Clickqueros / recaptcha

Automatically exported from code.google.com/p/recaptcha
0 stars 0 forks source link

Mailhide verification fails when unpadded address is modulo 16 characters #131

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Open http://www.stmaustin.org/contacts.shtm
2. Scroll down to Pastoral Advisory Council
3. Click on chairperson's name, Catherine Harkness
4. Respond to reCaptcha challenge. Note that it always rechallenges.
5. Try other names. Most work.

What is the expected output? What do you see instead?
I expect the email address for Catherine to be revealed, but the mailhide 
window continues to challenge. Other instances using the same key and encoding 
program work fine. I tried re-encoding her email address and it produces the 
same encoding.

What version of the product are you using? On what operating system?
See the nospam.js script on that page for how mailhide is invoked. Website is 
hosted on Linux (CentOS I think) using Apache.

Please provide any additional information below.
I determined that all email addresses that are modulo 16 characters fail. I 
tried adding 16 padding characters to the address but that still fails.

My code that produces the encoding is:

use constant PRIVKEY  => [confidential];
sub encodemail {
    my $addr = shift;

    my $addrlen = length($addr);
    my $padlen  = int(($addrlen + 15) / 16) * 16;
    $addr .= chr(16 - $addrlen % 16) x ($padlen - $addrlen)
        if $addrlen < $padlen;

    my $crypt = Crypt::Rijndael->new(pack('H*', PRIVKEY),
                                     Crypt::Rijndael::MODE_CBC);
    $crypt->set_iv("\0" x 16);
    my $encoded = encode_base64($crypt->encrypt($addr), '');
    $encoded =~ tr{+/}{-_};
    return $encoded;
}

Original issue reported on code.google.com by webmas...@stmaustin.org on 11 Jan 2012 at 10:45