PHP :: Bug #63363 :: Curl silently accepts boolean true for SSL

Bug #63363	Curl silently accepts boolean true for SSL_VERIFYHOST
Submitted:	2012-10-25 16:41 UTC	Modified:	2012-10-25 20:40 UTC
From:	ircmaxell@php.net	Assigned:	ircmaxell (profile)
Status:	Closed	Package:	*Network Functions
PHP Version:	Irrelevant	OS:	All
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	ircmaxell@php.net
New email:
PHP Version:		OS:

New/Additional Comment:

[2012-10-25 16:41 UTC] ircmaxell@php.net

Description:
------------
The CURL option SSL_VERIFYHOST accepts a long value to indicate the verification 
that should be applied. The following values are valid:

0 - No verification
1 - Check a host is present in cert
2 - Check cert's host matches request's host

The problem is that a boolean true is cast to a long 1. Therefore, code that 
does the following:

curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true)

appears to be verifying the host. However, it's actually not.

This can create security issues that are very hard to find by reading code.



Test script:
---------------
<?php

$c = curl_init();
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true);


Expected result:
----------------
The option is set to verify the host.

Actual result:
--------------
The option is set to 1, which does not verify the host.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-10-25 17:16 UTC] ircmaxell@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: ircmaxell

[2012-10-25 18:51 UTC] jawed@php.net

Thx for creating the bug.

Here is the pull request against master:

https://github.com/php/php-src/pull/221

The change is minimal and the difference between ext/curl/interface.c from master 
to >5.4 is also minimal. This should be easy to cherry-pick from master.

- JJ

[2012-10-25 20:40 UTC] ircmaxell@php.net

Fixed in master / 5.4 branch

[2012-10-25 20:40 UTC] ircmaxell@php.net

-Status: Assigned +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 21:01:30 2024 UTC