r98461 MediaWiki - Code Review archive

Repository:MediaWiki
Date:21:31, 29 September 2011
Author:brion
Status:ok
Tags:
Comment:
* (bug 31252) ReCaptcha HTTPS support, avoids mixed-content security warnings

Patch from Alex Legler with a slight tweak for easier 1.17 compat (use $_SERVER['HTTPS'] directly as WebRequest::detectPort() isn't there yet)

Updates recaptchalib.php to current: version 1.11 from http://code.google.com/p/recaptcha/downloads/detail?name=recaptcha-php-1.11.zip&can=2&q=
Modified paths:
  • /trunk/extensions/ConfirmEdit/ReCaptcha.php (modified) (history)
  • /trunk/extensions/ConfirmEdit/recaptchalib.php (modified) (history)


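--- a/trunk/extensions/ConfirmEdit/ReCaptcha.php
+++ b/trunk/extensions/ConfirmEdit/ReCaptcha.php
@@ -63,8 +63,9 @@
 */
 function getForm() {
 global $wgReCaptchaPublicKey;
+$useHttps = ( isset( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] == 'on' );
 return "<script>var RecaptchaOptions = { tabindex : 1 }; </script> " .
-recaptcha_get_html($wgReCaptchaPublicKey, $this->recaptcha_error);
+recaptcha_get_html($wgReCaptchaPublicKey, $this->recaptcha_error, $useHttps);
 }
 
 /**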
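Review bot: The added `$useHttps` test in getForm() only recognises the literal value 'on', so a SAPI that reports a TLS connection as '1' (or any value other than 'on') still receives the http:// widget URL and the mixed-content warning this commit sets out to remove. The usual form is `$useHttps = ( !empty( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] !== 'off' );`, which also handles the IIS convention of setting the variable to 'off' on plain connections. Behind a TLS-terminating proxy `$_SERVER['HTTPS']` is typically absent altogether, so detection falls back to http there as well; since the commit message already frames this as a stopgap until WebRequest::detectPort() is available, that should be recorded on the line itself, e.g. `// FIXME: switch to WebRequest::detectPort() once 1.17 compatibility is dropped; proxied TLS is not detected here`.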
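--- a/trunk/extensions/ConfirmEdit/recaptchalib.php
+++ b/trunk/extensions/ConfirmEdit/recaptchalib.php
@@ -4,7 +4,7 @@
 * - Documentation and latest version
 * http://recaptcha.net/plugins/php/
 * - Get a reCAPTCHA API Key
-* http://recaptcha.net/api/getkey
+* https://www.google.com/recaptcha/admin/create
 * - Discussion group
 * http://groups.google.com/group/recaptcha
 *
@@ -35,11 +35,10 @@
 /**
 * The reCAPTCHA server URL's
 */
-$recaptcha_api_server = 'http://api.recaptcha.net';
-$recaptcha_api_secure_server = 'https://api-secure.recaptcha.net';
-$recaptcha_verify_server = 'api-verify.recaptcha.net';
+define("RECAPTCHA_API_SERVER", "http://www.google.com/recaptcha/api");
+define("RECAPTCHA_API_SECURE_SERVER", "https://www.google.com/recaptcha/api");
+define("RECAPTCHA_VERIFY_SERVER", "www.google.com");
 
-
 /**
 * Encodes the given data into a query string format
 * @param $data - array of string elements to be encoded
@@ -92,6 +91,8 @@
 return $response;
 }
 
+
+
 /**
 * Gets the challenge HTML (javascript and non-javascript version).
 * This is called from the browser, and the resulting reCAPTCHA HTML widget
@@ -104,17 +105,16 @@
 */
 function recaptcha_get_html ($pubkey, $error = null, $use_ssl = false)
 {
-global $recaptcha_api_server, $recaptcha_api_ssl_server;
-
 if ($pubkey == null || $pubkey == '') {
-die ("To use reCAPTCHA you must get an API key from <a href='http://recaptcha.net/api/getkey'>http://recaptcha.net/api/getkey</a>");
+die ("To use reCAPTCHA you must get an API key from <a href='https://www.google.com/recaptcha/admin/create'>https://www.google.com/recaptcha/admin/create</a>");
 }
-
+
 if ($use_ssl) {
-$server = $recaptcha_api_ssl_server;
+$server = RECAPTCHA_API_SECURE_SERVER;
 } else {
-$server = $recaptcha_api_server;
+$server = RECAPTCHA_API_SERVER;
 }
+
 $errorpart = "";
 if ($error) {
 $errorpart = "&amp;error=" . $error;
@@ -122,12 +122,15 @@
 return '<script type="text/javascript" src="'. $server . '/challenge?k=' . $pubkey . $errorpart . '"></script>
 
 <noscript>
-<iframe src="'. $server . '/noscript?k=' . $pubkey . $errorpart . '" height="300" width="500" frameborder="0"></iframe><br>
+<iframe src="'. $server . '/noscript?k=' . $pubkey . $errorpart . '" height="300" width="500" frameborder="0"></iframe><br/>
 <textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
-<input type="hidden" name="recaptcha_response_field" value="manual_challenge">
+<input type="hidden" name="recaptcha_response_field" value="manual_challenge"/>
 </noscript>';
 }
 
+
+
+
 /**
 * A ReCaptchaResponse is returned from recaptcha_check_answer()
 */
@@ -136,24 +139,28 @@
 var $error;
 }
 
+
 /**
 * Calls an HTTP POST function to verify if the user's guess was correct
 * @param string $privkey
 * @param string $remoteip
 * @param string $challenge
 * @param string $response
+* @param array $extra_params an array of extra variables to post to the server
 * @return ReCaptchaResponse
 */
-function recaptcha_check_answer ($privkey, $remoteip, $challenge, $response)
+function recaptcha_check_answer ($privkey, $remoteip, $challenge, $response, $extra_params = array())
 {
 if ($privkey == null || $privkey == '') {
-die ("To use reCAPTCHA you must get an API key from <a href='http://recaptcha.net/api/getkey'>http://recaptcha.net/api/getkey</a>");
+die ("To use reCAPTCHA you must get an API key from <a href='https://www.google.com/recaptcha/admin/create'>https://www.google.com/recaptcha/admin/create</a>");
 }
 
 if ($remoteip == null || $remoteip == '') {
 die ("For security reasons, you must pass the remote ip to reCAPTCHA");
 }
 
+
+
 //discard spam submissions
 if ($challenge == null || strlen($challenge) == 0 || $response == null || strlen($response) == 0) {
 $recaptcha_response = new ReCaptchaResponse();
@@ -162,14 +169,13 @@
 return $recaptcha_response;
 }
 
-global $recaptcha_verify_server;
-$response = _recaptcha_http_post ($recaptcha_verify_server, "/verify",
+$response = _recaptcha_http_post (RECAPTCHA_VERIFY_SERVER, "/recaptcha/api/verify",
 array (
 'privatekey' => $privkey,
 'remoteip' => $remoteip,
 'challenge' => $challenge,
 'response' => $response
-)
+) + $extra_params
 );
 
 $answers = explode ("\n", $response [1]);
@@ -194,18 +200,24 @@
 * @param string $appname The name of your application
 */
 function recaptcha_get_signup_url ($domain = null, $appname = null) {
-return "http://recaptcha.net/api/getkey?" . _recaptcha_qsencode (array ('domain' => $domain, 'app' => $appname));
+return "https://www.google.com/recaptcha/admin/create?" . _recaptcha_qsencode (array ('domains' => $domain, 'app' => $appname));
 }
 
+function _recaptcha_aes_pad($val) {
+$block_size = 16;
+$numpad = $block_size - (strlen ($val) % $block_size);
+return str_pad($val, strlen ($val) + $numpad, chr($numpad));
+}
+
 /* Mailhide related code */
 
 function _recaptcha_aes_encrypt($val,$ky) {
 if (! function_exists ("mcrypt_encrypt")) {
 die ("To use reCAPTCHA Mailhide, you need to have the mcrypt php module installed.");
 }
-$mode=MCRYPT_MODE_CBC;
+$mode=MCRYPT_MODE_CBC;
 $enc=MCRYPT_RIJNDAEL_128;
-$val=str_pad($val, (16*(floor(strlen($val) / 16)+(strlen($val) % 16==0?2:1))), chr(16-(strlen($val) % 16)));
+$val=_recaptcha_aes_pad($val);
 return mcrypt_encrypt($enc, $ky, $val, $mode, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
 }
 
@@ -218,13 +230,14 @@
 function recaptcha_mailhide_url($pubkey, $privkey, $email) {
 if ($pubkey == '' || $pubkey == null || $privkey == "" || $privkey == null) {
 die ("To use reCAPTCHA Mailhide, you have to sign up for a public and private key, " .
-"you can do so at <a href='http://mailhide.recaptcha.net/apikey'>http://mailhide.recaptcha.net/apikey</a>");
+"you can do so at <a href='http://www.google.com/recaptcha/mailhide/apikey'>http://www.google.com/recaptcha/mailhide/apikey</a>");
 }
+
 
 $ky = pack('H*', $privkey);
 $cryptmail = _recaptcha_aes_encrypt ($email, $ky);
-
-return "http://mailhide.recaptcha.net/d?k=" . $pubkey . "&c=" . _recaptcha_mailhide_urlbase64 ($cryptmail);
+
+return "http://www.google.com/recaptcha/mailhide/d?k=" . $pubkey . "&c=" . _recaptcha_mailhide_urlbase64 ($cryptmail);
 }
 
 /**
@@ -237,7 +250,7 @@
 
 if (strlen ($arr[0]) <= 4) {
 $arr[0] = substr ($arr[0], 0, 1);
-} elseif (strlen ($arr[0]) <= 6) {
+} else if (strlen ($arr[0]) <= 6) {
 $arr[0] = substr ($arr[0], 0, 3);
 } else {
 $arr[0] = substr ($arr[0], 0, 4);
@@ -249,14 +262,16 @@
 * Gets html to display an email address given a public an private key.
 * to get a key, go to:
 *
-* http://mailhide.recaptcha.net/apikey
+* http://www.google.com/recaptcha/mailhide/apikey
 */
 function recaptcha_mailhide_html($pubkey, $privkey, $email) {
 $emailparts = _recaptcha_mailhide_email_parts ($email);
 $url = recaptcha_mailhide_url ($pubkey, $privkey, $email);
-
+
 return htmlentities($emailparts[0]) . "<a href='" . htmlentities ($url) .
 "' onclick=\"window.open('" . htmlentities ($url) . "', '', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=300'); return false;\" title=\"Reveal this e-mail address\">...</a>@" . htmlentities ($emailparts [1]);
 
 }
 
+
+?>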
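Review bot: The closing `?>` added as the last line of recaptchalib.php should be dropped: in a PHP-only file any whitespace that follows it is emitted as output, which breaks later header() and session-cookie calls before the CAPTCHA form is rendered. In the verify hunk (@@ -162,14 +169,13 @@) RECAPTCHA_VERIFY_SERVER is a bare hostname handed to _recaptcha_http_post(), whose body is outside this diff; if that helper still opens a plain TCP socket, the private key and the user's IP are posted in clear text, so the HTTPS support in this commit would cover only the browser-facing widget and the define deserves a note such as `// NOTE(review): confirm whether _recaptcha_http_post() uses TLS; the private key is posted to this host`. In the same hunk the `$response` parameter is reused to hold the HTTP result, which is legal but makes the preceding `'response' => $response` read as if it were the reply; a separate local such as `$http_response` would remove the ambiguity.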

Follow-up revisions

RevisionCommit summaryAuthorDate
r98465MFT r98461: ReCaptcha HTTPS compat (bug 31252)brion21:37, 29 September 2011
