/**
* Renders the captcha image
*
* @return string empty string (the image is sent here)
*/
public function render()
{
// Avoid Brute Force Attacks:
if (!$this->word->getAttempts()) {
$this->word->setAttempts(1);
} else {
$this->word->setAttempts($this->word->getAttempts() + 1);
// if more than ($this->settings['maxAttempts']) refreshes, block further refreshes
// can be negated by connecting with new session id
// could get round this by storing num attempts in database against IP
// could get round that by connecting with different IP (eg, using proxy servers)
// in short, there's little point trying to avoid brute forcing
// the best way to protect against BF attacks is to ensure the dictionary is not
// accessible via the web or use random string option
if ($this->word->getAttempts() > $this->settings['maxAttempts']) {
$this->word->setWordHash('');
$this->word->setWordCypher(array());
$this->word->setHashFunction('');
// Get an instance of the word repository
$objectManager = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Extbase\\Object\\ObjectManager');
$wordRepository = $objectManager->get('SJBR\\SrFreecap\\Domain\\Repository\\WordRepository');
// Reset the word
$wordRepository->setWord($this->word);
$string = \TYPO3\CMS\Extbase\Utility\LocalizationUtility::translate('max_attempts', $this->extensionName);
$font = 5;
$width = imagefontwidth($font) * strlen($string);
$height = imagefontheight($font);
$image = ImageCreate($width + 2, $height + 20);
$background = ImageColorAllocate($image, 255, 255, 255);
ImageColorTransparent($image, $background);
$red = ImageColorAllocate($image, 255, 0, 0);
ImageString($image, $font, 1, 10, $string, $red);
\SJBR\SrFreecap\Utility\ImageContentUtility::sendImage($image, $this->settings['imageFormat']);
ImageDestroy($image);
// Return an empty string
return '';
}
}
// Get random word
$word = \SJBR\SrFreecap\Utility\RandomContentUtility::getRandomWord($this->settings['useWordsList'], $this->settings['wordsListLocation'], $this->settings['generateNumbers'], $this->settings['maxWordLength']);
// Save hash of word for comparison
// using hash so that if there's an insecurity elsewhere (eg on the form processor),
// an attacker could only get the hash
// also, shared servers usually give all users access to the session files
// echo `ls /tmp`; and echo `more /tmp/someone_elses_session_file`; usually work
// so even if your site is 100% secure, someone else's site on your server might not be
// hence, even if attackers can read the session file, they can't get the freeCap word
// (though most hashes are easy to brute force for simple strings)
$this->word->setWordHash(md5($word));
// We use a simple encrypt to prevent the session from being exposed
if ($this->settings['accessibleOutput']) {
$this->word->setWordCypher(\SJBR\SrFreecap\Utility\EncryptionUtility::encrypt($word));
}
// Build the image
$image = $this->buildImage($word, $this->settings['imageWidth'], $this->settings['imageHeight'], $this->settings['backgroundType']);
// Send the image
\SJBR\SrFreecap\Utility\ImageContentUtility::sendImage($image, $this->settings['imageFormat']);
// Cleanup
ImageDestroy($image);
// Return an empty string
return '';
}
/**
* Merge captcha image with background
*
* @param int $width: width of the image in pixels
* @param int $height: width of the image in pixels
* @param string $captchaImage: a GD image identifier
* @param string $backgroundImage: a GD image identifier
* @param string $backgroundType (see constants)
* @param int $mergeType: 0 - Background over captcha, 1 - Captcha over background (see constants)
* @param int $backgroundFadePercentage: fading factor for background
* @return string GD image identifier of merged image
*/
public static function mergeCaptchaWithBackground($width, $height, $captchaImage, $backgroundImage, $backgroundType, $mergeType)
{
if ($backgroundType != self::BACKGROUND_TYPE_TRANSPARENT) {
// How faded should the background be? (100=totally gone, 0=bright as the day)
// to test how much protection the bg noise gives, take a screenshot of the freeCap image
// and take it into a photo editor. play with contrast and brightness.
// If you can remove most of the background, then it's not a good enough percentage
switch ($backgroundType) {
case self::BACKGROUND_TYPE_WHITE_WITH_GRID:
case self::BACKGROUND_TYPE_WHITE_WITH_SQUIGGLES:
$backgroundFadePercentage = 65;
break;
case self::BACKGROUND_TYPE_MORPHED_IMAGE_BLOCKS:
$backgroundFadePercentage = 50;
break;
}
// Slightly randomize the background fade
$backgroundFadePercentage += RandomContentUtility::getRandomNumberInRange(-2, 2);
// Fade background
if ($backgroundType != self::BACKGROUND_TYPE_MORPHED_IMAGE_BLOCKS) {
$tempImage = ImageCreateTrueColor($width, $height);
$white = ImageColorAllocate($tempImage, 255, 255, 255);
ImageFill($tempImage, 0, 0, $white);
ImageCopyMerge($backgroundImage, $tempImage, 0, 0, 0, 0, $width, $height, $backgroundFadePercentage);
ImageDestroy($tempImage);
$colorFadePercentage = 50;
} else {
$colorFadePercentage = $backgroundFadePercentage;
}
// Merge background image with CAPTCHA image to create smooth background
if ($mergeType == self::MERGE_CAPTCHA_OVER_BACKGROUND) {
// Might want to not blur if using this method, otherwise leaves white-ish border around each letter
ImageCopyMerge($backgroundImage, $captchaImage, 0, 0, 0, 0, $width, $height, 100);
ImageCopy($captchaImage, $backgroundImage, 0, 0, 0, 0, $width, $height);
} else {
// Background over captcha
ImageCopyMerge($captchaImage, $backgroundImage, 0, 0, 0, 0, $width, $height, $colorFadePercentage);
}
}
return $captchaImage;
}