phpBB3 / PHPBB3-15426

Google reCaptcha URL wrong when behind an HTTPS proxy

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.2.1
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels:
    • Environment:
      nginx (doing TLS) proxying to Apache mod_php

      Description

      When running phpBB on Apache behind a proxy running HTTPS, Apache only sees the plain HTTP request from the proxy, so the $request->is_secure() in phpbb/captcha/plugins/recaptcha.php will return false, resulting in an http:// URL being returned for Google's reCaptcha when it should be https://. This causes reCaptcha to fail in browsers unless you click "Load unsafe scripts".

      This is easily fixed by just using // URLs instead of http:// or https://. The patch below certainly fixes the problem, but the logic for deciding which URL to serve could just be removed altogether:

      --- recaptcha.php.orig	2017-07-16 19:07:13.000000000 +0100
      +++ recaptcha.php	2017-10-29 21:02:52.105000506 +0000
      @@ -15,8 +15,8 @@
       
      class recaptcha extends captcha_abstract
      {
      -	var $recaptcha_server = 'http://www.google.com/recaptcha/api';
      -	var $recaptcha_server_secure = 'https://www.google.com/recaptcha/api'; // class constants :(
      +	var $recaptcha_server = '//www.google.com/recaptcha/api';
      +	var $recaptcha_server_secure = '//www.google.com/recaptcha/api'; // class constants :(
       
      var $response;
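
Review bot: on the two added lines, $recaptcha_server and $recaptcha_server_secure now hold the same '//www.google.com/recaptcha/api' string, so whatever code picks between them is left as dead logic, and a protocol-relative URL still lets a page served over plain HTTP load the reCaptcha script over HTTP. Suggest pinning 'https://www.google.com/recaptcha/api' explicitly and removing the second property together with the selection branch. If either property is also used to build a server-side request, a scheme-less value will not work there, so check every use before merging. The "// class constants :(" comment could be resolved in the same change by turning the value into a class constant.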
      
      

       

      Also noted in this comment.
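
The scheme-detection failure described in this report, as an added example that is not phpBB's code: a backend behind a TLS-terminating proxy can recover the client-facing scheme from X-Forwarded-Proto, but should accept that header only from the proxy's own address. The function name request_is_secure(), the $trusted_proxies list and the sample addresses are assumptions made for illustration (PHP 7 or later).

```php
<?php
// Added example, not phpBB code. request_is_secure() and $trusted_proxies
// are hypothetical names; the addresses below are constructed samples.

function request_is_secure(array $server, array $trusted_proxies): bool
{
    // TLS terminated by this web server itself.
    $https = strtolower($server['HTTPS'] ?? '');
    if ($https !== '' && $https !== 'off') {
        return true;
    }

    // Behind a TLS-terminating proxy the backend only sees plain HTTP.
    // Accept the forwarded scheme only from a proxy we operate, because
    // any client can send its own X-Forwarded-Proto header.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted_proxies, true)) {
        return false;
    }

    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https';
}

$trusted_proxies = ['127.0.0.1']; // assumption: nginx runs on the same host

// Constructed $_SERVER-style samples.
$cases = [
    'direct TLS'                 => ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.7'],
    'proxy, header set'          => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'proxy, header missing'      => ['REMOTE_ADDR' => '127.0.0.1'],
    'untrusted peer, forged hdr' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];

foreach ($cases as $label => $server) {
    $scheme = request_is_secure($server, $trusted_proxies) ? 'https' : 'http';
    printf("%-27s %s\n", $label, $scheme);
}
```

The "proxy, header missing" case reproduces the symptom in the report; on the nginx side the header is supplied with `proxy_set_header X-Forwarded-Proto $scheme;`.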

            People

            • Assignee:
              Unassigned
              Reporter:
              mrironside (Inactive)