Magento formId is mandatory on captcha refresh

Written by Peter Davies.

On a client site we kept getting the following message where it appeared a client could somehow directly access the captcha URL without posting any *required* data:

IP Address:
Time: 2013-04-17 08:19:56 GMT
formId is mandatory

A quick edit of /app/code/core/Mage/Captcha/controllers/RefreshController.php should prevent the error: just after line 44, add a check on the posted value "formId":

// Stop here when the request carries no posted formId (e.g. a direct hit on the URL).
if (empty($formId)) return false;

Now a direct query to /captcha/refresh/ will no longer generate an error e-mail.
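
A stricter form of the same check, as an added example that is neither Magento's code nor the author's: it rejects a missing formId and also values that empty() lets through, such as an array or an unrecognised name. The function name captchaFormIdFromPost and the allow-list entries are assumptions made for illustration.

```php
<?php
// Added example, not Magento core code. Stand-alone validation of the
// posted "formId"; the allow-list values below are constructed samples.

/**
 * Return the posted formId when it is a known form identifier, else null.
 * Unlike empty(), this also rejects arrays (formId[]=x) and unknown names.
 */
function captchaFormIdFromPost(array $post, array $allowedFormIds)
{
    if (!isset($post['formId']) || !is_string($post['formId'])) {
        return null; // missing, or not a plain string
    }
    $formId = trim($post['formId']);
    if ($formId === '' || !in_array($formId, $allowedFormIds, true)) {
        return null; // blank, or not a form this site serves a captcha for
    }
    return $formId;
}

// Constructed allow-list and sample request bodies.
$allowed = array('user_login', 'user_create');
$samples = array(
    'direct hit, no POST data' => array(),
    'blank value'              => array('formId' => ''),
    'array value'              => array('formId' => array('user_login')),
    'unknown form'             => array('formId' => 'no_such_form'),
    'valid refresh'            => array('formId' => 'user_login'),
);

foreach ($samples as $label => $post) {
    $formId = captchaFormIdFromPost($post, $allowed);
    $result = ($formId === null) ? 'rejected' : "accepted ($formId)";
    printf("%-26s => %s\n", $label, $result);
}
```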