  1. phpBB3
  2. PHPBB3-15426

Google reCaptcha URL wrong when behind an HTTPS proxy

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.2.1
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels:
    • Environment:
      nginx (doing TLS) proxying to Apache mod_php

      Description

      When running phpBB on Apache behind a proxy running HTTPS, Apache only sees the plain HTTP request from the proxy, so the $request->is_secure() in phpbb/captcha/plugins/recaptcha.php will return false, resulting in an http:// URL being returned for Google's reCaptcha when it should be https://. This causes reCaptcha to fail in browsers unless you click "Load unsafe scripts".

      This is easily fixed by just using // URLs instead of http:// or https://. The patch below certainly fixes the problem, but the logic for deciding which URL to serve could just be removed altogether:

      --- recaptcha.php.orig	2017-07-16 19:07:13.000000000 +0100
      +++ recaptcha.php	2017-10-29 21:02:52.105000506 +0000
      @@ -15,8 +15,8 @@
       
      class recaptcha extends captcha_abstract
      {
      -	var $recaptcha_server = 'http://www.google.com/recaptcha/api';
      -	var $recaptcha_server_secure = 'https://www.google.com/recaptcha/api'; // class constants :(
      +	var $recaptcha_server = '//www.google.com/recaptcha/api';
      +	var $recaptcha_server_secure = '//www.google.com/recaptcha/api'; // class constants :(
       
      var $response;
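
      Review bot: with both $recaptcha_server and $recaptcha_server_secure set to '//www.google.com/recaptcha/api', the script is still requested over plain HTTP whenever the board page itself is loaded over http://, because a scheme-relative URL inherits the scheme of the page. Setting both to 'https://www.google.com/recaptcha/api' would fix the proxy case the same way without depending on the page scheme or on is_secure() at all. The two properties are now identical, so they could be collapsed into one, and the trailing "class constants :(" comment only needs to stay on whichever line survives.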
      
      

       

      Also noted in this comment.
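
The scheme-detection problem described in this report, as an added example that is not phpBB code and not part of the original issue: a check that accepts the proxy's X-Forwarded-Proto header only when the connection comes from a known proxy address. The names request_is_secure() and TRUSTED_PROXIES are hypothetical, and it assumes nginx overwrites the header with `proxy_set_header X-Forwarded-Proto $scheme;` and runs on the same host as Apache.

```php
<?php
// Added example, not phpBB code. TRUSTED_PROXIES and request_is_secure()
// are hypothetical names introduced for illustration.

// Assumption: the TLS-terminating nginx runs on the same host as Apache.
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];

function request_is_secure(array $server): bool
{
    // TLS terminated by this web server itself.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }

    // Any client can send X-Forwarded-Proto, so only honour it when the
    // TCP peer is one of our own proxies.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return false;
    }

    // Assumption: the proxy overwrites the header instead of appending to it,
    // so the value is exactly "http" or "https".
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https';
}

// Constructed sample requests (addresses are documentation ranges).
$cases = [
    'direct TLS to Apache'        => ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.5'],
    'via nginx, client used TLS'  => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'via nginx, client used HTTP' => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'http'],
    'spoofed header, no proxy'    => ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'via nginx, header missing'   => ['REMOTE_ADDR' => '127.0.0.1'],
];

foreach ($cases as $name => $server) {
    printf("%-30s %s\n", $name, request_is_secure($server) ? 'secure' : 'not secure');
}
```

Only the first two constructed cases are reported as secure; the spoofed header from a non-proxy address is ignored.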

            People

            Assignee:
            Unassigned
            Reporter:
            mrironside (Inactive)