getgrav / grav-plugin-form

Grav Form Plugin
http://getgrav.org
MIT License
53 stars, 79 forks

Empty basic-captcha field allows bypassing the captcha #580

Open vedranmiletic opened 1 year ago

vedranmiletic commented 1 year ago

I copied everything from the Basic Captcha documentation, so I'm using defaults. When I enter the wrong text into the basic captcha field, form processing behaves as expected and the error message is shown. When I enter nothing (the field stays empty), the form is submitted successfully.

vedranmiletic commented 1 year ago

For some reason the $this->setSession() call in the getCaptchaCode() function seems to have no effect, i.e. the session data for the captcha is not there when the page loads.

rhukster commented 1 year ago

Do you have sessions disabled in Grav?

rhukster commented 1 year ago

It uses Grav's built-in session logic:

    // Constructor: pulls the session service out of the Grav container.
    public function __construct()
    {
        $this->session = Grav::instance()['session'];
    }
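The two behaviours discussed in this thread, an empty submission slipping past the check and the session code not being present when the form is validated, are easiest to see side by side. The following is an added illustration, not the Grav Form plugin's own code: `FakeSession`, the `basic_captcha_code` key and both `validateCaptcha*` functions are assumptions standing in for the real session service and validator. It shows a check that fails open (an empty answer or a missing session value short-circuits to "valid") next to a fail-closed version that rejects both cases and consumes the code so it cannot be reused.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. FakeSession is a minimal stand-in
// (assumption) for the Grav session object obtained via Grav::instance()['session'].
final class FakeSession
{
    /** @var array<string, mixed> */
    private array $data = [];

    public function set(string $key, $value): void
    {
        $this->data[$key] = $value;
    }

    public function get(string $key)
    {
        return $this->data[$key] ?? null;
    }

    public function remove(string $key): void
    {
        unset($this->data[$key]);
    }
}

/**
 * Fails open: the guard meant to skip "nothing to compare" also skips the
 * comparison when the user simply leaves the field blank, or when the code
 * was never written to the session. Both situations end up accepted.
 */
function validateCaptchaFailOpen(FakeSession $session, ?string $answer): bool
{
    $expected = $session->get('basic_captcha_code');
    if (empty($answer) || $expected === null) {
        return true; // treated as "no captcha to check"
    }
    return hash_equals((string) $expected, $answer);
}

/**
 * Fails closed: a blank answer or a missing session code is a rejection,
 * and the stored code is removed on every attempt so it is single-use.
 */
function validateCaptchaFailClosed(FakeSession $session, ?string $answer): bool
{
    $expected = $session->get('basic_captcha_code');
    // Consume the code regardless of outcome; a fresh one must be issued
    // with the next render of the form.
    $session->remove('basic_captcha_code');

    if ($expected === null || $answer === null || $answer === '') {
        return false;
    }
    return hash_equals((string) $expected, $answer);
}

// Constructed scenario 1 (the report): code stored in the session, field left empty.
$session = new FakeSession();
$session->set('basic_captcha_code', 'AB12'); // constructed sample code
var_dump(validateCaptchaFailOpen($session, ''));
var_dump(validateCaptchaFailClosed($session, ''));

// Constructed scenario 2 (the follow-up comment): the session never received the code.
$noCode = new FakeSession();
var_dump(validateCaptchaFailOpen($noCode, 'AB12'));
var_dump(validateCaptchaFailClosed($noCode, 'AB12'));
```

Run with `php example.php`: the fail-open variant accepts both scenarios, the fail-closed variant rejects both. The design point is that "no value to compare against" must be treated as a failed check rather than as an absent check, and that the session value should be cleared on use so a stale code cannot satisfy a later submission.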