$_SERVER['REMOTE_ADDR'] incorrectly used when performing validation [#764796]

The reCAPTCHA module uses $_SERVER['REMOTE_ADDR'] when performing the validation. It should instead use $user->hostname, which is the IP address of the client. This makes reCAPTCHA compatible with reverse proxies. Patch attached.

Comment	File	Size	Author
	recaptcha.module.patch	754 bytes	Nathan Goulding

Comments

Comment #1

Nathan Goulding commented 7 April 2010 at 20:49

Perhaps even better would be to use the function ip_address() instead which respects the X-Forwarded-For header and reverse-proxy settings.

Comment #2

Nathan Goulding commented 8 September 2010 at 14:28

Can this patch get applied please? This is a bug. I'm using a reverse proxy and reCAPTCHA doesn't work using $_SERVER['REMOTE_ADDR'].

Comment #3

robloach

he/him

commented 4 May 2011 at 16:44

Status:

Needs review

» Fixed

Thanks a lot for the patch, I've committed it to both Drupal 6 and 7 and it will be part of version 1.7:
http://drupalcode.org/project/recaptcha.git/commit/a602875
http://drupalcode.org/project/recaptcha.git/commit/81243b7

Comment #4

18 May 2011 at 16:51

Status:

Fixed

» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

$_SERVER['REMOTE_ADDR'] incorrectly used when performing validation

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Referenced by

News items

Our community

Documentation

Drupal code base

Governance of community