There was a change on 23 May, #2474959: CAPTCHA session reuse attack detected.
It changed code in _captcha_get_posted_captcha_info to "Invalidate CAPTCHA token to avoid reuse", adding execute to the database update call. This has caused the testPersistenceAlways test in CaptchaPersistenceTestCase to fail.
```php
// Invalidate CAPTCHA token to avoid reuse.
\Drupal::database()->update('captcha_sessions')
  ->fields(['token' => NULL])
  ->condition('csid', $posted_captcha_sid)
  ->execute();
```
Comment | File | Size | Author |
---|---|---|---|
#12 | 2992697-12.patch | 1.57 KB | elachlan |
#10 | 2992697-9.patch | 1.2 KB | elachlan |
#8 | 2992697-7.patch | 1.2 KB | elachlan |
#5 | 2992697-5.patch | 685 bytes | elachlan |
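
An added example (not part of the issue or the CAPTCHA module's code) of what invalidating the token on use achieves: the first post carrying a token is accepted and any replay of it is rejected. It goes beyond the snippet above by folding the check and the invalidation into one conditional UPDATE; the in-memory SQLite table and the helper names `issue_token` and `consume_token` are assumptions made for illustration.

```php
<?php
// Constructed schema, loosely modelled on the captcha_sessions table named in
// the issue (csid, token). Assumption: not the module's real schema or code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE captcha_sessions (csid INTEGER PRIMARY KEY, token TEXT)');

/** Issue a fresh one-time token for a CAPTCHA session (hypothetical helper). */
function issue_token(PDO $db, int $csid): string {
  $token = bin2hex(random_bytes(16));
  $stmt = $db->prepare(
    'INSERT OR REPLACE INTO captcha_sessions (csid, token) VALUES (?, ?)'
  );
  $stmt->execute([$csid, $token]);
  return $token;
}

/**
 * Accept a posted token at most once (hypothetical helper).
 *
 * The comparison and the invalidation happen in a single conditional UPDATE,
 * so a replayed or concurrent post finds the token already NULL and the
 * statement matches zero rows.
 */
function consume_token(PDO $db, int $csid, string $posted): bool {
  $stmt = $db->prepare(
    'UPDATE captcha_sessions SET token = NULL WHERE csid = ? AND token = ?'
  );
  $stmt->execute([$csid, $posted]);
  return $stmt->rowCount() === 1;
}

$token = issue_token($db, 1);
var_dump(consume_token($db, 1, $token));   // first submission with the token
var_dump(consume_token($db, 1, $token));   // replay of the same token
var_dump(consume_token($db, 1, 'guess'));  // value that was never issued
```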
Comments
Comment #2
elachlan commented: Set to critical because HEAD is failing.
Comment #3
elachlan commented
Comment #5
elachlan commented
Comment #8
elachlan commented: I found mention of the #executes_submit_callback in the other issue.
Comment #10
elachlan commented
Comment #12
elachlan commented: I think that the code to invalidate the token is not needed if the session is invalidated.
Previously some code related to the token was commented out, which is related to this. That was done in #810534: Fix CAPTCHA session reuse.
Comment #14
elachlan commented