On AJAX calls the CAPTCHA token gets regenerated even if the CAPTCHA element is not updated in the form

On a node form with a plupload field, after you press UPLOAD the captcha token is regenerated during the AJAX request, but the CAPTCHA image/element is not updated afterwards. So even if the user fills in the correct captcha (the one he sees), he will get an error message.

Tried the following:

  • At first this was fixed with the image_captcha_refresh module and JavaScript. After the AJAX request the captcha was refreshed automatically. But this introduced a UX problem: if the captcha field was already filled in by the user, then the user has to fill it in again, and most of the time he will not notice that the image was refreshed.
  • jay.dansand's sandbox: CAPTCHA AJAX Fix. With this the AJAX request returned HTTP status 500 (probably some incompatibility with other modules or this version of captcha). It also looks a little bit hacky.

Proposed resolution

The patch attached to this ticket fixes that by checking $form_state['triggering_element']['#limit_validation_errors']. If the form is submitted and validation is limited to certain elements, then it checks whether the captcha is in that list. If the captcha shouldn't be validated, then the token is not regenerated.

To do

For the problem mentioned at the beginning this patch did the trick, but I'm not sure whether it will break other use cases or whether it breaks security. Any feedback would be much appreciated.


Comments

Luxian’s picture

Wrong variable used in foreach. New patch attached.

podarok’s picture

sic’s picture

thanks for the fix!

burnsjeremy’s picture

Hi,

Thanks for the fix! I have made a few notes on using this patch and the CAPTCHA module, just in case anyone else runs across this until it is fixed.

I came across this issue while trying to use CAPTCHA/reCAPTCHA along with a webform with an AJAX file upload.

I initially had the setting "Use AJAX API" turned on, and with that reCAPTCHA disappears when the file upload happens, even with the patch.
Turning off the "Use AJAX API" setting on reCAPTCHA and not using the patch still gives the "session reuse attack detected" message (it seems that the form is still submitted).
Applying the patch with "Use AJAX API" turned off, everything works correctly with the AJAX file upload and reCAPTCHA: no messages, no errors.

I will try to update this with more detail later and a possible root cause but with this info hopefully other users can navigate around them until they are completely fixed.

Thanks again for the patch.

Jeremy

Luxian’s picture

crutch’s picture


encountered with captcha & draggable captcha

Error message just after upload, and the captcha solution doesn't pass; have to manually refresh. Would this patch also fix this?

error message also seems out of place

Luxian’s picture

@burnsjeremy seems more like a webform integration issue.

@crutch: the error message usually appears after the first element rendered by AJAX, which means the file upload triggered the issue, but I can't see any draggable element in your print screen.

divined’s picture

#6 the same.

Patch does not work. I see the message after uploading an image.

divined’s picture

And captcha can't be validated after an image is uploaded.

crutch’s picture

@Luxian - the draggable items are the geometric shapes in the print screen to solve the riddle. The riddle can't be solved because the error is given directly after the upload of the file.

using the https://www.drupal.org/project/draggable_captcha add-on module

Luxian’s picture

@crutch: Aha! Yes, this patch should fix this. Only the file element is refreshed during AJAX, and that's why the message appears.

wundo’s picture

Status: Needs review » Needs work

@Luxian, which patch are you talking about?
I think you forgot to attach something.

divined’s picture

We are using it:
https://www.drupal.org/project/draggable_captcha add-on module

Apply patch #1

And get this error.

Luxian’s picture

@wundo I'm talking about the #1 patch.

@divined Unfortunately I have no time to check this at the moment. I suggest looking at the module that implements that file field. I think your file upload doesn't set #limit_validation_errors, and after the file is uploaded the whole form is validated (including captcha). In that case the fix should be applied on the file field.

Is that the default file upload field?
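Worked example of the check described in the issue summary (Proposed resolution) and of the field-side variant Luxian suggests in the comment above. This is an added illustration, not the captcha module's code and not the attached patch; the function names, the `captcha` and `field_image` element paths, and the sample form states are assumptions constructed for the example. It follows Drupal 7 Form API conventions: a button may carry `#limit_validation_errors`, an array of "parents" paths (sections) that are still validated when that button triggers the submission, and an empty array means nothing is validated.

```php
<?php
/**
 * Added example, not the captcha module's own code or the patch from this issue.
 * Assumes Drupal 7 Form API semantics for '#limit_validation_errors'. All
 * names below (example_* functions, 'captcha', 'field_image') are invented.
 */

/**
 * Returns TRUE when the CAPTCHA element will be validated for the submission
 * described by $form_state, i.e. when a fresh token must be issued. Uses the
 * same prefix test that Drupal 7's form_set_error() applies to sections.
 */
function example_captcha_needs_validation(array $form_state, array $captcha_parents) {
  $trigger = isset($form_state['triggering_element']) ? $form_state['triggering_element'] : array();
  if (!isset($trigger['#limit_validation_errors'])) {
    // No restriction on the triggering element: the whole form, captcha
    // included, is validated, so the token has to be regenerated.
    return TRUE;
  }
  foreach ($trigger['#limit_validation_errors'] as $section) {
    // A section covers the captcha when it is a prefix of the captcha's parents.
    // (An empty section would match everything, as in Drupal itself.)
    if (array_slice($captcha_parents, 0, count($section)) === array_values($section)) {
      return TRUE;
    }
  }
  // Validation is limited to elements that do not include the captcha: keep
  // the token the user is already looking at, so the visible image stays valid.
  return FALSE;
}

/**
 * Field-side half of the fix: an AJAX upload button that restricts validation
 * to its own file element, so the upload round trip neither validates the
 * captcha nor consumes its token. Callback names are placeholders.
 */
function example_upload_button(array $file_parents) {
  return array(
    '#type' => 'submit',
    '#value' => 'Upload',
    '#limit_validation_errors' => array($file_parents),
    '#submit' => array('example_file_upload_submit'),
    '#ajax' => array('callback' => 'example_file_upload_ajax'),
  );
}

// Constructed form states for a form whose captcha element sits at
// $form['captcha'] and whose file field is field_image (assumed paths).
$captcha_parents = array('captcha');
$file_parents = array('field_image', 'und', 0);

$cases = array(
  'Save button, no limit' => array(
    'triggering_element' => array('#value' => 'Save'),
  ),
  'Upload button limited to the file element' => array(
    'triggering_element' => example_upload_button($file_parents),
  ),
  'Upload button with no limit set' => array(
    'triggering_element' => array('#value' => 'Upload'),
  ),
  'Button limited to the captcha section' => array(
    'triggering_element' => array(
      '#value' => 'Check',
      '#limit_validation_errors' => array(array('captcha')),
    ),
  ),
);

foreach ($cases as $label => $form_state) {
  $verdict = example_captcha_needs_validation($form_state, $captcha_parents)
    ? 'validate captcha, regenerate token'
    : 'skip captcha, keep current token';
  printf("%-45s => %s\n", $label, $verdict);
}
```

The third case is the situation divined describes: an upload button that sets no `#limit_validation_errors` still triggers full validation, so the captcha-side check alone cannot help and the restriction has to be added on the file field's button, as in `example_upload_button()`.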

divined’s picture

Yes it's default.

koppie’s picture

Status: Needs work » Fixed

I can confirm that upgrading to the latest dev version solves the problem.

We haven't had a stable release of this module since 2015, so hopefully we'll get one soon. In the mean time, I'm marking this issue as fixed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.