r98465 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r98464‎ \| r98465 \| r98466 >
Date:	21:37, 29 September 2011
Author:	brion
Status:	ok
Tags:
Comment:	MFT r98461: ReCaptcha HTTPS compat (bug 31252)
Modified paths:	/branches/REL1_18/extensions/ConfirmEdit/ReCaptcha.php (modified) (history) /branches/REL1_18/extensions/ConfirmEdit/recaptchalib.php (modified) (history)

Diff [purge]

Index: branches/REL1_18/extensions/ConfirmEdit/ReCaptcha.php
—	—	@@ -63,8 +63,9 @@
64	64	*/
65	65	function getForm() {
66	66	global $wgReCaptchaPublicKey;
	67	+ $useHttps = ( isset( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] == 'on' );
67	68	return "<script>var RecaptchaOptions = { tabindex : 1 }; </script> " .
68		~~- recaptcha_get_html($wgReCaptchaPublicKey, $this->recaptcha_error);~~
	69	+ recaptcha_get_html($wgReCaptchaPublicKey, $this->recaptcha_error, $useHttps);
69	70	}
70	71
71	72	/**
Index: branches/REL1_18/extensions/ConfirmEdit/recaptchalib.php
—	—	@@ -4,7 +4,7 @@
5	5	* - Documentation and latest version
6	6	* http://recaptcha.net/plugins/php/
7	7	* - Get a reCAPTCHA API Key
8		~~- * http://recaptcha.net/api/getkey~~
	8	+ * https://www.google.com/recaptcha/admin/create
9	9	* - Discussion group
10	10	* http://groups.google.com/group/recaptcha
11	11	*
—	—	@@ -35,11 +35,10 @@
36	36	/**
37	37	* The reCAPTCHA server URL's
38	38	*/
39		~~-$recaptcha_api_server = 'http://api.recaptcha.net';~~
40		~~-$recaptcha_api_secure_server = 'https://api-secure.recaptcha.net';~~
41		~~-$recaptcha_verify_server = 'api-verify.recaptcha.net';~~
	39	+define("RECAPTCHA_API_SERVER", "http://www.google.com/recaptcha/api");
	40	+define("RECAPTCHA_API_SECURE_SERVER", "https://www.google.com/recaptcha/api");
	41	+define("RECAPTCHA_VERIFY_SERVER", "www.google.com");
42	42
43		-
44	43	/**
45	44	* Encodes the given data into a query string format
46	45	* @param $data - array of string elements to be encoded
—	—	@@ -92,6 +91,8 @@
93	92	return $response;
94	93	}
95	94
	95	+
	96	+
96	97	/**
97	98	* Gets the challenge HTML (javascript and non-javascript version).
98	99	* This is called from the browser, and the resulting reCAPTCHA HTML widget
—	—	@@ -104,17 +105,16 @@
105	106	*/
106	107	function recaptcha_get_html ($pubkey, $error = null, $use_ssl = false)
107	108	{
108		~~- global $recaptcha_api_server, $recaptcha_api_ssl_server;~~
109		-
110	109	if ($pubkey == null \|\| $pubkey == '') {
111		~~- die ("To use reCAPTCHA you must get an API key from <a href='http://recaptcha.net/api/getkey'>http://recaptcha.net/api/getkey</a>");~~
	110	+ die ("To use reCAPTCHA you must get an API key from <a href='https://www.google.com/recaptcha/admin/create'>https://www.google.com/recaptcha/admin/create</a>");
112	111	}
113		-
	112	+
114	113	if ($use_ssl) {
115		~~- $server = $recaptcha_api_ssl_server;~~
	114	+ $server = RECAPTCHA_API_SECURE_SERVER;
116	115	} else {
117		~~- $server = $recaptcha_api_server;~~
	116	+ $server = RECAPTCHA_API_SERVER;
118	117	}
	118	+
119	119	$errorpart = "";
120	120	if ($error) {
121	121	$errorpart = "&error=" . $error;
—	—	@@ -122,12 +122,15 @@
123	123	return '<script type="text/javascript" src="'. $server . '/challenge?k=' . $pubkey . $errorpart . '"></script>
124	124
125	125	<noscript>
126		~~- <iframe src="'. $server . '/noscript?k=' . $pubkey . $errorpart . '" height="300" width="500" frameborder="0"></iframe><br>~~
	126	+ <iframe src="'. $server . '/noscript?k=' . $pubkey . $errorpart . '" height="300" width="500" frameborder="0"></iframe><br/>
127	127	<textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
128		~~- <input type="hidden" name="recaptcha_response_field" value="manual_challenge">~~
	128	+ <input type="hidden" name="recaptcha_response_field" value="manual_challenge"/>
129	129	</noscript>';
130	130	}
131	131
	132	+
	133	+
	134	+
132	135	/**
133	136	* A ReCaptchaResponse is returned from recaptcha_check_answer()
134	137	*/
—	—	@@ -136,24 +139,28 @@
137	140	var $error;
138	141	}
139	142
	143	+
140	144	/**
141	145	* Calls an HTTP POST function to verify if the user's guess was correct
142	146	* @param string $privkey
143	147	* @param string $remoteip
144	148	* @param string $challenge
145	149	* @param string $response
	150	+ * @param array $extra_params an array of extra variables to post to the server
146	151	* @return ReCaptchaResponse
147	152	*/
148		~~-function recaptcha_check_answer ($privkey, $remoteip, $challenge, $response)~~
	153	+function recaptcha_check_answer ($privkey, $remoteip, $challenge, $response, $extra_params = array())
149	154	{
150	155	if ($privkey == null \|\| $privkey == '') {
151		~~- die ("To use reCAPTCHA you must get an API key from <a href='http://recaptcha.net/api/getkey'>http://recaptcha.net/api/getkey</a>");~~
	156	+ die ("To use reCAPTCHA you must get an API key from <a href='https://www.google.com/recaptcha/admin/create'>https://www.google.com/recaptcha/admin/create</a>");
152	157	}
153	158
154	159	if ($remoteip == null \|\| $remoteip == '') {
155	160	die ("For security reasons, you must pass the remote ip to reCAPTCHA");
156	161	}
157	162
	163	+
	164	+
158	165	//discard spam submissions
159	166	if ($challenge == null \|\| strlen($challenge) == 0 \|\| $response == null \|\| strlen($response) == 0) {
160	167	$recaptcha_response = new ReCaptchaResponse();
—	—	@@ -162,14 +169,13 @@
163	170	return $recaptcha_response;
164	171	}
165	172
166		~~- global $recaptcha_verify_server;~~
167		~~- $response = _recaptcha_http_post ($recaptcha_verify_server, "/verify",~~
	173	+ $response = _recaptcha_http_post (RECAPTCHA_VERIFY_SERVER, "/recaptcha/api/verify",
168	174	array (
169	175	'privatekey' => $privkey,
170	176	'remoteip' => $remoteip,
171	177	'challenge' => $challenge,
172	178	'response' => $response
173		~~- )~~
	179	+ ) + $extra_params
174	180	);
175	181
176	182	$answers = explode ("\n", $response [1]);
—	—	@@ -194,18 +200,24 @@
195	201	* @param string $appname The name of your application
196	202	*/
197	203	function recaptcha_get_signup_url ($domain = null, $appname = null) {
198		~~- return "http://recaptcha.net/api/getkey?" . _recaptcha_qsencode (array ('domain' => $domain, 'app' => $appname));~~
	204	+ return "https://www.google.com/recaptcha/admin/create?" . _recaptcha_qsencode (array ('domains' => $domain, 'app' => $appname));
199	205	}
200	206
	207	+function _recaptcha_aes_pad($val) {
	208	+ $block_size = 16;
	209	+ $numpad = $block_size - (strlen ($val) % $block_size);
	210	+ return str_pad($val, strlen ($val) + $numpad, chr($numpad));
	211	+}
	212	+
201	213	/* Mailhide related code */
202	214
203	215	function _recaptcha_aes_encrypt($val,$ky) {
204	216	if (! function_exists ("mcrypt_encrypt")) {
205	217	die ("To use reCAPTCHA Mailhide, you need to have the mcrypt php module installed.");
206	218	}
207		~~- $mode=MCRYPT_MODE_CBC;~~
	219	+ $mode=MCRYPT_MODE_CBC;
208	220	$enc=MCRYPT_RIJNDAEL_128;
209		~~- $val=str_pad($val, (16*(floor(strlen($val) / 16)+(strlen($val) % 16==0?2:1))), chr(16-(strlen($val) % 16)));~~
	221	+ $val=_recaptcha_aes_pad($val);
210	222	return mcrypt_encrypt($enc, $ky, $val, $mode, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
211	223	}
212	224
—	—	@@ -218,13 +230,14 @@
219	231	function recaptcha_mailhide_url($pubkey, $privkey, $email) {
220	232	if ($pubkey == '' \|\| $pubkey == null \|\| $privkey == "" \|\| $privkey == null) {
221	233	die ("To use reCAPTCHA Mailhide, you have to sign up for a public and private key, " .
222		~~- "you can do so at <a href='http://mailhide.recaptcha.net/apikey'>http://mailhide.recaptcha.net/apikey</a>");~~
	234	+ "you can do so at <a href='http://www.google.com/recaptcha/mailhide/apikey'>http://www.google.com/recaptcha/mailhide/apikey</a>");
223	235	}
	236	+
224	237
225	238	$ky = pack('H*', $privkey);
226	239	$cryptmail = _recaptcha_aes_encrypt ($email, $ky);
227		-
228		~~- return "http://mailhide.recaptcha.net/d?k=" . $pubkey . "&c=" . _recaptcha_mailhide_urlbase64 ($cryptmail);~~
	240	+
	241	+ return "http://www.google.com/recaptcha/mailhide/d?k=" . $pubkey . "&c=" . _recaptcha_mailhide_urlbase64 ($cryptmail);
229	242	}
230	243
231	244	/**
—	—	@@ -237,7 +250,7 @@
238	251
239	252	if (strlen ($arr[0]) <= 4) {
240	253	$arr[0] = substr ($arr[0], 0, 1);
241		~~- } elseif (strlen ($arr[0]) <= 6) {~~
	254	+ } else if (strlen ($arr[0]) <= 6) {
242	255	$arr[0] = substr ($arr[0], 0, 3);
243	256	} else {
244	257	$arr[0] = substr ($arr[0], 0, 4);
—	—	@@ -249,14 +262,16 @@
250	263	* Gets html to display an email address given a public an private key.
251	264	* to get a key, go to:
252	265	*
253		~~- * http://mailhide.recaptcha.net/apikey~~
	266	+ * http://www.google.com/recaptcha/mailhide/apikey
254	267	*/
255	268	function recaptcha_mailhide_html($pubkey, $privkey, $email) {
256	269	$emailparts = _recaptcha_mailhide_email_parts ($email);
257	270	$url = recaptcha_mailhide_url ($pubkey, $privkey, $email);
258		-
	271	+
259	272	return htmlentities($emailparts[0]) . "<a href='" . htmlentities ($url) .
260	273	"' onclick=\"window.open('" . htmlentities ($url) . "', '', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=300'); return false;\" title=\"Reveal this e-mail address\">...</a>@" . htmlentities ($emailparts [1]);
261	274
262	275	}
263	276
	277	+
	278	+?>

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r98461	* (bug 31252) ReCaptcha HTTPS support, avoids mixed-content security warnings...	brion	21:31, 29 September 2011

Status & tagging log

01:33, 22 October 2011 Reedy (talk | contribs) changed the status of r98465 [removed: new added: ok]