[moin-devel] TextCha not working because of wrong signature
Paul Boddie
paul at boddie.org.uk
Sat Aug 11 08:05:05 EDT 2018
On Monday 6. August 2018 21.29.02 Jasper Olbrich wrote:
>
> I configured TextCha some time ago because bots seem to have found my
> account creation page.
>
> Now I'm unable to create new users or edit pages, because the answer to
> the TextCha is always considered wrong. This is because the
> reconstruction of the question from the form data fails. It all seems to
> boil down to a wrong digest method:
[...]
> I couldn't find any information on this yet and I'm asking what the
> right fix to this would be?
>
> 1) Explicitly use hashlib.sha1?
> 2) Use a universal DIGEST_LEN=len(hmac.new("key", "").hexdigest())?
> 3) ???
>
> And of course I'm curious why this hasn't bitten anybody else so far.
There is a bug report about it on the Moin site:
https://moinmo.in/MoinMoinBugs/TextChaWrongHMAC
It looks like the SHA1 default for the hmac_new function in
python_compatibility was not made explicit when the hmac.new function from the
standard library was adopted. This caused the MD5 digest algorithm to be used
instead since it is the default for the hmac.new function.
Why it didn't get more widely noticed could be a number of things. TextCha
measures aren't really very effective by themselves any more, and people are
increasingly using manual approval processes for granting wiki editing rights.
I also wonder about version adoption. For ages I ran Moin 1.8 because it
worked well enough, used more familiar and comprehensible libraries in some
areas (the request handling), and it actually wasn't vulnerable to a few
things that were problems in 1.9, if I remember correctly.
Meanwhile, migrating to a newer Moin version recently involved a lot of work
for no real benefit. Also, operating system distributions might provide 1.9.8
or earlier, in some cases, avoiding this particular problem.
Paul
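The digest mismatch discussed in this thread, as an added example that is not MoinMoin's own code: the hidden form field is modelled here as `<hex HMAC><question text>`, the key is a constructed constant, and the way the bug is reproduced (HMAC computed with hmac.new's historical MD5 default while the split length still assumes a 40-character SHA-1 hex digest) is my modelling assumption about the failure, not a transcript of the actual `python_compatibility` code.

```python
import hashlib
import hmac

# Constructed example, not MoinMoin's code: the signed TextCha question is
# modelled as a hidden form field laid out as <hex HMAC><question text>.
# The verifier must know the HMAC's hex length (DIGEST_LEN) to split it.
KEY = b"constructed-secret-key"  # constructed; Moin reads its key from the wiki config


def digest_len(digestmod):
    """Hex-digest length of an HMAC built with `digestmod` (MD5 -> 32, SHA-1 -> 40).

    This is option 2 from the thread, but parameterised by the digest so the
    signing and verifying sides cannot silently disagree about the length.
    """
    return len(hmac.new(b"", b"", digestmod).hexdigest())


MD5_HEX_LEN = digest_len(hashlib.md5)    # 32
SHA1_HEX_LEN = digest_len(hashlib.sha1)  # 40


def sign_question(question, key=KEY, digestmod=hashlib.sha1):
    """Build the form field value: hex HMAC over the question, then the question."""
    mac = hmac.new(key, question.encode("utf-8"), digestmod).hexdigest()
    return mac + question


def verify_field(field, key=KEY, digestmod=hashlib.sha1, split_len=None):
    """Split the field at the assumed digest length and recompute the HMAC.

    Returns (ok, recovered_question). If the assumed length does not match the
    digest actually used, the split lands in the wrong place: the recovered
    question is truncated and the MAC never matches, the symptom in the thread.
    """
    n = digest_len(digestmod) if split_len is None else split_len
    mac, question = field[:n], field[n:]
    expected = hmac.new(key, question.encode("utf-8"), digestmod).hexdigest()
    # compare_digest returns False on unequal lengths and avoids timing leaks.
    return hmac.compare_digest(mac, expected), question


def demo(question="What is the name of this wiki?"):
    """Reproduce the bug and the fix; returns (bug_ok, bug_question, fix_ok, fix_question)."""
    # Bug as modelled here: the HMAC is computed with hmac.new's historical
    # default MD5 (Python 2; Python 3.8+ makes digestmod mandatory instead),
    # while the split length is still the 40-character SHA-1 hex length.
    field = sign_question(question, digestmod=hashlib.md5)
    bug_ok, bug_question = verify_field(field, digestmod=hashlib.md5,
                                        split_len=SHA1_HEX_LEN)
    # Fix (option 1 in the thread): pass hashlib.sha1 explicitly and derive
    # the split length from that same digest.
    field = sign_question(question, digestmod=hashlib.sha1)
    fix_ok, fix_question = verify_field(field, digestmod=hashlib.sha1)
    return bug_ok, bug_question, fix_ok, fix_question


if __name__ == "__main__":
    print(demo())
```

In the bug case the 32-character MD5 digest plus the first eight characters of the question are taken as the MAC, so the "question" the verifier recomputes over is the original with its first eight characters missing and the answer can never be accepted; naming the digest on both sides and deriving the length from it removes the mismatch regardless of which algorithm the standard library defaults to.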