Page MenuHomePhabricator
Create Task
Maniphest T403326

hCaptcha: Do not display internal server error but add to Logstash
Open, MediumPublic
Actions

Description

Summary

The goal for is to avoid returning any sensitive server error when an unexpected error happens while interacting with hCaptcha server.

Background

Currently, when an error happen while interacting with hCaptcha server, we catch it and display it as a raw error message. These errors are not translated, do not provide much benefit to the user as those errors are mostly aimed at a developer audience, and could often disclose sensitive technical information such as the expiration of sitekey or any unwanted other details.

Technical notes

It would be safer to display an existing i18n message (eg: hcaptcha-load-error ) rather than the raw error message from hCaptcha server as we currently do in includes/hCaptcha/HCaptcha.php#198

Acceptance criteria

  • Replace internal server error with generic, translated message
  • Log the actual error from hCaptcha into logstash

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
[WIP] hCaptcha: Don't output internal server errormediawiki/extensions/ConfirmEditmaster+107 -4
Customize query in gerrit

Event Timeline

sguebo_WMF created this task.Aug 30 2025, 5:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 30 2025, 5:07 PM
sguebo_WMF triaged this task as Medium priority.Aug 30 2025, 5:08 PM
sguebo_WMF added a project: WE4.2 Bot detection (WE4.2 hCaptcha account creation trial).
sguebo_WMF updated the task description. (Show Details)
sguebo_WMF renamed this task from hCaptcha: Do not display server error but log it to hCaptcha: Do not display internal server error but add to Logstash.Aug 30 2025, 5:13 PM
sguebo_WMF updated the task description. (Show Details)
Novem_Linguae subscribed.Aug 31 2025, 1:07 AM
kostajh added a project: ConfirmEdit (CAPTCHA extension).Sep 1 2025, 10:47 AM
gerritbot added a comment.Sep 3 2025, 11:50 PM

Change #1184609 had a related patch set uploaded (by Samuel (WMF); author: Samuel (WMF)):

[mediawiki/extensions/ConfirmEdit@master] [WIP] hCaptcha: Don't output internal server error

https://gerrit.wikimedia.org/r/1184609

gerritbot added a project: Patch-For-Review.Sep 3 2025, 11:50 PM
gerritbot added a comment.Sep 27 2025, 3:48 AM

Change #1184609 abandoned by Samuel (WMF):

[mediawiki/extensions/ConfirmEdit@master] [WIP] hCaptcha: Don't output internal server error

https://gerrit.wikimedia.org/r/1184609

Maintenance_bot removed a project: Patch-For-Review.Sep 27 2025, 4:31 AM
sguebo_WMF removed sguebo_WMF as the assignee of this task.Sat, Jan 24, 4:43 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits