Newsgroups: php.internals
Subject: Re: [PHP-DEV] Changing the default value of "true" for CURLOPT_SSL_VERIFYHOST
From: theanomaly.is@gmail.com (Sherif Ramadan)
To: JJ
Cc: internals@lists.php.net
Date: Thu, 25 Oct 2012 01:34:07 -0400

On Thu, Oct 25, 2012 at 1:03 AM, JJ wrote:
> Hey all - I'd like to start a discussion around pull request 221
> (https://github.com/php/php-src/pull/221).
>
> In short, there's a high volume of [incorrect] code out there which looks like:
>
> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
>
> Instead of what, in all likelihood, the code meant to do:
>
> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
>
> This is due to the convert_to_long_ex call which converts "true" to
> 1L. CURLOPT_SSL_VERIFYHOST being set to 1L bypasses common name
> validation within libcurl.
>
> My solution was to check the type for CURLOPT_SSL_VERIFYHOST: if it is
> boolean and true, the opt value for libcurl is set to 2L.
>
> I understand that engineers should have the proper option value to
> begin with but weighing the impact of this (MITM attacks) against
> doing what they probably meant anyways is worth the presumption.
>
> Please discuss and adjust the patch if necessary.
>
> - JJ

While I think it's a good idea to set the value of the option to 2, as is recommended for production in the documentation, I think the idea of implicitly converting a bool(true) to 2L internally might lead to unexpected behavior, since some people might actually depend on normal PHP behavior to cast a bool(true) to 1 (and that might be what they actually intended).

I understand there are people out there that don't read the documentation and aren't aware of the difference between curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); and curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true); but still... I don't think this is a good idea either. We should probably just elaborate on this point a bit more in the documentation.
Perhaps add a note and an example to illustrate. I notice that people tend to pay more attention to examples than anything else in the docs.
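The kind of illustration the reply asks for, as an added example that is not code from the thread, the pull request or php-src: the boolean form beside the integer form, and a small wrapper (hypothetical name `set_ssl_verifyhost`) that refuses anything but an explicit integer so the silent bool-to-1 cast cannot weaken the host check. The URL is a placeholder.

```php
<?php
// Added example, not from the thread or from php-src.
// PHP's normal cast is what curl_setopt applies to this option:
// (int) true === 1, which libcurl of this era reads as "skip the
// Common Name check", not as "verify the host".

/**
 * Set CURLOPT_SSL_VERIFYHOST without letting a boolean slip through.
 * Only the integer 2 (full host name check) or 0 (explicitly off) is
 * accepted; the ambiguous value 1 and any bool are rejected loudly.
 */
function set_ssl_verifyhost($ch, $value): void
{
    if (!is_int($value) || !in_array($value, [0, 2], true)) {
        throw new InvalidArgumentException(
            'CURLOPT_SSL_VERIFYHOST must be int 0 or 2, got '
            . var_export($value, true)
        );
    }
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $value);
}

$ch = curl_init('https://example.com/'); // placeholder URL

// Weak: reads as "verify host = yes" but reaches libcurl as 1L.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);

// Correct: 2 makes libcurl check the certificate against the host name.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
// CURLOPT_SSL_VERIFYPEER really is a boolean option, so true is right here.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

// Through the wrapper the boolean form is an error instead of a silent
// downgrade of the TLS check.
try {
    set_ssl_verifyhost($ch, true);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
set_ssl_verifyhost($ch, 2);
curl_close($ch);
```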