Edit report at https://bugs.php.net/bug.php?id=63363&edit=1
ID: 63363
Updated by: ircmax...@php.net
Reported by: ircmax...@php.net
Summary: Curl silently accepts boolean true for SSL_VERIFYHOST
-Status: Open
+Status: Assigned
Type: Bug
Package: *Network Functions
Operating System: All
PHP Version: Irrelevant
-Assigned To:
+Assigned To: ircmaxell
Block user comment: N
Private report: N

Previous Comments:
------------------------------------------------------------------------
[2012-10-25 16:41:21] ircmax...@php.net

Description:
------------
The CURL option SSL_VERIFYHOST accepts a long value to indicate the verification that should be applied. The following values are valid:

0 - No verification
1 - Check a host is present in cert
2 - Check cert's host matches request's host

The problem is that a boolean true is cast to a long 1. Therefore, code that does the following:

curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true)

appears to be verifying the host. However, it's actually not. This can create security issues that are very hard to find by reading code.

Test script:
---------------
<?php
$c = curl_init();
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true);

Expected result:
----------------
The option is set to verify the host.

Actual result:
--------------
The option is set to 1, which does not verify the host.
------------------------------------------------------------------------
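The coercion described in the report (a boolean true becoming the long 1, which only checks that the certificate carries some host name rather than matching it against the request) is easy to guard against at the call site and to find in existing code. The following is an added example, not part of the bug report or of PHP's curl extension: a wrapper that refuses the boolean for CURLOPT_SSL_VERIFYHOST and accepts only the integer 2, and a small source audit that flags the weak forms. The function names (safe_curl_setopt, audit_curl_verifyhost), the sample source lines and the URL are constructed for the example.

```php
<?php
// Added example, not from the bug report or the PHP project.
// safe_curl_setopt and audit_curl_verifyhost are hypothetical helpers.

/**
 * Wrapper around curl_setopt that blocks the ambiguous bool for
 * CURLOPT_SSL_VERIFYHOST. Only the integer 2 (certificate host must match
 * the request host) is accepted; a bool or the values 0/1 throw, so the
 * weak setting cannot be introduced by accident.
 */
function safe_curl_setopt($ch, int $option, $value): bool
{
    if ($option === CURLOPT_SSL_VERIFYHOST) {
        if (!is_int($value)) {
            // The exact case from the report: true would be cast to long 1.
            throw new InvalidArgumentException(
                'CURLOPT_SSL_VERIFYHOST must be the integer 2, got ' . gettype($value)
            );
        }
        if ($value !== 2) {
            throw new InvalidArgumentException(
                "CURLOPT_SSL_VERIFYHOST=$value does not match the hostname; use 2"
            );
        }
    }
    if ($option === CURLOPT_SSL_VERIFYPEER && $value !== true) {
        throw new InvalidArgumentException('CURLOPT_SSL_VERIFYPEER must stay enabled');
    }
    return curl_setopt($ch, $option, $value);
}

/**
 * Scan PHP source text for CURLOPT_SSL_VERIFYHOST set to a bool or to 0/1,
 * in both the curl_setopt(..., X) and the curl_setopt_array([... => X]) form.
 * Returns [line number => matched value] for every weak occurrence.
 */
function audit_curl_verifyhost(string $source): array
{
    $hits = [];
    $pattern = '/CURLOPT_SSL_VERIFYHOST\s*(?:,|=>)\s*(true|false|0|1)\b/i';
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match($pattern, $line, $m)) {
            $hits[$i + 1] = strtolower($m[1]);
        }
    }
    return $hits;
}

// --- demonstration -------------------------------------------------------

$ch = curl_init('https://example.invalid/'); // placeholder, never contacted

// Weak setting from the report: would silently become 1 (no hostname match).
try {
    safe_curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Corrected setting: explicit integer 2 plus peer verification.
safe_curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
safe_curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_close($ch);

// Constructed sample source; lines 2 and 4 are the weak forms, line 3 is fine.
$sample = <<<'PHP'
$c = curl_init($url);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt_array($c, [CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 1]);
PHP;

foreach (audit_curl_verifyhost($sample) as $lineNo => $value) {
    echo "line $lineNo: CURLOPT_SSL_VERIFYHOST set to '$value', expected integer 2", PHP_EOL;
}
```

The wrapper treats the option as an allow-list rather than a deny-list, so any future non-integer input is rejected as well. The audit regex is deliberately narrow (literal constant name followed by `,` or `=>`); values passed through variables need a proper AST pass, which the example does not attempt.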