php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #63363 Curl silently accepts boolean true for SSL_VERIFYHOST
Submitted: 2012-10-25 16:41 UTC Modified: 2012-10-25 20:40 UTC
From: ircmaxell@php.net Assigned: ircmaxell
Status: Closed Package: *Network Functions
PHP Version: Irrelevant OS: All
Private report: No CVE-ID:
 [2012-10-25 16:41 UTC] ircmaxell@php.net
Description:
------------
The CURL option SSL_VERIFYHOST accepts a long value to indicate the verification 
that should be applied. The following values are valid:

0 - No verification
1 - Check a host is present in cert
2 - Check cert's host matches request's host

The problem is that a boolean true is cast to a long 1. Therefore, code that 
does the following:

curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true)

appears to be verifying the host. However, it's actually not.

This can create security issues that are very hard to find by reading code.



Test script:
---------------
<?php

$c = curl_init();
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true);


Expected result:
----------------
The option is set to verify the host.

Actual result:
--------------
The option is set to 1, which does not verify the host.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-10-25 17:16 UTC] ircmaxell@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: ircmaxell
 [2012-10-25 18:51 UTC] jawed@php.net
Thx for creating the bug.

Here is the pull request against master:

https://github.com/php/php-src/pull/221

The change is minimal and the difference between ext/curl/interface.c from master 
to >5.4 is also minimal. This should be easy to cherry-pick from master.

- JJ
 [2012-10-25 20:40 UTC] ircmaxell@php.net
Fixed in master / 5.4 branch
 [2012-10-25 20:40 UTC] ircmaxell@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 19:01:51 2014 UTC