Edit report at https://bugs.php.net/bug.php?id=63363&edit=1

 ID:                 63363
 Updated by:         ircmax...@php.net
 Reported by:        ircmax...@php.net
 Summary:            Curl silently accepts boolean true for
                     SSL_VERIFYHOST
-Status:             Open
+Status:             Assigned
 Type:               Bug
 Package:            *Network Functions
 Operating System:   All
 PHP Version:        Irrelevant
-Assigned To:        
+Assigned To:        ircmaxell
 Block user comment: N
 Private report:     N



Previous Comments:
------------------------------------------------------------------------
[2012-10-25 16:41:21] ircmax...@php.net

Description:
------------
The CURL option SSL_VERIFYHOST accepts a long value to indicate the
verification that should be applied. The following values are valid:

0 - No verification
1 - Check a host is present in cert
2 - Check cert's host matches request's host

The problem is that a boolean true is cast to a long 1. Therefore, code that 
does the following:

curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true)

appears to be verifying the host. However, it's actually not.

This can create security issues that are very hard to find by reading code.



Test script:
---------------
<?php

$c = curl_init();
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true);


Expected result:
----------------
The option is set to verify the host.

Actual result:
--------------
The option is set to 1, which does not verify the host.


------------------------------------------------------------------------
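
Because the report notes that this mistake is hard to spot by reading code, here is an added example (not part of the original report or of PHP itself) that uses PHP's tokenizer to flag source where CURLOPT_SSL_VERIFYHOST is set to true or 1. The function name find_weak_verifyhost() and the sample input are constructed for illustration; it assumes PHP 7.1 or later with the tokenizer extension enabled.

```php
<?php
// Added example: flag CURLOPT_SSL_VERIFYHOST set to true or 1 in PHP source.
// find_weak_verifyhost() is a hypothetical helper, not a PHP or curl API.
function find_weak_verifyhost(string $source): array
{
    $tokens = token_get_all($source);
    $findings = [];
    foreach ($tokens as $i => $tok) {
        // Match the constant, with or without a leading namespace separator.
        if (!is_array($tok) || ltrim($tok[1], '\\') !== 'CURLOPT_SSL_VERIFYHOST') {
            continue;
        }
        // Collect the next two significant tokens: separator, then value.
        $next = [];
        for ($j = $i + 1; isset($tokens[$j]) && count($next) < 2; $j++) {
            $t = $tokens[$j];
            if (!is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
                $next[] = $t;
            }
        }
        if (count($next) < 2) {
            continue;
        }
        [$sep, $val] = $next;
        // "," covers curl_setopt(); "=>" covers curl_setopt_array().
        $isSep = $sep === ',' || (is_array($sep) && $sep[0] === T_DOUBLE_ARROW);
        if (!$isSep || !is_array($val)) {
            continue;
        }
        // Per the report, boolean true is cast to long 1, so both are flagged.
        $isTrue = $val[0] === T_STRING && strtolower($val[1]) === 'true';
        $isOne = $val[0] === T_LNUMBER && $val[1] === '1';
        if ($isTrue || $isOne) {
            $findings[] = ['line' => $tok[2], 'value' => $val[1]];
        }
    }
    return $findings;
}

// Constructed sample input.
$sample = <<<'SAMPLE'
<?php
$c = curl_init();
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt_array($c, [CURLOPT_SSL_VERIFYHOST => 1]);
SAMPLE;
foreach (find_weak_verifyhost($sample) as $f) {
    echo "line {$f['line']}: CURLOPT_SSL_VERIFYHOST set to {$f['value']}\n";
}
```

The check only sees literal values; a value passed through a variable or computed at runtime needs a runtime guard instead.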


