
This queue is for tickets about the Captcha-reCAPTCHA CPAN distribution.

Report information
The Basics
Id: 117852
Status: resolved
Priority: 0/
Queue: Captcha-reCAPTCHA

People
Owner: SUNNYP [...] cpan.org
Requestors: ppisar [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 0.98
Fixed in: (no value)



Subject: check_answer_v2() does not check host name in a certificate
The check_answer_v2() method resets the PERL_LWP_SSL_VERIFY_HOSTNAME variable to 0. This effectively disables the host name check and undermines TLS security. I think the line should be removed and it should be left to the user's decision whether he wants to disable security. Default behavior should be secure.
From: ppisar [...] redhat.com
See the attached patch.
Subject: Captcha-reCAPTCHA-0.98-Do-not-disable-host-name-verification.patch
From 1f19166dc41c979fb7336d1f365c4b2c7a4764f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Thu, 15 Sep 2016 08:45:08 +0200 Subject: [PATCH] Do not disable host name verification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch stops disabling LWP SSL host name verification. CPAN RT#117852 Signed-off-by: Petr Písař <ppisar@redhat.com> --- lib/Captcha/reCAPTCHA.pm | 3 --- 1 file changed, 3 deletions(-) diff --git a/lib/Captcha/reCAPTCHA.pm b/lib/Captcha/reCAPTCHA.pm index 3169295..7229538 100644 --- a/lib/Captcha/reCAPTCHA.pm +++ b/lib/Captcha/reCAPTCHA.pm @@ -431,9 +431,6 @@ sub check_answer_v2 { croak "To check answer, the user response token must be provided" unless $response; - # For sites that don't use SSL - $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0; - my $request = { secret => $privkey, response => $response, -- 2.7.4
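Review bot: The deletion in check_answer_v2 is undocumented. The patch touches only lib/Captcha/reCAPTCHA.pm, so nothing tells callers that host name verification is no longer switched off for them. The removed `$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;` wrote to the process-wide %ENV, so its effect reached any LWP::UserAgent created afterwards in the same process that relies on the environment default, not only the reCAPTCHA request. Please add a Changes entry and a POD note stating that verification now follows LWP's default and that a caller who needs different behaviour must configure it explicitly. A regression test asserting that check_answer_v2 leaves `$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}` untouched would keep the assignment from being reintroduced.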
OK. This will be fixed in version 0.99.