CAPTCHA is presented, but the results are ignored.
Patch incoming.
Change 361283 had a related patch set uploaded (by MarkAHershberger; owner: MarkAHershberger):
[mediawiki/extensions/ConfirmAccount@master] Pay attention to CAPTCHA failures
I understand this has been a bug for 4 years. It's kind of alarming because this makes wikis still susceptible to spambot attacks that target Special:RequestAccount. Some spambots on our wikis have already started to take advantage of this. Before they do, this needs to be fixed or lots of wikis relying on this extension will fall prey to spambots. I understand that humans can filter through the spam accounts, but this extension doesn't offer a mass-reject tool. Furthermore, for those using SES for email on their wikis, this can drive up bounce rates to a dangerous point where they might risk being booted off of SES. Has any other work been done on this so far?
Looks like there's no code in Special:RequestAccount to even handle the checking of captchas. Furthermore ConfirmAccount doesn't expose any hooks, so it's difficult for ConfirmEdit to extend ConfirmAccount. I'm working on a temporary stopgap solution for hCaptcha since that is our priority need right now at MyWikis, but hope this is some useful food for thought.
Since this is a priority for MyWikis, I have written the first (very temporary) patch fixes for hCaptcha only (since it is the most effective captcha currently publicly available). It's not pretty but it'll do the job for anyone who needs to secure their wiki immediately.
Here are the changed files:
MediaWiki 1.35+:
MediaWiki 1.31:
Also posted at https://www.mediawiki.org/w/index.php?title=Topic:W449yd63slfossl2&topic_showPostId=w457lxnfmrb51gct#flow-post-w457lxnfmrb51gct
I don't expect these changes to be merged as a solution for this bug report but hope this helps.
Change 831136 had a related patch set uploaded (by Seb35; author: Seb35):
[mediawiki/extensions/ConfirmAccount@master] Do verify the captcha
Change 831136 merged by jenkins-bot:
[mediawiki/extensions/ConfirmAccount@master] Do verify the captcha
Fixed in current master, so it will be available in REL1_40+ (version 1.40+).
I updated the documentation on MediaWiki.org (diff).
@Seb35 Will it be possible to back-port this to MW 1.39 since this is the LTS branch? Will be cool I believe.
Change 879996 had a related patch set uploaded (by Seb35; author: Seb35):
[mediawiki/extensions/ConfirmAccount@REL1_39] Do verify the captcha
It is prepared and I tested it, the patch is now in the review phase. (sorry, I did not see your message sooner :(
@Seb35 No problem at all. I believe we all have a lot of tasks on our plates. Thanks for doing the backport!
Change 879996 merged by jenkins-bot:
[mediawiki/extensions/ConfirmAccount@REL1_39] Do verify the captcha