
ConfirmEdit RecaptchaNoCaptcha Needs POST not GET
Closed, Resolved · Public

Description

Using MediaWiki v. 1.32.4. Enabled the RecaptchaNoCaptcha (from the ConfirmEdit extension) Captcha type in LocalSettings.php.

In the Google reCAPTCHA account, it says

We detected that your site is not verifying reCAPTCHA solutions. This is required for the proper use of reCAPTCHA on your site. Please see our developer site for more information.

It pointed me to this page: https://developers.google.com/recaptcha/docs/verify#api-request

From there, I found that the API request method was set to GET instead of POST. I found two files where this was set to GET:
/ConfirmEdit/ReCaptchaNoCaptcha/includes/ReCaptchaNoCaptcha.php (line 113)
/ConfirmEdit/ReCaptchaNoCaptcha/ReCaptchaNoCaptcha.class.php (line 111)

Also, not sure if this is related, but new users can't seem to create accounts. I'm getting this error message when trying to sign up for our MediaWiki account:

There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Please resubmit the form.

Resubmitting the form returns the same message. Also, not sure if this is preventing existing users from logging in.
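The request shape the description is asking for, as an added example that is not part of the original task or of ConfirmEdit's code: the siteverify call sent as a form-encoded POST, which keeps the secret out of the request URL, followed by a check that fails closed. The function names and the injected transport are hypothetical, and the replies are constructed so the block runs offline.

```php
<?php
// Added example, not ConfirmEdit's code; function names are hypothetical.
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Secret and token go in a form-encoded POST body; the URL carries no query string.
function buildSiteverifyRequest(string $secret, string $token, ?string $remoteIp = null): array {
    $fields = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null) {
        $fields['remoteip'] = $remoteIp; // optional in the siteverify API
    }
    return [
        'url' => SITEVERIFY_URL,
        'method' => 'POST',
        'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($fields),
    ];
}

// Default transport using PHP's http stream wrapper; returns null on failure.
function sendRequest(array $req): ?string {
    $ctx = stream_context_create(['http' => [
        'method' => $req['method'], 'header' => $req['header'],
        'content' => $req['content'], 'timeout' => 10,
    ]]);
    $raw = @file_get_contents($req['url'], false, $ctx);
    return $raw === false ? null : $raw;
}

// Fail closed: only a JSON reply with "success": true counts as verified.
function verifyCaptcha(string $secret, string $token, ?callable $transport = null): array {
    $raw = ($transport ?? 'sendRequest')(buildSiteverifyRequest($secret, $token));
    $reply = is_string($raw) ? json_decode($raw, true) : null;
    if (!is_array($reply) || ($reply['success'] ?? false) !== true) {
        return ['ok' => false, 'errors' => $reply['error-codes'] ?? ['no-valid-reply']];
    }
    return ['ok' => true, 'errors' => []];
}

// Constructed transport standing in for Google's endpoint so the demo runs offline.
$seen = null;
$fake = function (array $req) use (&$seen): string {
    $seen = $req;
    return $req['content'] === 'secret=TEST_SECRET&response=good-token'
        ? '{"success": true}'
        : '{"success": false, "error-codes": ["invalid-input-response"]}';
};
var_dump(verifyCaptcha('TEST_SECRET', 'good-token', $fake)['ok']);
var_dump(verifyCaptcha('TEST_SECRET', 'bad-token', $fake)['ok']);
var_dump($seen['method'], strpos($seen['url'], 'TEST_SECRET') === false);
```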

Event Timeline

Restricted Application added a subscriber: Aklapper. · Oct 23 2020, 6:25 PM
Valery_frick updated the task description. · Oct 23 2020, 6:39 PM

Change 636149 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/ConfirmEdit@master] ReCaptchaNoCaptcha: Use POST to siteverify

https://gerrit.wikimedia.org/r/636149

Reedy added a subscriber: Reedy. · Oct 24 2020, 11:30 PM

Just as a heads up, you're using an unsupported version of MediaWiki. 1.32 went "end of life" in January 2020, as per https://www.mediawiki.org/wiki/Version_lifecycle and https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-January/000245.html

> From there, I found that the API request method was set to GET instead of POST. I found two files where this was set to GET:
> /ConfirmEdit/ReCaptchaNoCaptcha/includes/ReCaptchaNoCaptcha.php (line 113)
> /ConfirmEdit/ReCaptchaNoCaptcha/ReCaptchaNoCaptcha.class.php (line 111)

It sounds like you've got old unused files lying around. The second file won't be used anymore after rECOE5b7a36a52124: Clean up some phpcs problems.

Change 635983 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/ConfirmEdit@REL1_35] ReCaptchaNoCaptcha: Use POST to siteverify

https://gerrit.wikimedia.org/r/635983

Change 635984 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/ConfirmEdit@REL1_31] ReCaptchaNoCaptcha: Use POST to siteverify

https://gerrit.wikimedia.org/r/635984

Change 635984 merged by jenkins-bot:
[mediawiki/extensions/ConfirmEdit@REL1_31] ReCaptchaNoCaptcha: Use POST to siteverify

https://gerrit.wikimedia.org/r/635984

Change 635983 merged by jenkins-bot:
[mediawiki/extensions/ConfirmEdit@REL1_35] ReCaptchaNoCaptcha: Use POST to siteverify

https://gerrit.wikimedia.org/r/635983

Change 636149 merged by jenkins-bot:
[mediawiki/extensions/ConfirmEdit@master] ReCaptchaNoCaptcha: Use POST to siteverify

https://gerrit.wikimedia.org/r/636149

Reedy closed this task as Resolved. · Oct 28 2020, 11:04 PM
Reedy claimed this task.