Hey all - I'd like to start a discussion around pull request 221 (https://github.com/php/php-src/pull/221).

In short, there's a high volume of [incorrect] code out there which looks like:

    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);

Instead of what, in all likelihood, the code meant to do:

    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

This is due to the convert_to_long_ex call which converts "true" to 1L. CURLOPT_SSL_VERIFYHOST being set to 1L bypasses common name validation within libcurl.

My solution was to check the type for CURLOPT_SSL_VERIFYHOST: if it is boolean and true, the opt value for libcurl is set to 2L.

I understand that engineers should have the proper option value to begin with, but weighing the impact of this (MITM attacks) against doing what they probably meant anyways is worth the presumption.

Please discuss and adjust the patch if necessary.

- JJ

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
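An illustration of the coercion described in the post from the application side: a curl_setopt wrapper that refuses the boolean outright, plus a small source scanner that flags the weak literal in existing code. This is an added example, not code from the post or from the php-src patch; the names strict_curl_setopt, find_weak_verifyhost and SslOptionError, and the sample source it scans, are assumptions.

```php
<?php
// Added example, not code from the post or the php-src patch; the names
// strict_curl_setopt, find_weak_verifyhost and SslOptionError are hypothetical.
final class SslOptionError extends InvalidArgumentException {}

// Wrapper around curl_setopt that refuses the ambiguous boolean for
// CURLOPT_SSL_VERIFYHOST rather than letting it be coerced to 1 (the value
// that skips host-name validation per the post); only 2 is accepted.
function strict_curl_setopt($ch, int $option, $value): bool
{
    if ($option === CURLOPT_SSL_VERIFYHOST) {
        if (is_bool($value)) {
            throw new SslOptionError('CURLOPT_SSL_VERIFYHOST takes an int; '
                . 'true is coerced to 1, which skips host-name validation. Use 2.');
        }
        if ($value !== 2) {
            throw new SslOptionError('CURLOPT_SSL_VERIFYHOST must be 2.');
        }
    }
    return curl_setopt($ch, $option, $value);
}

// Source audit: report curl_setopt calls that give CURLOPT_SSL_VERIFYHOST
// anything but 2 (true, 1, 0, false). Returns [line number => literal].
function find_weak_verifyhost(string $source): array
{
    $re = '/curl_setopt\s*\(\s*[^,]+,\s*CURLOPT_SSL_VERIFYHOST\s*,\s*(true|false|0|1)\s*\)/i';
    $hits = [];
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match($re, $line, $m)) {
            $hits[$i + 1] = strtolower($m[1]);
        }
    }
    return $hits;
}

// Constructed sample source to scan; only the second line is correct.
$sample = <<<'SRC'
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
SRC;
print_r(find_weak_verifyhost($sample));

$ch = curl_init('https://example.com/');
strict_curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);      // accepted
try {
    strict_curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true); // rejected
} catch (SslOptionError $e) {
    echo $e->getMessage(), "\n";
}
```

The scanner reports lines 1 and 3 of the sample; the wrapper accepts the integer 2 and throws on the boolean, which is the case the patch silently upgrades.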