From:             ircmaxell
Operating system: All
PHP version:      Irrelevant
Package:          *Network Functions
Bug Type:         Bug
Bug description:  Curl silently accepts boolean true for SSL_VERIFYHOST

Description:
------------
The CURL option SSL_VERIFYHOST accepts a long value to indicate the verification that should be applied. The following values are valid:

0 - No verification
1 - Check a host is present in cert
2 - Check cert's host matches request's host

The problem is that a boolean true is cast to a long 1. Therefore, code that does the following:

curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true)

appears to be verifying the host. However, it's actually not. This can create security issues that are very hard to find by reading code.

Test script:
---------------
<?php
$c = curl_init();
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true);

Expected result:
----------------
The option is set to verify the host.

Actual result:
--------------
The option is set to 1, which does not verify the host.

--
Edit bug report at https://bugs.php.net/bug.php?id=63363&edit=1
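Added example, not part of the original report: a static check that tokenizes PHP source and reports each place CURLOPT_SSL_VERIFYHOST is given anything other than the literal 2, covering both curl_setopt() and curl_setopt_array(). The helper name find_weak_verifyhost and the sample source are constructed for illustration; it assumes the tokenizer extension is loaded, and non-literal values (variables, expressions) are reported for manual review.

```php
<?php
// Added example (find_weak_verifyhost is a hypothetical helper): report every place
// CURLOPT_SSL_VERIFYHOST is given anything other than the literal 2.
function find_weak_verifyhost(string $source): array
{
    $tokens = token_get_all($source);
    $n = count($tokens);
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $findings = [];
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || ltrim($tok[1], '\\') !== 'CURLOPT_SSL_VERIFYHOST') {
            continue;
        }
        $value = null; // stays null until the "," or "=>" after the constant is seen
        $depth = 0;    // bracket nesting inside the value expression
        for ($j = $i + 1; $j < $n; $j++) {
            if (is_array($tokens[$j]) && in_array($tokens[$j][0], $skip, true)) continue;
            $text = is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
            if ($value === null) {
                if ($text !== ',' && $text !== '=>') break; // constant is only read here
                $value = '';
                continue;
            }
            if ($text === '(' || $text === '[') {
                $depth++;
            } elseif ($text === ')' || $text === ']') {
                if ($depth-- === 0) break; // closing bracket of the call or array
            } elseif (($text === ',' || $text === ';') && $depth === 0) {
                break; // next argument, next array element, or end of statement
            }
            $value .= $text;
        }
        if ($value !== null && $value !== '2') {
            $findings[] = ['line' => $tok[2], 'value' => $value];
        }
    }
    return $findings;
}
// Constructed sample input: two weak settings and one correct one.
$sample = <<<'SRC'
<?php
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt_array($c, [CURLOPT_SSL_VERIFYHOST => 1]);
SRC;
print_r(find_weak_verifyhost($sample));
```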