Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:63612
Return-Path: <adam@adamharvey.name>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 63081 invoked from network); 25 Oct 2012 06:19:48 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 25 Oct 2012 06:19:48 -0000
Authentication-Results: pb1.pair.com smtp.mail=adam@adamharvey.name; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=adam@adamharvey.name; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain adamharvey.name designates 209.85.219.42 as permitted sender)
X-PHP-List-Original-Sender: adam@adamharvey.name
X-Host-Fingerprint: 209.85.219.42 mail-oa0-f42.google.com  
Received: from [209.85.219.42] ([209.85.219.42:33371] helo=mail-oa0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 8C/50-59506-30AD8805 for <internals@lists.php.net>; Thu, 25 Oct 2012 02:19:48 -0400
Received: by mail-oa0-f42.google.com with SMTP id j1so1384995oag.29
        for <internals@lists.php.net>; Wed, 24 Oct 2012 23:19:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=adamharvey.name; s=google;
        h=mime-version:sender:in-reply-to:references:from:date
         :x-google-sender-auth:message-id:subject:to:cc:content-type
         :content-transfer-encoding;
        bh=tmgv4nl21b0TR11MvnR5xV61WspdPS5dOI9eiNFNGZs=;
        b=Mnq6ztaGhxoXaxFt7rurpYDwfMMXHWpdPByyD9UVjw78vyIuR/gVeB4MscYCOxYGlE
         QosA5qzxerdrbvsyxhgEOBsqfpBqUh9Ae5CX8vRsv7KexRgVgDidKZbRh2xeepOQjCWU
         aZRosDEU9KLqYkyqRAbNUJk1R9bNhQ2cYNjg0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date
         :x-google-sender-auth:message-id:subject:to:cc:content-type
         :content-transfer-encoding:x-gm-message-state;
        bh=tmgv4nl21b0TR11MvnR5xV61WspdPS5dOI9eiNFNGZs=;
        b=C8JnsSl5rm19ZR1in9fvDMccqw720VEk9388JsJ7s4/ZorHg8kD9IDqGo4/+kWSM0N
         m7BMVMdKVjh+Ftx5olrebS+YFLtHWO4k+054jSgC0D26jH/r7yj3Uy0PWv0ZHTuXTouu
         ZPSaK0DcDGxGzxFGa1E6WVP5T8dBWQy7SFQ8fl6PHx/U+tdwmviDR2WVuLLDNfOoPkL3
         gx6JG6b2iYo3Phzu+ncva2G8UQr+3NatJB0/+EgKhRMfo+s0JcZHNMvm0Zo4TFSsmg1a
         eB1oCQ0JeTkNKKduEZgTXiRvtOLqp48tuZtCwn1Se1/NY2Mvc+o6FqjP77uATZVrVreT
         wF8A==
Received: by 10.182.146.46 with SMTP id sz14mr14643050obb.76.1351145984563;
 Wed, 24 Oct 2012 23:19:44 -0700 (PDT)
MIME-Version: 1.0
Sender: adam@adamharvey.name
Received: by 10.76.123.75 with HTTP; Wed, 24 Oct 2012 23:19:24 -0700 (PDT)
In-Reply-To: <CAB75mSVg10VURjFmOhNQk87CqVP9FOQmcSzzgfMUTEb6S7WvxQ@mail.gmail.com>
References: <CAB75mSX-cMqZPTfv2vc8fakD_pr31qPR+kO5_O=zYiVoy4xH2w@mail.gmail.com>
 <CAL+t6cF=e_55=v9bZVy7Tv=V3M4CUQLueu=b5Efa+MD0ewG_qA@mail.gmail.com> <CAB75mSVg10VURjFmOhNQk87CqVP9FOQmcSzzgfMUTEb6S7WvxQ@mail.gmail.com>
Date: Thu, 25 Oct 2012 14:19:24 +0800
X-Google-Sender-Auth: b3PlC0Ui2IPnLd7pB0Cg_9H71yA
Message-ID: <CADajX4ALHEzXDQQuqwjiOx5bdgUVG+4pXGAJ_Unano3z9S5ZSQ@mail.gmail.com>
To: JJ <jawed@php.net>
Cc: Sherif Ramadan <theanomaly.is@gmail.com>, internals@lists.php.net
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQnkbSjOiKQkOetiYfK3o3u6IBKpdCtY75zNjR7Tmbbio9n9rciGjsKmE4C7rAxHiJ4zeGr2
Subject: Re: [PHP-DEV] Changing the default value of "true" for CURLOPT_SSL_VERIFYHOST
From: aharvey@php.net (Adam Harvey)

On 25 October 2012 13:46, JJ <jawed@php.net> wrote:
> On Wed, Oct 24, 2012 at 10:34 PM, Sherif Ramadan
> <theanomaly.is@gmail.com> wrote:
>> I understand there are people out there that don't read the
>> documentation and aren't aware of the difference between
>> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); and curl_setopt($ch,
>> CURLOPT_SSL_VERIFYHOST, true); but still... I don't think this is a
>> good idea either.
>
> I highly doubt code that sets CURLOPT_SSL_VERIFYHOST =3D> true meant to
> imply CURLOPT_SSL_VERIFYHOST =3D> 1...which essentially bypasses host
> verification.

They may have, even in spite of it being a bad idea, since that's how
boolean =E2=86=92 integer conversion works in PHP. I don't think we can ass=
ume
that every single person who's written that line of code didn't check
whether CURLOPT_SSL_VERIFYHOST was a boolean or integer option.

> According to libcurl, CURLOPT_SSL_VERIFYHOST =3D> 1 is "not ordinarily a
> useful setting".

I agree, but I don't think we can start arbitrarily changing well
defined type conversion behaviour for one corner case. The
CURLOPT_SSL_VERIFYHOST option has been documented as expecting integer
0, 1 or 2 since at least April 2002 (and probably quite a bit earlier
than that), complete with the meanings of each value =E2=80=94 there's only=
 so
much we can do to protect developers from themselves. (In fairness,
the wording strongly recommending using option 2 only came in last
August thanks to Ilia, but nobody should have been treating the option
as a boolean option to start with.)

Fundamentally, it's a bad API on the part of curl, but that's a
separate issue. There's nothing stopping somebody proposing a saner
API on top of libcurl (as Anthony did recently with the password
hashing API atop crypt()).

In summary, I'm against changing ext/curl here.

I do have a couple of specific comments on elements of the patch
itself in the event that the changed behaviour is wanted, but I'll
post those on GitHub, since it's probably a better UI for that sort of
granular discussion.

Adam