Index: trunk/CHANGELOG
===================================================================
--- trunk/CHANGELOG	(revision 638)
+++ trunk/CHANGELOG	(revision 639)
@@ -10,7 +10,10 @@
 # = Bugfix
 ! = Update/Change
 
-------------------------------------- 2.7.0 -------------------------------------
+------------------------------------- 2.7.0 -------------------------------------
+29-Jan-2008 Thomas Hornik
+#	Security bugfix: Text file for text-captcha was readable from everywhere
+#	Text-captcha: empty line in test file, following a question, was accepted as answer. Fixed.
 28-Jan-2008 Matthias Gallas
 #	Replaced all special chars in language files with htmlentities or unicode
 +	Added some missing lines in language files
Index: trunk/wb/include/captcha/captchas/text.php
===================================================================
--- trunk/wb/include/captcha/captchas/text.php	(revision 638)
+++ trunk/wb/include/captcha/captchas/text.php	(revision 639)
@@ -28,7 +28,7 @@
 
 global $admin;
 $name = 'text';
-$file = WB_PATH."/temp/.captcha_$name.txt";
+$file = WB_PATH."/temp/.captcha_$name.php";
 
 srand((double)microtime()*100000);
 $_SESSION['captcha'] = rand(0,99999);
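Review bot: Pointing `$file` at `.captcha_$name.php` does nothing about the `.captcha_text.txt` that existing installs already have under `WB_PATH/temp`. Nothing visible in this commit deletes or migrates it, so the old file would presumably stay readable over the web, and the stored questions would no longer be found at the new path. An upgrade step should copy the old content into the new file behind the guard line and then remove the original, for example `@unlink(WB_PATH.'/temp/.captcha_text.txt');` after a successful copy. If an upgrade script outside this diff already does this, a comment here pointing to it would help.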
@@ -61,10 +61,11 @@
 	$s=next($content);
 	$s=trim(rtrim(rtrim($s,"\n"),"\r")); // remove newline
 	$s=$admin->strip_slashes($s);
-	if(isset($s{0}) && $s{0}!='!') continue;
-	$a=substr($s,1);
-	$qa[$lang][$q]=$a;
-	next($content);
+	if(isset($s{0}) && $s{0}=='!') {
+		$a=substr($s,1);
+		$qa[$lang][$q]=$a;
+		next($content);
+	}
 }
 if($qa == array()) {
 	echo '<b>Error</b>: no text defined! Enter <b>0</b> to solve this captcha';
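Review bot: The new condition `$s{0}=='!'` still accepts a line consisting of `!` alone, for which `substr($s,1)` yields no answer text, so the empty-answer case named in the changelog is only partly closed. Because `$s` is already trimmed, requiring a second character covers it: `if(isset($s{1}) && $s{0}=='!') {`. The enclosing loop starts outside this hunk, so how a stored empty answer is later compared with the visitor's input is not visible here and should be confirmed.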
Index: trunk/wb/modules/captcha_control/tool.php
===================================================================
--- trunk/wb/modules/captcha_control/tool.php	(revision 638)
+++ trunk/wb/modules/captcha_control/tool.php	(revision 639)
@@ -56,7 +56,8 @@
 		$text_qa=$_POST['text_qa'];
 		if(strpos($text_qa, '### example ###') === FALSE) {
 			$text_qa=$admin->add_slashes($text_qa);
-			if($fh = fopen(WB_PATH.'/temp/.captcha_text.txt', 'wb')) {
+			$text_qa="<?php die(header('Location: ../index.php')); ?>\n".$text_qa;
+			if($fh = fopen(WB_PATH.'/temp/.captcha_text.php', 'wb')) {
 				fwrite($fh, $text_qa);
 				fclose($fh);
 			}
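Review bot: The text written by `fopen(WB_PATH.'/temp/.captcha_text.php', 'wb')` comes from `$_POST['text_qa']` and now lands in a file the server treats as PHP, so the prepended `die(...)` line is the only thing keeping that stored content from being interpreted on a direct request. That dependency should be stated at the prepend, e.g. `// must remain the first line: stops a direct request before any stored text is reached`. Assuming `temp/` is web-served (the changelog's "readable from everywhere" suggests so), keeping the data in a non-executable file outside the document root, or denying web access to `temp/` in the server configuration, would remove the reliance on that one line.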
@@ -78,9 +79,10 @@
 	// load text-captchas
 	$text_qa='';
 	if(file_exists(WB_PATH.'/include/captcha/captchas/text.php')) {
-		if(file_exists(WB_PATH.'/temp/.captcha_text.txt')) {
-			@$content = file(WB_PATH.'/temp/.captcha_text.txt');
+		if(file_exists(WB_PATH.'/temp/.captcha_text.php')) {
+			@$content = file(WB_PATH.'/temp/.captcha_text.php');
 			if($content!==FALSE) {
+				$content[0]='';
 				$text_qa = $admin->strip_slashes(implode('', $content));
 			}
 		}
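Review bot: `$content[0]='';` blanks the first line without checking what it holds, so a file without the guard line (hand-edited, or copied over from the old `.txt`) silently loses its first entry when loaded into the editor. Testing for the guard first avoids that: `if(isset($content[0]) && strpos($content[0], '<?php') === 0) $content[0]='';`. The outer `if(file_exists(...))` block is closed outside this hunk.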
