Bug #63363 Curl silently accepts boolean true for SSL_VERIFYHOST
Submitted: 2012-10-25 16:41 UTC Modified: 2012-10-25 20:40 UTC
From: ircmaxell@php.net Assigned: ircmaxell (profile)
Status: Closed Package: *Network Functions
PHP Version: Irrelevant OS: All
Private report: No CVE-ID: None
 [2012-10-25 16:41 UTC] ircmaxell@php.net
Description:
------------
The CURL option SSL_VERIFYHOST accepts a long value to indicate the verification 
that should be applied. The following values are valid:

0 - No verification
1 - Check a host is present in cert
2 - Check cert's host matches request's host

The problem is that a boolean true is cast to a long 1. Therefore, code that 
does the following:

curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true)

appears to be verifying the host. However, it's actually not.

This can create security issues that are very hard to find by reading code.



Test script:
---------------
<?php

$c = curl_init();
// A boolean true is cast to the long 1, which only checks that a host name
// is present in the certificate; it does not check that it matches the
// request's host (that requires the integer value 2).
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true);


Expected result:
----------------
The option is set to verify the host.

Actual result:
--------------
The option is set to 1, which does not verify the host.
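As an added example (not part of the bug report or of php-src), the following PHP script shows a defender's check for the pattern described above: a small token-based lint that flags `curl_setopt()` calls setting `CURLOPT_SSL_VERIFYHOST` to `true` or `1`, and the hardened form of the call using the explicit integer `2` together with `CURLOPT_SSL_VERIFYPEER`. The function names `findWeakVerifyHost` and `hardenedHandle` and the sample source text are assumptions constructed for this example.

```php
<?php
// Added example, not code from the bug report or from php-src.
declare(strict_types=1);

/**
 * Scan PHP source text and return one finding per curl_setopt() call whose
 * option argument is CURLOPT_SSL_VERIFYHOST and whose value is `true` or `1`.
 * Each finding is [line number, value as written]. (Hypothetical helper.)
 */
function findWeakVerifyHost(string $source): array
{
    $tokens   = token_get_all($source);
    $n        = count($tokens);
    $findings = [];

    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || strcasecmp($t[1], 'curl_setopt') !== 0) {
            continue;
        }
        $line    = $t[2];
        $args    = [];   // argument texts, whitespace and comments stripped
        $current = '';
        $depth   = 0;
        for ($j = $i + 1; $j < $n; $j++) {
            $u    = $tokens[$j];
            $text = is_array($u) ? $u[1] : $u;
            if (is_array($u) && in_array($u[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
                continue;
            }
            if ($text === '(') {
                $depth++;
                if ($depth === 1) {
                    continue;          // opening paren of curl_setopt itself
                }
            } elseif ($text === ')') {
                $depth--;
                if ($depth === 0) {    // closing paren of curl_setopt
                    $args[] = $current;
                    break;
                }
            } elseif ($text === ',' && $depth === 1) {
                $args[]  = $current;   // top-level argument separator
                $current = '';
                continue;
            }
            $current .= $text;         // nested calls/expressions are kept verbatim
        }
        if (count($args) !== 3 || $args[1] !== 'CURLOPT_SSL_VERIFYHOST') {
            continue;
        }
        if (in_array(strtolower($args[2]), ['true', '1'], true)) {
            $findings[] = [$line, $args[2]];
        }
    }
    return $findings;
}

/**
 * Hardened form: the explicit integer 2 makes cURL check that the
 * certificate's host matches the request's host, and CURLOPT_SSL_VERIFYPEER
 * makes it validate the certificate chain. (Hypothetical helper.)
 */
function hardenedHandle(string $url)
{
    $c = curl_init($url);
    curl_setopt($c, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 2);
    return $c;
}

// Constructed sample source: lines 4 and 5 should be flagged, line 6 is fine.
$sample = <<<'PHP'
<?php
$c = curl_init('https://example.invalid/');
curl_setopt($c, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 2);
PHP;

foreach (findWeakVerifyHost($sample) as [$line, $value]) {
    echo "line $line: CURLOPT_SSL_VERIFYHOST set to $value; use the integer 2\n";
}
```

Run against a real code base, the lint reads each file with `file_get_contents()` and feeds it to `findWeakVerifyHost()`; because it walks tokens rather than matching a regex, it ignores comments and whitespace and is not fooled by a `true` that appears inside a nested expression in another argument.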

 [2012-10-25 17:16 UTC] ircmaxell@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: ircmaxell
 [2012-10-25 18:51 UTC] jawed@php.net
Thx for creating the bug.

Here is the pull request against master:

https://github.com/php/php-src/pull/221

The change is minimal and the difference between ext/curl/interface.c from master 
to >5.4 is also minimal. This should be easy to cherry-pick from master.

- JJ
 [2012-10-25 20:40 UTC] ircmaxell@php.net
Fixed in master / 5.4 branch
 [2012-10-25 20:40 UTC] ircmaxell@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Thu Jan 02 13:01:30 2025 UTC