php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #63795 CURL >= 7.28.1 no longer support value 1 for CURLOPT_SSL_VERIFYHOST
Submitted: 2012-12-18 02:26 UTC Modified: 2012-12-22 00:48 UTC
Votes:4
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:3 (100.0%)
From: blueness at gentoo dot org Assigned: pierrick
Status: Closed Package: cURL related
PHP Version: 5.4.9 OS: Linux
Private report: No CVE-ID:
 [2012-12-18 02:26 UTC] blueness at gentoo dot org
Description:
------------
When php 5.4.9 is built against curl-7.28.1, curl_multi_getcontent($stuff) does not return the full content of the web page but truncates some characters from the beginning.  See the following downstream bugs for more details:

https://sourceforge.net/p/curl/bugs/1172/

https://bugs.gentoo.org/show_bug.cgi?id=444788

In the gentoo bug, please look at comment #14 since it pin points the curl commit that deprecated CURLOPT_SSL_VERIFYHOST=1 and led to the breakage in php.

Test script:
---------------
    <?php
     
    $cm = curl_multi_init();
    $stuffs = curl_init();
    $curl_options = array(
            CURLOPT_URL => 'http://www.google.ca',
            CURLOPT_RETURNTRANSFER => 1,
            CURLOPT_SSL_VERIFYHOST => 0,    // these are the problem
            CURLOPT_SSL_VERIFYPEER => 0,    // toggle 0/1 to test
            CURLOPT_HEADER => 1
    );
    curl_setopt_array($stuffs, $curl_options);
    curl_multi_add_handle($cm, $stuffs);
    do { curl_multi_exec($cm, $running); } while($running > 0);
    $content = curl_multi_getcontent($stuffs);
    $info = curl_getinfo($stuffs);
    curl_multi_remove_handle($cm, $stuffs);
    curl_multi_close($cm);
    print_r($info);
    // cuts off too much, the header size is incorrect
    echo mb_substr($content, $info['header_size']);
     
    ?>


Expected result:
----------------
For the expected and actual results, please see

    https://bugs.gentoo.org/show_bug.cgi?id=444788

comments #10-13


Patches

no-patch-available (last revision 2012-12-18 02:27 UTC) by blueness at gentoo dot org)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-12-18 03:06 UTC] laruence@php.net
-Assigned To: +Assigned To: pierrick
 [2012-12-19 04:35 UTC] pierrick@php.net
This bug was introduced when the support of the value 1 for 
CURLOPT_SSL_VERIFYHOST was removed in 7.28.1.

In your code sample, you're using curl_setopt_array. How this function work 
internally is that it will loop over all your options and set them one by one on 
your curl handle using the libcurl curl_easy_setopt function. If one of this set 
fail, the function will break the iteration and will return false.

In your case, when you're using libcurl 7.28.1, curl_setopt_array will fail when 
it will try to set CURLOPT_SSL_VERIFYHOST to 1, and then will not set 
CURLOPT_HEADER. The result of your curl_exec function will then not include the 
headers. Then when you remove the begining of your string to remove your header, 
you're in fact removing the begining of your content since there is no header 
included in the original string.

If you move your CURLOPT_SSL_VERIFYHOST to the end of your array this should fix 
your problem. Can you confirm ?

I started a discussion on internal to see how we want to deal with this problem.
 [2012-12-22 00:48 UTC] pierrick@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

When using libcurl < 7.28.1, if someone try to set
CURLOPT_SSL_VERIFYHOST to 1 (or true), set the value to 1, but trigger
a notice to inform that this value is deprecated.

When using libcurl >= 7.28.1 if someone try to set
CURLOPT_SSL_VERIFYHOST to 1 (or true), set CURLOPT_SSL_VERIFYHOST to
2, trigger a notice to inform the user that this value is no longer
supported as of libcurl 7.28.1 but keep returning true.
 [2012-12-22 00:48 UTC] pierrick@php.net
-Summary: url-7.28.1 breaks PHP curl_getinfo and curl_multi_getcontent +Summary: CURL >= 7.28.1 no longer support value 1 for CURLOPT_SSL_VERIFYHOST -Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 09:02:28 2014 UTC