros on the right (including possible change of sign)
+    NB in all languages except python it truncates on the left
+        => here we need to emulate the same mechanism
+        => using c_int32() works well
    """
    hashk = 5381
    value = userinput.upper() + salt
-    for i, char in enumerate(value):
-        hashk = c_int( ((hashk << 5) + hashk + ord(char)) & 0xFFFFFFFF ).value
+    # debug
-        # bitwise masks 0xFFFFFFFF to go back to int32 each time
+    # print_to_buffer("<br/><br/><br/><br/><br/><br/>evaluated value:"+value)
-        # c_int( previous ).value to go from unsigned ints to c signed ints each time
+    for i, char in enumerate(value):
+        hashk = c_int32(hashk << 5).value + hashk + ord(char)
        # debug iterations
-        # print(i, hashk, '<br/>')
+        # print_to_buffer(str(i) + ": " + str(hashk) + '<br/>')
    return hashk
 def get_template(filename):
    """
    Retrieve a jinja2 template from ../templates
@@ -157,6 +166,10 @@ if __name__ == "__main__":
    if 'my-captcha' in incoming_data:
        captcha_userinput = incoming_data['my-captcha'].value
        captcha_verifhash = int(incoming_data['my-captchaHash'].value)
+        # dbg
+        # print_to_buffer(str(captcha_verifhash))
        captcha_userhash = re_hash(captcha_userinput)
        captcha_accepted = (captcha_userhash == captcha_verifhash)
    # ----------------------------------------------------------------------

--- a/static/js/comex_reg_form_controllers.js
+++ b/static/js/comex_reg_form_controllers.js
@@ -624,9 +624,7 @@ $(function() {
 // pseudo captcha
-$.salt = ''
 $('#my-captcha').realperson({length: realCaptchaLength});
 $('#my-captcha').val('')

--- a/static/js/realperson/jquery.realperson.js
+++ b/static/js/realperson/jquery.realperson.js
@@ -155,6 +155,7 @@
 		   @return {number} The hash value. */
 		getHash: function(elem) {
 			var inst = this._getInst(elem);
+            // console.log("inst", inst)
 			return inst ? inst.hash : 0;
 		},
@@ -202,15 +203,21 @@
 	   @param value {string} The text to hash.
 	   @return {number} The corresponding hash value. */
 	function hash(value) {
-    console.log("original value:", value)
+    // dbg
+    // console.log("original value:", value)
 		var hash = 5381;
 		for (var i = 0; i < value.length; i++) {
 			hash = ((hash << 5) + hash) + value.charCodeAt(i);
-      console.log(i, hash)
+      // dbg
+    //   console.log(i, hash)
 		}
-    console.log("hashed value:", hash)
+    // dbg
+    // console.log("hashed value:", hash)
 		return hash;
 	}
 })(jQuery);
+// console.log("loaded realperson")