Newsgroups: php.internals
Date: Wed, 24 Oct 2012 22:03:48 -0700
To: internals@lists.php.net
Subject: Changing the default value of "true" for CURLOPT_SSL_VERIFYHOST
From: jawed@php.net (JJ)

Hey all -

I'd like to start a discussion around pull request 221 (https://github.com/php/php-src/pull/221).

In short, there's a high volume of [incorrect] code out there which looks like:

    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);

Instead of what, in all likelihood, the code meant to do:

    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

This is due to the convert_to_long_ex call which converts "true" to 1L. CURLOPT_SSL_VERIFYHOST being set to 1L bypasses common name validation within libcurl.

My solution was to check the type for CURLOPT_SSL_VERIFYHOST: if it is boolean and true, the opt value for libcurl is set to 2L.

I understand that engineers should have the proper option value to begin with, but weighing the impact of this (MITM attacks) against doing what they probably meant anyways is worth the presumption.

Please discuss and adjust the patch if necessary.

- JJ
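
Added example, not part of the original message or of the pull request: a small Python audit script that finds the calls the message describes in PHP source and reports the long value each literal becomes after integer conversion. The regular expression, the verdict labels and the sample PHP are constructed for illustration; treating 0 as "check disabled" is libcurl's documented behaviour rather than something the message states.

```python
import re

# Matches both call styles (line-based heuristic, not a PHP parser):
#   curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, <value>)
#   CURLOPT_SSL_VERIFYHOST => <value>      (curl_setopt_array)
PATTERN = re.compile(r"CURLOPT_SSL_VERIFYHOST\s*(?:,|=>)\s*([^,)\]\s;]+)")

def classify(value):
    """Return (long passed to libcurl, verdict) for a PHP literal."""
    v = value.strip().lower()          # PHP's true/false are case-insensitive
    if v in ("true", "1"):
        return 1, "BYPASS"             # 1L: common name validation bypassed
    if v in ("false", "0"):
        return 0, "DISABLED"           # 0L: host name check turned off
    if v == "2":
        return 2, "OK"                 # the value the code most likely meant
    return None, "REVIEW"              # variable or expression: check by hand

def scan(source):
    """Return (line number, raw value, long, verdict) for every match."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue                   # skip obvious comment lines
        for match in PATTERN.finditer(line):
            raw = match.group(1)
            findings.append((lineno, raw) + classify(raw))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = """<?php
$ch = curl_init("https://api.example.test/");
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt_array($ch, [CURLOPT_SSL_VERIFYHOST => FALSE, CURLOPT_SSL_VERIFYPEER => true]);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verify);
"""

if __name__ == "__main__":
    for lineno, raw, as_long, verdict in scan(SAMPLE):
        if verdict != "OK":
            print(f"line {lineno}: value {raw!r} -> {as_long} [{verdict}]")
```
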