Bug #63363 Curl silently accepts boolean true for SSL_VERIFYHOST
Submitted: 2012-10-25 16:41 UTC Modified: 2012-10-25 20:40 UTC
From: Assigned: ircmaxell
Status: Closed Package: *Network Functions
PHP Version: Irrelevant OS: All
Private report: No CVE-ID: None
 [2012-10-25 16:41 UTC]
The CURL option SSL_VERIFYHOST accepts a long value to indicate the verification 
that should be applied. The following values are valid:

0 - No verification
1 - Check a host is present in cert
2 - Check cert's host matches request's host

The problem is that a boolean true is cast to a long 1. Therefore, code that 
does the following:

curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true)

appears to be verifying the host. However, it's actually not.

This can create security issues that are very hard to find by reading code.

Test script:

<?php
$c = curl_init();
// true is cast to long 1, so this sets verification mode 1, not 2
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true);

Expected result:
The option is set to verify the host.

Actual result:
The option is set to 1, which does not verify the host.
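A defensive wrapper, added here as an example and not taken from the report or from PHP's fix: it shows the cast the reporter describes and refuses any CURLOPT_SSL_VERIFYHOST value other than the strict mode 2, so a boolean can never be downgraded silently. The helper name curl_set_strict_verifyhost is this example's own.

```php
<?php
// Added example, not part of the bug report. The boolean cast the report
// describes: true becomes long 1, the "name present in cert" mode, not
// the "cert matches request host" mode (2).
var_dump((int) true);   // int(1)

/**
 * Set CURLOPT_SSL_VERIFYHOST, accepting only the strict mode.
 * Booleans are rejected outright because their cast to long is silent.
 */
function curl_set_strict_verifyhost($ch, $level): void
{
    if (is_bool($level)) {
        throw new InvalidArgumentException(
            'CURLOPT_SSL_VERIFYHOST takes an integer; true would be cast to 1 (no host match)'
        );
    }
    if ($level !== 2) {
        throw new InvalidArgumentException(
            'CURLOPT_SSL_VERIFYHOST must be 2 to match the certificate against the host, got '
            . var_export($level, true)
        );
    }
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    // CURLOPT_SSL_VERIFYPEER is a genuine boolean option, so true is correct here.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
}

$ch = curl_init('https://example.com/');   // constructed sample URL

try {
    curl_set_strict_verifyhost($ch, true);  // the pattern from the report
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

curl_set_strict_verifyhost($ch, 2);         // the intended setting
echo 'verifyhost set to 2', PHP_EOL;
curl_close($ch);
```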

 [2012-10-25 17:16 UTC]
-Status: Open +Status: Assigned -Assigned To: +Assigned To: ircmaxell
 [2012-10-25 18:51 UTC]
Thx for creating the bug.

Here is the pull request against master:

The change is minimal and the difference between ext/curl/interface.c from master 
to >5.4 is also minimal. This should be easy to cherry-pick from master.

- JJ
 [2012-10-25 20:40 UTC]
Fixed in master / 5.4 branch
 [2012-10-25 20:40 UTC]
-Status: Assigned +Status: Closed
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Fri Dec 08 20:01:28 2023 UTC