Tethik / flask-session-captcha

A captcha implementation for Flask
MIT License
24 stars 8 forks

Fix `validate()` returned value #27

Closed GuillaumeGomez closed 2 years ago

GuillaumeGomez commented 2 years ago

If value is None, it would return None and not False.

Tethik commented 2 years ago

Interesting. Did this cause a security issue upstream? I imagine if code exists like the following it could be bypassed.

```python
if captcha.validate() == False:
    ... # abort
else:
    ... # do stuff
```

GuillaumeGomez commented 2 years ago

It's exactly what happened to me. ^^'

Tethik commented 2 years ago

I see. I'll raise a security advisory in case other users are affected. Thanks for the patch!
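
The failure mode discussed in this thread, as an added example that is not part of the PR or the library's own code: `validate_before` and `validate_after` are hypothetical stand-ins for the pre-fix and post-fix return behaviour, and the expected answer and submitted values are constructed. It shows which caller patterns fail open when a check returns `None` instead of `False`.

```python
# Hypothetical stand-ins that mimic the behaviour described in the thread.
# They are NOT flask-session-captcha's real implementation.
EXPECTED = "1234"  # constructed captcha answer


def validate_before(value):
    """Pre-fix behaviour: a missing value yields None instead of False."""
    if value is None:
        return None  # falsy, but `None == False` evaluates to False
    return value == EXPECTED


def validate_after(value):
    """Post-fix behaviour: every failure path returns a real bool."""
    if value is None:
        return False
    return value == EXPECTED


def handler_eq_false(validate, value):
    """Caller pattern from the thread: aborts only when the result == False."""
    if validate(value) == False:  # noqa: E712 (deliberately the fragile form)
        return "abort"
    return "do stuff"


def handler_fail_closed(validate, value):
    """Robust caller: anything other than an explicit True is a failure."""
    if validate(value) is not True:
        return "abort"
    return "do stuff"


def outcome_matrix():
    """Run each caller against each validator with constructed inputs."""
    inputs = {"missing": None, "wrong": "0000", "correct": EXPECTED}
    rows = {}
    for h in (handler_eq_false, handler_fail_closed):
        for v in (validate_before, validate_after):
            for label, value in inputs.items():
                rows[(h.__name__, v.__name__, label)] = h(v, value)
    return rows


if __name__ == "__main__":
    for key, result in outcome_matrix().items():
        print(*key, "->", result)
```

Only the `handler_eq_false` / `validate_before` / `missing` row lets the request through without a correct answer; the fail-closed caller stays safe on either side of the fix.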