Issues

ZF-8721: Zend_Service_ReCaptcha_Response breaks reCaptcha API doc recommendation

Issue Type: Bug Created: 2010-01-06T03:15:05.000+0000 Last Updated: 2012-11-28T12:00:09.000+0000 Status: Resolved Fix version(s): - 1.12.1 (18/Dec/12)

Reporter: Corentin Larose (zend@aquaprod.fr) Assignee: Christer Edvartsen (cogo) Tags: - Zend_Service_ReCaptcha

Related issues: Attachments:

Description

Quote from the reCaptcha API documentation: "The response from verify is a series of strings separated by \n. To read the string, split the line and read each field. New lines may be added in the future. Implementations should ignore these lines"

Zend_Service_ReCaptcha_Response::setFromHttpResponse() breaks this recommendation by strictly testing the line number of the response:

if (count($parts) !== 2) { $status = 'false'; $errorCode = ''; } else { list($status, $errorCode) = $parts; }

instead of testing it with an inequality, thus, test should be:

if (count($parts) < 2) { // modified line $status = 'false'; $errorCode = ''; } else { list($status, $errorCode) = $parts; }

Regards,

Corentin Larose

Comments

Posted by Corentin Larose (zend@aquaprod.fr) on 2010-01-06T03:16:41.000+0000

I finally thing that this issue should be a minor bug.

Posted by Jon Nott (jonnott) on 2011-12-14T10:19:01.000+0000

Additionally, exceptions are thrown if either the challenge or response fields are empty, in the following method:

protected function _post($challengeField, $responseField)

..but this means an exception occurs in you present a captcha to the user but they enter nothing. Surely the way ReCaptcha is intended to work would include an empty (response) field as simply another permutation of an incorrect response.

e.g. if a user doesn't enter a response at all, they'd expect to see the normal 'Incorrect. Try again.' message when the ReCaptcha is re-displayed. With these exceptions being thrown, the only way to recreate the intended behaviour (using Zend_Service_ReCaptcha in a stand-alone sense here) would be to catch these exceptions, and then in the catch block simulate the outcome by manually setting the appropriate error code.

I suggest these exceptions for 'missing' challenge/response fields are not needed, and contradict the expected behaviour of ReCaptcha..

Posted by Christer Edvartsen (cogo) on 2012-11-28T10:58:25.000+0000

[~jonnott]: I agree. I don't think the exceptions should be thrown when the challenge and/or response is missing. I can fix this but need to make sure the core guys think it's OK.

I will anyways fix the issue above.

Posted by Christer Edvartsen (cogo) on 2012-11-28T11:07:10.000+0000

[~jonnott] Could you create a separate issue on this tracker with what you mentioned, and assign it to me? This current issue will be closed soon.

Posted by Christer Edvartsen (cogo) on 2012-11-28T11:20:46.000+0000

Fixed in http://framework.zend.com/code/revision.php/…

Posted by Christer Edvartsen (cogo) on 2012-11-28T12:00:09.000+0000

Fixed in http://framework.zend.com/code/revision.php/…

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts