php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #70038 peer verification needs to be a global option
Submitted: 2015-07-10 09:23 UTC Modified: 2015-07-10 12:15 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: spam2 at rhsoft dot net Assigned:
Status: Open Package: Streams related
PHP Version: 5.6.10 OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2015-07-10 09:23 UTC] spam2 at rhsoft dot net
Description:
------------
it's nice that you can disable certificate-verification for file_get_contents stream_context_create() and pass the context as param

BUT BECAUSE EVERY function in php supports the stream-wrappers this is completly inconsistent (https://bugs.php.net/bug.php?id=68344) and not useable in real life applications which may run as clone in testing environments

you hardly want to place stream_context_create() all over your codebase and HONESTLY if 3rd party libraries are part of the game YOU CAN NOT DO that in many cases and so you NEED a GLOBAL configuration parameter to disable the verification via per-directory, php.ini or inside the application like if($config['debug_mode']) ini_set('peer_verification', 0);

it's unbelieveable that after the 5.4 disaster changing the default charset with no global option and re-write and re-test some undret thousand LOC now ith 5.6 "default_charset" two major releases that fallout was fixed while in the same major release the major mistake was repeated with peer verification


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-10 10:09 UTC] requinix@php.net
-Status: Open +Status: Feedback -Type: Bug +Type: Feature/Change Request
 [2015-07-10 10:09 UTC] requinix@php.net
What part of this can't be solved with stream_context_set_default()?
 [2015-07-10 10:18 UTC] spam2 at rhsoft dot net
-Status: Feedback +Status: Open
 [2015-07-10 10:18 UTC] spam2 at rhsoft dot net
https://bugs.php.net/bug.php?id=68344
 [2015-07-10 10:22 UTC] spam2 at rhsoft dot net
stream_context_set_default() is PHP code, you have to touch every application

a PHP_INI_ALL option could be set by the sysadmin for specific vhosts or directories *without* touching application code and that is an important difference if you have 3rd party applications you are not allowed to touch
 [2015-07-10 12:09 UTC] cmb@php.net
It seems to me that there are two not necessarily related issues:

 a) the possibility to change default stream context options
    without touching application code
 
 b) the ability to disable peer certificate validation for
    extensions not regading default stream context options,
    respectively to make those extension regard the default stream
    context options
    
I suggest to address these issues with separate tickets.
    
a) might already be solvable by setting auto_prepend_file[1]
appropriately. If that is not viable, a special ini setting might
be in order, but I wouldn't make it PHP_INI_ALL for security
reasons.

[1] <http://www.php.net/manual/en/ini.core.php#ini.auto-prepend-file>
 [2015-07-10 12:15 UTC] spam2 at rhsoft dot net
"auto_prepend_file" is a really dirty workaround

> but I wouldn't make it PHP_INI_ALL for security reasons

which security reasons?

if stream_context_set_default() would be respected as it should be you could change it already in the script and there is no point to not have that option for php.ini, httpd.conf and <VirtualHost> as well as <Directory>
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Oct 17 00:01:27 2019 UTC