Parent5446 has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/54584


Change subject: Added SSL verification to PHPHttpRequest.
......................................................................

Added SSL verification to PHPHttpRequest.

PHP's stream context options support SSL
server verification as well as CN matching
and provision of CA info. Added options to
the stream context so that the $sslVerifyHost,
$sslVerifyCert, and $caInfo parameters now
work in non-CURL environments.

Change-Id: Iab2bda1ebcf20b625b019c91ae6352b5405dcc01
---
M includes/HttpFunctions.php
1 file changed, 20 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/84/54584/1

diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index dc65c67..433c29b 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -45,9 +45,9 @@
         *                          Otherwise it will use $wgHTTPProxy (if set)
         *                          Otherwise it will use the environment 
variable "http_proxy" (if set)
         *    - noProxy             Don't use any proxy at all. Takes 
precedence over proxy value(s).
-        *    - sslVerifyHost       (curl only) Verify hostname against 
certificate
-        *    - sslVerifyCert       (curl only) Verify SSL certificate
-        *    - caInfo              (curl only) Provide CA information
+        *    - sslVerifyHost       Verify hostname against certificate
+        *    - sslVerifyCert       Verify SSL certificate
+        *    - caInfo              Provide CA information
         *    - maxRedirects        Maximum number of redirects to follow 
(defaults to 5)
         *    - followRedirects     Whether to follow redirects (defaults to 
false).
         *                                  Note: this should only be used when 
the target URL is trusted,
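Review bot: The caInfo entry still reads only "Provide CA information" now that the "(curl only)" qualifier is gone, so callers cannot tell what value is valid. The stream-context code added in this same change accepts either a directory or a file and throws MWException for anything else; the doc line should say so, for example "Path to a CA bundle file or a directory of CA certificates". It would also help to state here whether sslVerifyHost has any effect when sslVerifyCert is off.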
@@ -860,7 +860,23 @@
 
                $options['timeout'] = $this->timeout;
 
-               $context = stream_context_create( array( 'http' => $options ) );
+               if ( $this->sslVerifyHost ) {
+                       $options['CN_match'] = $this->parsedUrl['host'];
+               }
+               if ( $this->sslVerifyCert ) {
+                       $options['verify_peer'] = true;
+               }
+
+               if ( is_dir( $this->caInfo ) ) {
+                       $options['capath'] = $this->caInfo;
+               } elseif ( is_file( $this->caInfo ) ) {
+                       $options['cafile'] = $this->caInfo;
+               } elseif ( $this->caInfo ) {
+                       throw new MWException( "Invalid CA info passed: 
{$this->caInfo}" );
+               }
+
+               $scheme = $this->parsedUrl['scheme'];
+               $context = stream_context_create( array( "$scheme" => $options 
) );
 
                $this->headerList = array();
                $reqCount = 0;
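Review bot: The new TLS settings are written into $options and the context is then keyed by "$scheme" at the stream_context_create() call, so they never reach the TLS layer. PHP reads CN_match, verify_peer, capath and cafile from the 'ssl' section of a stream context, and reads the HTTP options (timeout, proxy, headers) from the 'http' section for both http:// and https:// URLs. With an https URL this builds array( 'https' => ... ), which populates neither section: the verification settings are silently ignored and the existing HTTP options stop applying too. Suggest collecting the TLS settings in a separate $sslOptions array and calling stream_context_create( array( 'http' => $options, 'ssl' => $sslOptions ) ). Separately, when sslVerifyHost is set without sslVerifyCert only CN_match is added, and CN_match is evaluated only as part of peer verification, so consider setting verify_peer whenever either flag is on.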

-- 
To view, visit https://gerrit.wikimedia.org/r/54584
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iab2bda1ebcf20b625b019c91ae6352b5405dcc01
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Parent5446 <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
