Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:63618 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 81361 invoked from network); 25 Oct 2012 10:15:02 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 25 Oct 2012 10:15:02 -0000 Authentication-Results: pb1.pair.com smtp.mail=php-php-dev@m.gmane.org; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=fullmoon@newsguy.com; sender-id=softfail Received-SPF: pass (pb1.pair.com: domain m.gmane.org designates 80.91.229.3 as permitted sender) X-PHP-List-Original-Sender: php-php-dev@m.gmane.org X-Host-Fingerprint: 80.91.229.3 plane.gmane.org Received: from [80.91.229.3] ([80.91.229.3:56086] helo=plane.gmane.org) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 2D/23-59506-42119805 for ; Thu, 25 Oct 2012 06:15:01 -0400 Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from ) id 1TRKSt-00061C-U1 for internals@lists.php.net; Thu, 25 Oct 2012 12:15:03 +0200 Received: from 169.sub-75-228-161.myvzw.com ([75.228.161.169]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Thu, 25 Oct 2012 12:15:03 +0200 Received: from fullmoon by 169.sub-75-228-161.myvzw.com with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Thu, 25 Oct 2012 12:15:03 +0200 X-Injected-Via-Gmane: http://gmane.org/ To: internals@lists.php.net Date: Thu, 25 Oct 2012 04:09:44 -0600 Lines: 56 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Gmane-NNTP-Posting-Host: 169.sub-75-228-161.myvzw.com User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0 In-Reply-To: X-Archive: encrypt Subject: Re: [PHP-DEV] Changing the default value of "true" for CURLOPT_SSL_VERIFYHOST From: fullmoon@newsguy.com (crankypuss) On 10/24/2012 11:34 PM, Sherif Ramadan wrote: > On Thu, Oct 25, 2012 at 1:03 AM, JJ wrote: >> Hey all - I'd like start a discussion around pull request 221 >> (https://github.com/php/php-src/pull/221). >> >> In short, there's a high volume of [incorrect] code out there which looks like: >> >> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true); >> >> Instead of what, in all likelyhood, the code meant to do: >> >> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); >> >> This is due to the convert_to_long_ex call which converts "true" to >> 1L. CURLOPT_SSL_VERIFYHOST being set to 1L bypasses common name >> validation within libcurl. >> >> My solution was to check the type for CURLOPT_SSL_VERIFYHOST: if it is >> boolean and true, the opt value for libcurl is set to 2L. >> >> I understand that engineers should have the proper option value to >> begin with but weighing the impact of this (MITM attacks) against >> doing what they probably meant anyways is worth the presumption. >> >> Please discuss and adjust the patch if necessary. >> >> - JJ >> >> -- >> PHP Internals - PHP Runtime Development Mailing List >> To unsubscribe, visit: http://www.php.net/unsub.php >> > > While I think it's a good idea to set the value of the option to 2, as > is recommended for production in the documentation, I think the idea > of implicitly converting a bool(true) to 2L internally might lead to > unexpected behavior since some people might actually depend on normal > PHP behavior to cast a bool(true) to 1 (and that might be what they > actually intended). > > I understand there are people out there that don't read the > documentation and aren't aware of the difference between > curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); and curl_setopt($ch, > CURLOPT_SSL_VERIFYHOST, true); but still... I don't think this is a > good idea either. > > We should probably just elaborate on this point a bit more in the > documentation. Perhaps add a note and an example to illustrate. I > notice that people tend to pay more attention to examples than > anything else in the docs. > Booleans ought to be 1 and 0. Casting a boolean to 2 is just wrong, a way to fix badly written code a few people have written and in so doing risk the breakage of far more code that is correct.