Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-15426

Google reCaptcha URL wrong when behind an HTTPS proxy

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • 3.2.1
    • None
    • Authentication
    • nginx (doing TLS) proxying to Apache mod_php

    Description

      When running phpBB on Apache behind a proxy running HTTPS, Apache only sees the plain HTTP request from the proxy so the $request->is_secure() in phpbb/captcha/plugins/recapatcha.php will return false resulting in an http:// URL being returned for Google's reCaptcha when it should be https:// This causes reCaptcha to fail in browsers unless you click "Load unsafe scripts".

      This is easily fixed by just using // URLs instead of http:// or https:// The patch below certainly fixes the problem but the logic for deciding which URL to serve could just be removed altogether:

      --- recaptcha.php.orig	2017-07-16 19:07:13.000000000 +0100
      +++ recaptcha.php	2017-10-29 21:02:52.105000506 +0000
      @@ -15,8 +15,8 @@
       
      class recaptcha extends captcha_abstract
      {
      -	var $recaptcha_server = 'http://www.google.com/recaptcha/api';
      -	var $recaptcha_server_secure = 'https://www.google.com/recaptcha/api'; // class constants :(
      +	var $recaptcha_server = '//www.google.com/recaptcha/api';
      +	var $recaptcha_server_secure = '//www.google.com/recaptcha/api'; // class constants :(
       
      var $response;
      
      

       

      Also noted in this comment.

      Attachments

        Activity

          People

            Unassigned Unassigned
            mrironside mrironside [X] (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: