The CURL option SSL_VERIFYHOST accepts a long value to indicate the verification
that should be applied. The following values are valid:
0 - No verification
1 - Check a host is present in cert
2 - Check cert's host matches request's host
The problem is that a boolean true is cast to a long 1. Therefore, code that
does the following:
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true)
appears to be verifying the host. However, it's actually not.
This can create security issues that are very hard to find by reading code.
Test script:
$c = curl_init();
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true);

Expected result:
The option is set to verify the host.

Actual result:
The option is set to 1, which does not verify the host.
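The pattern the report describes beside a hardened replacement, as an added PHP example that is not code from the bug report or from PHP's fix. The helper names (verifyhost_value_curl_sees, curl_set_ssl_verifyhost), the example.com URL and the PHP 7.1+ scalar type declarations are assumptions; the helper refuses anything but the integer values the report lists, so a boolean can never be degraded to 1 by the implicit cast.

```php
<?php
// Added example, not part of the bug report or of PHP's fix.
// Demonstrates the boolean-to-long pitfall with CURLOPT_SSL_VERIFYHOST
// and a wrapper that refuses to pass anything but an explicit integer.

// Mirrors the implicit (long) cast the extension applies to the option
// argument: true becomes 1, which only checks that the certificate carries
// a host name at all and never compares it with the host being requested.
function verifyhost_value_curl_sees($value): int
{
    return (int) $value;
}

// Hardened helper: accept only 0 (off) or 2 (match the requested host).
// Value 1 is rejected as well, because it does not verify the host, and
// true/"2"/2.0 are rejected instead of being silently cast.
function curl_set_ssl_verifyhost($ch, $value = 2): void
{
    if (!is_int($value) || !in_array($value, [0, 2], true)) {
        throw new InvalidArgumentException(
            'CURLOPT_SSL_VERIFYHOST must be the integer 0 or 2; got '
            . var_export($value, true)
        );
    }
    if ($value === 0) {
        // Disabling verification should be loud and deliberate.
        trigger_error('TLS host verification disabled', E_USER_WARNING);
    }
    // CURLOPT_SSL_VERIFYPEER is a true boolean option, so true is fine here.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $value);
}

// Vulnerable pattern from the report (hypothetical target URL):
$c = curl_init('https://example.com/');
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true); // cast to 1: host name not matched
var_dump(verifyhost_value_curl_sees(true));     // int(1)

// Hardened: the integer 2 is passed explicitly and a boolean is refused.
curl_set_ssl_verifyhost($c, 2);
try {
    curl_set_ssl_verifyhost($c, true);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
curl_close($c);
```

Passing the integer 2 explicitly is correct on every PHP and libcurl version, so the wrapper is safe to use both before and after the fix discussed below.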
Thx for creating the bug.
Here is the pull request against master:
The change is minimal and the difference between ext/curl/interface.c from master
to >5.4 is also minimal. This should be easy to cherry-pick from master.
Fixed in master / 5.4 branch