Captcha background image-rotate issue (Bugs)

by vihuna, (734 days ago)

Hi everyone.

The `imagerotate()` PHP function fails to return an image object, at least with PHP 7.4 on my hosting.

More specifically, the error occurs when specifying 180 degrees as the parameter value (so half of the time the captcha will not be displayed, as designed in function `generate_image()`).

I'm not sure, but I think I remember getting similar errors in the past with older versions of PHP, for some other particular values (negative?). Has anyone else experienced similar issues with `imagerotate()`? And what about PHP 8?

I have temporarily avoided this issue by manually changing the value to 179.9 for the parameter. But if it's a common issue, maybe a fix can be added for it: it could be verified that the value returned by `imagerotate()` is not `false`; or an option in the admin panel to not rotate the captcha background?

Best regards.


Captcha background image-rotate issue

by Auge ⌂, (731 days ago) @ vihuna

Hello

Sorry for the delayed reply. I looked into the code but had no time to answer.

> The `imagerotate()` PHP function fails to return an image object, at least with PHP 7.4 on my hosting.
>
> More specifically, the error occurs when specifying 180 degrees as the parameter value (so half of the time the captcha will not be displayed, as designed in function `generate_image()`).

This looks strange. The code has been unchanged for ages and the 180-degree turn itself is similar to the code from the PHP documentation.

The code in modules/captcha/captcha.php (version 20220803.1): `$im = imagerotate($im, 180, 0)`

The code in the PHP documentation for `imagerotate` (variable `$degrees` replaced by its value 180): `imagerotate($source, 180, 0)`

> I'm not sure, but I think I remember getting similar errors in the past with older versions of PHP, for some other particular values (negative?). Has anyone else experienced similar issues with `imagerotate()`? And what about PHP 8?

I do not remember any previous bug report in this regard, even though changes were made to the return value with PHP 8.0. But, to be fair, graphical captchas are generally considered ineffective, so they might not be in use in most cases/instances anyway.

> I have temporarily avoided this issue by manually changing the value to 179.9 for the parameter. But if it's a common issue, maybe a fix can be added for it: it could be verified that the value returned by `imagerotate()` is not `false`; or an option in the admin panel to not rotate the captcha background?

IMHO checking the return value of the function is – independently of the current issue – the way to go. I opened an issue at GitHub (#658).

Bye, Auge

--
Never separate Müll, for it has only one syllable!

Captcha background image-rotate issue

by vihuna, (731 days ago) @ Auge

> But, to be fair, graphical captchas are generally considered ineffective, so they might not be in use in most cases/instances anyway.

I know. There is an extensive bibliography with algorithms that they used to break the different captchas.

Thanks for your answer.


Captcha issue, a few additional thoughts

by Auge ⌂, (731 days ago) @ vihuna

Hello

> > But, to be fair, graphical captchas are generally considered ineffective, so they might not be in use in most cases/instances anyway.
>
> I know. There is an extensive bibliography with algorithms that they used to break the different captchas.

Also our alternative for the graphical captcha, the mathematical captcha, is not really effective, as reports here in the forum show (for example this one or that older one). Both captcha methods have an additional issue besides their ineffectiveness. The captchas make it harder, up to impossible, to use the software for people with certain disabilities. Not being able to solve the captcha tasks excludes one from using the software.

All that says nothing about a really working alternative to captchas.

- The forum script works optionally with the service Stop Forum Spam to check e-mail addresses during the registration process for being known as spam senders. There is no check for the entry form or the contact form.
- The script works optionally with Akismet, to check the content of the entry form and/or the contact form for being possibly spam. There is no check for the registration form.
- The script utilises Bad Behavior locally to scan for spam. The entry form will definitely be checked but I can't say anything about the other cases (registration and contact form) at the moment.
- Last but not least there are the (in this software) ancient blacklist methods for bad words, IPs and user agents. Those methods work in all three cases (entry form, contact form, registration form) but are IMHO very limited because of the really great maintenance effort.

We introduced honey pot fields to several forms in a few minor versions of the 2.4-branch, which excludes really silly bots. We introduced a Bayes-based spam filter with version 20220508.1, that can be enabled for forum entries, e-mails sent over the contact form and for the registration form separately. The filter has to be trained manually before working well by itself. This is done by catching spam entries by hand and with the old methods, that can mark entries as spam and hide them from the thread list. Those hidden entries can be manually marked as spam afterwards, which trains the Bayes-based filter.

Every single method is far from perfect but working in combination makes them much more efficient although still not perfect. See also the Swiss Cheese Model. In this installation we use all of the methods, even without using every feature of every method. For entries I can say that every now and then (maybe every two or three weeks) a spam entry succeeds, but around eight to ten entries per day are caught and hidden from the thread list to be training material for the Bayes-based filter. I can say nothing about the contact form function but I know that our hosting company checks automatically for suspect traffic and there have been no reports for over half a year (and the latest reports were about automatically sent e-mails for a privacy feature).

That's my experience with this installation. This tells us nothing about other cases. Other hosting companies might be more thin-skinned about possible spam or forbid the use of one or another spam prevention method (for example by forbidding the contacting of external services). But with the knowledge of the ineffectiveness of both existing captcha methods we should be able to subtract them in our mind from the conglomerate of the other methods we use without making the spam prevention remarkably less effective. Therefore, one should think about not using the captchas any more.

Bye, Auge

[edit]: Added a sentence with a link to the Wikipedia article about the Swiss Cheese Model (2024-02-08).

--
Never separate Müll, for it has only one syllable!
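As an added illustration of the layering described in the post above (not code from the forum software): a honeypot check followed by a small naive Bayes score trained from entries a moderator has marked. The names `BayesFilter`, `classifyEntry` and `website_hp`, and the 0.9 threshold, are assumptions made for this example.

```php
<?php
// Added example with hypothetical names; not code from the forum software.
class BayesFilter
{
    private $words = ['spam' => [], 'ham' => []]; // entries containing each token
    private $docs  = ['spam' => 0, 'ham' => 0];   // trained entries per class
    private function tokens(string $text): array
    {
        // Word tokens of 3+ characters, once per entry (needs mbstring).
        preg_match_all('/[\p{L}\p{N}]{3,}/u', mb_strtolower($text), $m);
        return array_unique($m[0]);
    }
    // Called when a moderator marks an entry as 'spam' or legitimate ('ham').
    public function train(string $text, string $class): void
    {
        $this->docs[$class]++;
        foreach ($this->tokens($text) as $t) {
            $this->words[$class][$t] = ($this->words[$class][$t] ?? 0) + 1;
        }
    }
    // Probability (0..1) that the text is spam; 0.5 until both classes are trained.
    public function spamProbability(string $text): float
    {
        if ($this->docs['spam'] === 0 || $this->docs['ham'] === 0) {
            return 0.5;
        }
        $logOdds = log($this->docs['spam'] / $this->docs['ham']);
        foreach ($this->tokens($text) as $t) {
            // Laplace smoothing keeps an unseen token from zeroing a class.
            $pSpam = (($this->words['spam'][$t] ?? 0) + 1) / ($this->docs['spam'] + 2);
            $pHam  = (($this->words['ham'][$t] ?? 0) + 1) / ($this->docs['ham'] + 2);
            $logOdds += log($pSpam) - log($pHam);
        }
        return 1 / (1 + exp(-$logOdds));
    }
}

// Layer 1: hidden honeypot field. Layer 2: Bayes score above a threshold.
function classifyEntry(array $post, BayesFilter $filter): string
{
    if (($post['website_hp'] ?? '') !== '') return 'rejected';
    return $filter->spamProbability($post['text'] ?? '') > 0.9 ? 'hidden' : 'visible';
}

// Constructed training data standing in for entries a moderator has marked.
$f = new BayesFilter();
$f->train('cheap pills online casino bonus', 'spam');
$f->train('captcha image rotation fails with php', 'ham');
echo classifyEntry(['text' => 'online casino bonus pills'], $f), "\n";
```

An entry classified as `hidden` stays available for a moderator to confirm or correct, and that decision is what feeds `train()`.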


Captcha issue, a few additional thoughts

by Micha ⌂, (731 days ago) @ Auge

Hello

> Therefore, one should think about not using the captchas any more.

I support this opinion!

/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences

Captcha issue, a few additional thoughts

by vihuna, (724 days ago) @ Auge

Thanks for this very informative answer.

And because you have some experience in the matter, I would like to know your opinion about the usefulness of the "proof of work" technique.

Thanks.


Captcha background image-rotate issue

by Auge ⌂, (730 days ago) @ vihuna

Hello

> The `imagerotate()` PHP function fails to return an image object, at least with PHP 7.4 on my hosting.
>
> More specifically, the error occurs when specifying 180 degrees as the parameter value (so half of the time the captcha will not be displayed, as designed in function `generate_image()`).

I tested the relevant code from /modules/captcha/ myself and on servers I have access to (PHP in versions 7.2.24 and 7.4.32). The rotation of the background images works flawlessly. So this is in itself not an issue with the PHP version 7.4.

What happens on your server, what is visible to the visitor in the browser? Do you see no image or maybe only the light grey placeholder image without any text? Do you find the background images in modules/captcha/backgrounds and a TTF-font in modules/captcha/fonts (at least Tahoma.ttf should be present)?

Bye, Auge

--
Never separate Müll, for it has only one syllable!

Captcha background image-rotate issue

by vihuna, (729 days ago) @ Auge

Hi.

> I tested the relevant code from /modules/captcha/ myself and on servers I have access to (PHP in versions 7.2.24 and 7.4.32). The rotation of the background images works flawlessly. So this is in itself not an issue with the PHP version 7.4.

Thanks. I already supposed it was probably not a PHP 7.4 issue, when I was unable to find any comments about it on the web.

> What happens on your server, what is visible to the visitor in the browser? Do you see no image or maybe only the light grey placeholder image without any text? Do you find the background images in modules/captcha/backgrounds and a TTF-font in modules/captcha/fonts (at least Tahoma.ttf should be present)?

I think your questions are quite relevant. In fact, checking the `false` return value will not fix the issue in my case. Specifically, I get a "Service Unavailable" and 503 Error.

[image]

`imagerotate` doesn't return a `false` value, and I couldn't catch the error, no matter what I have tried.

I have done additional tests on the hosting: the issue affects some specific angle values and some specific images. This is the code I have used for testing purposes (only for `imagerotate`, not the full captcha):

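```php
<?php
// error_reporting(E_ALL);
// ini_set("log_errors", 1);
// ini_set("error_log", $_SERVER['DOCUMENT_ROOT']."/imgrotate.log");
// error_log("Testing\n");

// Rotation angle in degrees, forced to a number.
$degrees = (float) ($_GET['angle'] ?? 0);
// Image name without extension; basename() keeps the lookup in this directory.
$filename = basename((string) ($_GET['img'] ?? ''));

$source = @imagecreatefrompng(__DIR__.'/'.$filename.'.png');
if ($source === false) {
  http_response_code(404);
  exit('Image not found');
}

$rotate = imagerotate($source, $degrees, 0);
if ($rotate === false) {
  http_response_code(500);
  exit('imagerotate() failed');
}

// Send the image header only once there is an image to output.
header('Content-type: image/png');
imagepng($rotate);

// try {
//   $rotate = imagerotate($source, $degrees, 0);
// } catch (Exception $e) {
//   error_log('Caught exception: '.$e->getMessage()."\n");
// }
?>
```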

You can try for the images: "background_1", "background_2", "avatar", "background_1_v2" and "admin-user-date-format":

https://www.reduccionalabsurdo.es/tests/imagerotate/test.php?img=background_1&angle=180

"background_1_v2" is the same as "background_1"; I have only opened it with Gimp and changed some values like "image precision". However, with "background_1" I get an error for 180 degrees but with "background_1_v2" it works fine.

Regards.
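An added example, not part of the thread and not code from the forum software: one way to combine the return-value check discussed above with a half turn that does not call `imagerotate()` at all, using `imageflip()` with `IMG_FLIP_BOTH`, which produces the same picture as a 180-degree rotation. The helper name `rotateBackground()` and the sample canvas are assumptions; a return-value check cannot intercept a process-level failure such as the 503 described in the last post.

```php
<?php
// Added example; rotateBackground() is a hypothetical helper, not forum code.

/**
 * Rotate a GD image without letting a failed rotation break the captcha.
 * Returns the rotated image, or the unrotated original if rotation fails.
 */
function rotateBackground($im, float $degrees)
{
    // Normalise to [0, 360) so -180, 180 and 540 take the same path.
    $degrees = fmod(fmod($degrees, 360.0) + 360.0, 360.0);
    if ($degrees == 0.0) {
        return $im;
    }
    if ($degrees == 180.0) {
        // A half turn equals flipping on both axes. imageflip() works in
        // place; if it fails the image is simply left unrotated.
        imageflip($im, IMG_FLIP_BOTH);
        return $im;
    }
    $rotated = imagerotate($im, $degrees, 0);
    if ($rotated === false) {
        error_log("imagerotate() failed for {$degrees} degrees, using unrotated image");
        return $im;
    }
    return $rotated;
}

// Constructed input: a 60x20 canvas standing in for a captcha background,
// with a red block in the top-left corner.
$im = imagecreatetruecolor(60, 20);
imagefilledrectangle($im, 0, 0, 9, 9, imagecolorallocate($im, 255, 0, 0));
$im = rotateBackground($im, 180);

// Check the pixel diagonally opposite the original red block.
$rgb = imagecolorat($im, 59, 19);
echo ($rgb === 0xFF0000) ? "half turn applied\n" : "image left unrotated\n";
```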
