
PHP cURL Google reCaptcha2 Header Injection

I have some trouble with cURL and Google reCaptcha2 to avoid "Robot" & "Spammer" auto-regs.

So I chose Google's reCaptcha2 to check the users on the WWW site.

The Problem:

After checking the code, I found there is a header injection in 'curl_setopt_array' via '$curlConfig'.

My server-side reCaptcha uses cURL because PHP's file_get_contents is blocked by the PHP config.

My reCaptcha code:

    if (isset($_POST['g-recaptcha-response'])) {
        // Token submitted by the reCAPTCHA widget in the browser
        $captcha = $_POST['g-recaptcha-response'];
        $privatekey = '######### Priv Key ###############';
        $url = 'https://www.google.com/recaptcha/api/siteverify';
        $data = array(
            'secret' => $privatekey,
            'response' => $captcha,
            'remoteip' => $_SERVER['REMOTE_ADDR']
        );

        // POST the fields to the siteverify endpoint and capture the body
        $curlConfig = array(
            CURLOPT_URL => $url,
            CURLOPT_POST => true,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_POSTFIELDS => $data
        );

        $ch = curl_init();
        curl_setopt_array($ch, $curlConfig);
        $response = curl_exec($ch);
        curl_close($ch);
    }

So, as a result, we decode the data back from the JSON string:

    $jsonResponse = json_decode($response);
    if ($jsonResponse->success == "true") {
        // Good
    } else {
        // Exit, not good!
    }

The injection? Data = array? $Serve?

Thanks for the help.

I don't see any code injection vulnerabilities here, but you don't show us how you handle the event of no g-recaptcha-response being in the POST request at all. Most likely, you don't handle that event, and all a hacker needs to do, to get past your captcha, is to not send the g-recaptcha-response field at all. Instead of if (isset($_POST['g-recaptcha-response'])), do something like

    if (empty($_POST['g-recaptcha-response'])) {
        http_response_code(400);
        die('no captcha answer provided!');
    }
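A fail-closed version of the check discussed in the question and answer, as an added example that is not the poster's or the answerer's code. The function names `curlPost` and `captchaPassed`, the timeout, and the constructed responses at the bottom are assumptions; the transport is passed in as a callable so the decision logic can be run offline.

```php
<?php
// Added example; function names and sample data are hypothetical.

// Transport: POST a urlencoded body to the siteverify endpoint.
function curlPost(string $url, array $fields): ?string
{
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        // A string body is sent as application/x-www-form-urlencoded with
        // every value percent-encoded; an array would go out as multipart.
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_TIMEOUT        => 5, // assumed value
    ]);
    $body = curl_exec($ch);
    return is_string($body) ? $body : null; // false on transport error
}

// Decision: anything that is not an explicit success counts as a failure.
function captchaPassed(array $post, string $secret, string $ip, callable $httpPost): bool
{
    $token = $post['g-recaptcha-response'] ?? null;
    if (!is_string($token) || $token === '') {
        return false; // field missing, empty, or submitted as an array
    }
    $body = $httpPost(
        'https://www.google.com/recaptcha/api/siteverify',
        ['secret' => $secret, 'response' => $token, 'remoteip' => $ip]
    );
    $json = is_string($body) ? json_decode($body) : null;
    return is_object($json) && isset($json->success) && $json->success === true;
}

// Constructed responses stand in for the network.
$accept = function ($url, $fields) { return '{"success": true}'; };
$reject = function ($url, $fields) { return '{"success": false}'; };
$down   = function ($url, $fields) { return null; };

$withToken = ['g-recaptcha-response' => 'constructed-token'];
var_dump(captchaPassed($withToken, 'SECRET', '203.0.113.7', $accept));
var_dump(captchaPassed($withToken, 'SECRET', '203.0.113.7', $reject));
var_dump(captchaPassed($withToken, 'SECRET', '203.0.113.7', $down));
var_dump(captchaPassed([], 'SECRET', '203.0.113.7', $accept)); // no field sent

// In a real handler:
// if (!captchaPassed($_POST, $privatekey, $_SERVER['REMOTE_ADDR'], 'curlPost')) {
//     http_response_code(400); die('captcha check failed');
// }
```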
