mCaptcha/CHANGELOG.md

945 B

0.1.0(unreleased)

Changed

  • (7d0e4c6) Add secret parameter to token verification request payload(/api/v1/pow/siteverify) to mitigate a security issue that @gusted found:

    ...A malicious user could grab the sitekey and use that sitekey with mcaptcha to use it for their own server. While they can now go abuse it for illegal stuff or other stuff. You might decide, oh I don't want this! and terminate a legitimate siteKey. New request payload:

    {
    	"secret": "<your-users-secret>", // found in /settings in the dashbaord
    	"token": "<token-presented-by-the-user>",
    	"key": "<your-sitekey>"
    }
    
  • (42544ec42) Rename pow section in settings to captcha and add options to configure