Feature request: simple captcha

Bug #1774826 reported by Oscar Racle
This bug affects 2 people
Affects: GNU Mailman
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Suggest to include a simple captcha that (unlike reCAPTCHA) does not involve feeding data to the internet advertising and surveillance industry.

This could be a simple arithmetic captcha entirely implemented in Python without any contact to 3rd party servers. Such a mechanism should be sufficient to keep out ordinary spambots.

Mark Sapiro (msapiro)
Changed in mailman:
importance: Undecided → Wishlist
status: New → Triaged
Ralf Jung (ralfjung-e) wrote :

I have implemented such a simple CAPTCHA for Mailman 2 and described the patch at <https://www.ralfj.de/blog/2018/06/10/mailman-subscription-spam-continued.html>. If there is interest from the maintainers, I'd be happy to prepare a merge request for this.

Mark Sapiro (msapiro) wrote :

I have looked at your blog post describing the patch. It is interesting and to me it is quite reminiscent of the MoinMoin TextCHA feature. See https://moinmo.in/HelpOnSpam for a bit on that.

I'd be interested in a merge request against the current HEAD, but it would need work. I think the display and verify functions should be in Mailman/Utils.py rather than a separate module. Also, I would like to see support for multiple languages as in the MoinMoin implementation, and I would like to see it done in such a way that one could set neither, one or both of CAPTCHAS and RECAPTCHA_SITE_KEY/RECAPTCHA_SECRET_KEY in mm_cfg.py and the right thing would be done in each case.

Ralf Jung (ralfjung-e) wrote :

> I think the display and verify functions should be in Mailman/Utils.py rather than a separate module.

Absolutely, I just did that to keep the diff small and reduce the chance of conflicts.

> I would like to see support for multiple languages as in the MoinMoin implementation

So, having an additional outer-level dictionary mapping languages to something like what I am using currently? Yes, I can do that.

Technical question: Can I rely on the language being the same on the listinfo and the subscribe page, or do I have to put the language into the FORM_SECRET to be able to know which language was used?

> and I would like to see it done in such a way that one could set neither, one or both of CAPTCHAS and RECAPTCHA_SITE_KEY/RECAPTCHA_SECRET_KEY in mm_cfg.py and the right thing would be done in each case

I definitely planned to implement it that way.

Do you have any suggestions for the best way to test such a patch locally before submission? Is there a good way to run mailman from source? I guess I could copy-paste the changed files to one of my servers but that seems suboptimal.

Mark Sapiro (msapiro) wrote : Re: [Bug 1774826] Re: Feature request: simple captcha

On 06/14/2018 12:27 AM, Ralf Jung wrote:
>
> So, having an additional outer-level dictionary mapping languages to
> something like what I am using currently? Yes, I can do that.

My thought on languages is that the definition of CAPTCHAS to enable the
feature would be something like:

CAPTCHAS = {'en': [('english question one', 'regexp matching answers'),
                   ('english question two', 'regexp matching answers'),
                   # ...
                  ],
            'l2': [('language2 question one', 'regexp matching answers'),
                   ('language2 question two', 'regexp matching answers'),
                   # ...
                  ],
            # ...
           }

Then the trigger would be something like:
    if isinstance(CAPTCHAS, dict) and 'en' in CAPTCHAS:

And the idea being to look up the questions and answer regexps for the
language in question and if not found, use the 'en' questions and answer
regexps.

> Technical question: Can I rely on the language being the same on the
> listinfo and the subscribe page, or do I have to put the language into
> the FORM_SECRET to be able to know which language was used?

No, you can't. The language that you will see when generating the
question is the language selected with the "View this page in" button at
the upper right of the listinfo page.

The language passed to the subscribe CGI as the value of 'language' is
the language selected at "Which language do you prefer to display your
messages?" These are not necessarily the same as each other or as the
list's or site's preferred language. So, yes, you have to pass both the
language and the question index in the token.

> Do you have any suggestions for the best way to test such a patch
> locally before submission? Is there a good way to run mailman from
> source? I guess I could copy-paste the changed files to one of my
> servers but that seems suboptimal.

It's easy enough. I actually have development environments on my local
work stations, so I don't think much about how to set it up, but you
basically need to have a development box that has a web server. For
this, you don't need an MTA and you don't need to run Mailman as you're
only testing CGIs and you can see from Mailman's logs and qfiles what
happened beyond the web responses.

You need to start with the source plus your changes, run configure with
some local directory as --prefix. I use:

> #! /bin/sh
> ./configure --prefix=/var/MM/21 --with-username=mark --with-groupname=mark --with-cgi-gid=www-data --with-mail-gid=mark --with-mailhost=msapiro.net --with-urlhost=msapiro.net

and then 'make install'. In my apache config I have

> ScriptAlias /mailman/ /var/MM/21/cgi-bin/
> Alias /pipermail/ /var/MM/21/archives/public/
>
> <Directory "/var/MM/21/cgi-bin/">
> AllowOverride None
> Options ExecCGI
> Require all granted
> </Directory>
>
> <Directory "/var/MM/21/archives/public">
> Options +FollowSymLinks
> Require all granted
> </Directory>

You also have to create a list, and I think that's about it.

--
Mark Sapiro <email address hidden> The highway is for gamblers,
San Francisco Bay Area, California better use your sen...
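
The design discussed in this message (per-language question lists, fallback to 'en', and a token that carries both the language and the question index) can be sketched as follows. This is an added example, not code from Mailman or from the patch under discussion; it is written for Python 3, and the HMAC token layout, `SECRET`, `MAX_AGE`, the `display`/`verify` signatures and the sample questions are assumptions made for illustration.

```python
import hashlib
import hmac
import random
import re
import time

# Constructed sample configuration in the shape proposed above.
CAPTCHAS = {
    'en': [('What is two plus three?', r'(5|five)$'),
           ('What color is snow?', r'white$')],
    'de': [('Was ist zwei plus drei?', r'(5|fuenf|fünf)$')],
}
SECRET = b'constructed-demo-secret'  # assumption: a per-site secret key
MAX_AGE = 3600                       # assumption: token lifetime in seconds

def captcha_enabled():
    return isinstance(CAPTCHAS, dict) and 'en' in CAPTCHAS

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def display(lang, now=None, rng=random):
    """Return (question, token); the token binds language, index and time."""
    if lang not in CAPTCHAS:
        lang = 'en'                  # unknown language: use English questions
    idx = rng.randrange(len(CAPTCHAS[lang]))
    issued = int(time.time() if now is None else now)
    payload = '%s:%d:%d' % (lang, idx, issued)
    return CAPTCHAS[lang][idx][0], payload + ':' + _sign(payload)

def verify(token, answer, now=None):
    """Authenticate the token first, then match the answer regexp."""
    try:
        lang, idx, issued, mac = token.split(':')
        expected = _sign('%s:%s:%s' % (lang, idx, issued))
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False             # language or index was tampered with
        age = (time.time() if now is None else now) - int(issued)
        pattern = CAPTCHAS[lang][int(idx)][1]
    except (ValueError, KeyError, IndexError):
        return False                 # malformed token or stale configuration
    if not 0 <= age <= MAX_AGE:
        return False                 # expired or future-dated token
    return re.match(pattern, answer.strip(), re.IGNORECASE) is not None
```

Because the language and index are covered by the MAC, the subscribe handler never has to trust the separate 'language' form field when choosing which answer regexp to apply.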


Ralf Jung (ralfjung-e) wrote :

All right, I finally got around to implementing this. I submitted a merge request at https://code.launchpad.net/~ralfjung-e/mailman/2.1/+merge/368614. It took quite a while to figure out how to do that on Launchpad so I hope that's the right thing to do.
