🛡️ Sentinel: [HIGH] Fix SSL verification configuration in stream context #600

Closed
rowan-m wants to merge 1 commit into main from
sentinel/fix-verify-peer-ssl-context-2305671160518156015

Conversation

@rowan-m
Contributor

@rowan-m rowan-m commented Mar 22, 2026

🚨 Severity: HIGH

💡 Vulnerability: In src/ReCaptcha/RequestMethod/Post.php, the verify_peer configuration option for the stream context was incorrectly placed within the http array instead of the ssl array. As a result, the option was ignored by PHP, potentially failing to explicitly enforce SSL certificate verification.

🎯 Impact: An attacker in a Man-in-the-Middle (MitM) position could intercept the communication between the application and the reCAPTCHA service if the server's PHP configuration or environment didn't already default to verifying peers (PHP < 5.6 or overridden defaults).

🔧 Fix: Moved the verify_peer option from the http context array to the ssl context array where it is correctly interpreted by PHP's stream_context_create.

✅ Verification: The unit test in tests/ReCaptcha/RequestMethod/PostTest.php has been updated to check for verify_peer in the ssl array instead of the http array, and the tests pass.


PR created automatically by Jules for task 2305671160518156015 started by @rowan-m

The `verify_peer` option was mistakenly placed in the `http` array instead of the `ssl` array when configuring the stream context for POST requests to the reCAPTCHA service. This caused the option to be ignored by PHP. This commit moves `verify_peer` to the `ssl` context array to properly enforce SSL/TLS certificate validation. Tests have been updated to reflect the change.

Co-authored-by: rowan-m <108052+rowan-m@users.noreply.github.com>
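The misplacement described in this PR, as an added example that is not the reCAPTCHA library's code or the PR's diff: PHP reads `verify_peer` only from the `ssl` wrapper of a stream context, so the same key under `http` is accepted but never applied. The helper mirrors the kind of assertion the updated `PostTest.php` can make without a network connection; `verify_peer_name` is PHP's companion option and is an addition here, not something the PR sets.

```php
<?php
// Added example, not code from the reCAPTCHA library or this PR.
// Stream-context options are namespaced by wrapper: 'http' keys configure the
// request, 'ssl' keys configure TLS. A key in the wrong wrapper is neither
// validated nor applied.

// Constructed request body; the real call sends the site secret and the
// client token, which are placeholders here.
$body = http_build_query(['secret' => 'PLACEHOLDER_SECRET', 'response' => 'PLACEHOLDER_TOKEN']);

$httpOptions = [
    'method'  => 'POST',
    'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
    'content' => $body,
];

// 'Before' shape from the PR: verify_peer sits under 'http', where PHP never looks.
$brokenOptions = [
    'http' => $httpOptions + ['verify_peer' => true],
];

// 'After' shape: verify_peer under 'ssl', plus verify_peer_name (an addition
// here) so the presented certificate must also match the contacted host.
$fixedOptions = [
    'http' => $httpOptions,
    'ssl'  => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
    ],
];

/**
 * Returns true only if the context enables peer verification in the 'ssl'
 * wrapper and carries no stray verify_peer key under 'http'.
 * stream_context_get_options() returns the options the context was created
 * with, so this is a pure in-memory check suitable for a unit test.
 */
function contextEnforcesPeerVerification($context): bool
{
    $opts = stream_context_get_options($context);
    // The second condition catches the misplacement itself, not just its effect.
    return ($opts['ssl']['verify_peer'] ?? false) === true
        && !isset($opts['http']['verify_peer']);
}

foreach (['broken' => $brokenOptions, 'fixed' => $fixedOptions] as $label => $options) {
    $enforced = contextEnforcesPeerVerification(stream_context_create($options));
    printf("%s: peer verification %s\n", $label, $enforced ? 'enforced' : 'NOT enforced');
}
```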
@google-labs-jules
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coveralls

Coverage Status

coverage: 100.0%, remained the same when pulling 158c4d1 on sentinel/fix-verify-peer-ssl-context-2305671160518156015 into e2fd067 on main.

@rowan-m rowan-m closed this Mar 24, 2026
@rowan-m rowan-m deleted the sentinel/fix-verify-peer-ssl-context-2305671160518156015 branch March 24, 2026 10:57