From a1712a5ffba0d63886377103e2a98bd9b1ddb237 Mon Sep 17 00:00:00 2001
From: Adam Williamson
Date: Dec 16 2016 09:40:44 +0000
Subject: Finally get rid of the eval() in the captcha code

I've hated this forever, and I finally decided to get rid of it after writing some intemperate comments about how using eval() is awful and no-one should ever do it. This still doesn't actually *work* any more, but it fails to work just the same way as the old code, so it's no worse! I don't recall all the details of why it doesn't work, but it's something like like mediawiki doesn't recognize that we're the 'same' session that it sent the question to, so it doesn't care that we got the answer right, it just starts over with another question. I may dig into this a bit more with puiterwijk and fix it tomorrow, but we've been relying on just not hitting this code for months.
---
diff --git a/wikitcms/page.py b/wikitcms/page.py
index d500ad2..3bea9d7 100644
--- a/wikitcms/page.py
+++ b/wikitcms/page.py
@@ -136,11 +136,15 @@ class Page(mwp.Page):
             question = question.replace('\u2212', '-')
             captchaid = err.args[1]['captcha']['id']
             logger.debug("Got captcha! Q: %s ID: %s", question, captchaid)
-            # This 'eval' could be quite dangerous if EVIL PPL
-            # took over a wiki server. So let's try and make sure
-            # all we're going to do is solve a math question.
-            if re.match(r'\d\d?(\+|-)\d\d?', question):
-                answer = eval(question)
+            # look for the expected math question
+            qmatch = re.match(r'(\d+)([+-])(\d+)', question)
+            if qmatch:
+                answer = 0
+                # if we got one, solve it, without using eval
+                if qmatch.group(2) == '+':
+                    answer = int(qmatch.group(1)) + int(qmatch.group(3))
+                elif qmatch.group(2) == '-':
+                    answer = int(qmatch.group(1)) - int(qmatch.group(3))
             logger.debug(
                 "Answering captcha! Q: %s A: %s", question, answer)
             ret = super(Page, self).save(*args, captchaword=answer,
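Review bot: `answer` is still bound only inside `if qmatch:`, so when the question does not match the pattern the `logger.debug` and `super(Page, self).save(..., captchaword=answer, ...)` lines that follow raise UnboundLocalError, unless `answer` is initialised earlier in the method (the enclosing function starts and ends outside the hunk). The `answer = 0` inside the branch is dead, because a successful match always has `+` or `-` as group 2; moving it above the `if`, or handling the no-match case explicitly (for example logging and returning before the save), would give the fall-through path a defined value. `re.match` also anchors only at the start, so trailing text after the expression is silently accepted; anchoring the pattern, `qmatch = re.match(r'(\d+)([+-])(\d+)$', question)`, keeps the check as strict as the comment intends while still avoiding eval.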