Newsgroups: php.internals
Xref: news.php.net php.internals:63625
Date: Thu, 25 Oct 2012 10:26:07 -0400
From: ircmaxell@gmail.com (Anthony Ferrara)
To: Guillaume Rossolini
Cc: Kris Craig, Sherif Ramadan, JJ, internals@lists.php.net
Subject: Re: [PHP-DEV] Changing the default value of "true" for CURLOPT_SSL_VERIFYHOST

All,

On Thu, Oct 25, 2012 at 3:14 AM, Guillaume Rossolini wrote:
> On Thu, Oct 25, 2012 at 8:36 AM, Kris Craig wrote:
> >
> > What if, instead of changing the behavior, we have it throw a notice or
> > warning if a boolean value is passed here? Because this is such a common
> > error, I think it could be really beneficial in helping developers catch
> > this early. Thoughts?
>
> Yes please. My thoughts exactly. A notice or a warning really would be best
> in this case.
>
> Regards,

I completely agree here. Right now, the current behavior LOOKS like it should verify the peer when given a boolean. But in reality it doesn't. The boolean triggers insecure behavior, which is exactly the opposite of VERIFY_PEER (which accepts a boolean parameter).

Since this case does have fairly significant security implications, I would suggest raising either a notice or a warning when a boolean true is passed in. This should be pretty easy to do, by simply altering http://lxr.php.net/xref/PHP_5_4/ext/curl/interface.c#1681 to put VERIFYHOST as the first case statement, checking if Z_TYPE_PP(zvalue) == IS_BOOL, and then handling that case (letting it fall through afterwards)...

I would strongly support this, as using boolean true and expecting the cast to go to 1 would be... well... rather an edge case. I'd believe that most people don't realize that it takes an integer parameter. And if you're relying on a cast, well, you're doing it wrong. It's like the people relying on the string cast from an array producing "array".

Sure, it may cause a few minor issues for a few users. But the vast majority of the red flags that it raises will be completely valid. And considering this has security impact, I strongly feel that we should implement the notice/warning...

Anthony
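The pitfall discussed in this thread, shown in user-space PHP as an added example (this is not code from the thread, from Anthony, or from ext/curl). It relies on two facts outside the message: PHP casts `true` to the integer 1, and libcurl at the time of this thread (before 7.28.1) treated CURLOPT_SSL_VERIFYHOST = 1 as a check that the certificate merely carries a name, while 2 is the hostname match you actually want (libcurl 7.28.1 and later treat 1 like 2). The helper names `verifyHostValue` and `secureCurlHandle` are my own; the URL is a placeholder.

```php
<?php
// Added example: guard CURLOPT_SSL_VERIFYHOST against the boolean mistake
// this thread describes, in user space, since PHP 5.4's ext/curl did not warn.
//
// libcurl meaning of CURLOPT_SSL_VERIFYHOST (integer, not boolean):
//   0 - do not check the certificate's name at all
//   1 - (libcurl < 7.28.1) only check that the cert has a name; no hostname match
//   2 - require the cert name to match the host being connected to
// (int) true is 1, so `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true)`
// silently selected the weak mode instead of a hostname match.

/**
 * Validate a CURLOPT_SSL_VERIFYHOST value before it reaches curl_setopt().
 * Rejects booleans outright (the exact case the thread proposes a notice for)
 * and anything other than 2, since only 2 matches the hostname.
 */
function verifyHostValue($value): int
{
    if (is_bool($value)) {
        throw new InvalidArgumentException(
            'CURLOPT_SSL_VERIFYHOST takes an integer; ' . var_export($value, true)
            . ' casts to ' . (int) $value . ', which does not verify the hostname. Use 2.'
        );
    }
    if (!is_int($value) || $value !== 2) {
        throw new InvalidArgumentException(
            'CURLOPT_SSL_VERIFYHOST must be 2 for hostname verification, got '
            . var_export($value, true)
        );
    }
    return $value;
}

/**
 * Build a curl handle with both peer and host verification enabled.
 * Note the asymmetry the thread points out: VERIFYPEER really is a boolean,
 * VERIFYHOST is an integer.
 */
function secureCurlHandle(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);                // boolean is correct here
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, verifyHostValue(2));  // integer 2, never true
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Demonstration: the insecure value is rejected before it can reach libcurl.
foreach ([true, 1, 2] as $candidate) {
    try {
        $v = verifyHostValue($candidate);
        echo 'accepted ', var_export($candidate, true), " as ", $v, "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', var_export($candidate, true), ': ', $e->getMessage(), "\n";
    }
}

// Placeholder URL (assumption); no request is sent in this example.
$ch = secureCurlHandle('https://example.invalid/');
curl_close($ch);
```

Rejecting 1 as well as `true` is stricter than the notice the thread proposes, but it is the check a reviewer would want: on the libcurl versions in use at the time, 1 and `true` are the same weak mode, and nothing distinguishes a deliberate 1 from a cast.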