? captcha.module.login_.patch
Index: captcha.module
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/captcha/captcha.module,v
retrieving revision 1.42.2.27
diff -u -u -p -b -B -r1.42.2.27 captcha.module
--- captcha.module	5 Sep 2007 09:03:29 -0000	1.42.2.27
+++ captcha.module	6 Sep 2007 08:16:28 -0000
@@ -443,6 +443,14 @@ function captcha_validate($form_values) 
   }
   else {
     form_set_error('captcha_response', t('The answer you entered for the captcha challenge was not correct.'));
+    // If CAPTCHA was on a login form: stop validating, quit the current request
+    // and forward to the current page (like a reload) to prevent loging in.
+    // We do that because the log in procedure, which happens after
+    // captcha_validate(), does not check error conditions of extra form
+    // elements like the CAPTCHA.
+    if ($form_id == 'user_login' || $form_id == 'user_login_block') {
+      drupal_goto($_GET['q']);
+    }
   }
 
   // Unset the solution to prevent reuse of the same captcha solution