Curl silently accepts boolean true for SSL

Curl silently accepts boolean true for SSL_VERIFYHOST

Bug #63363	Curl silently accepts boolean true for SSL_VERIFYHOST
Submitted:	2012-10-25 16:41 UTC	Modified:	2012-10-25 20:40 UTC
From:	ircmaxell@php.net	Assigned:	ircmaxell (profile)
Status:	Closed	Package:	*Network Functions
PHP Version:	Irrelevant	OS:	All
Private report:	No	CVE-ID:	None

[2012-10-25 16:41 UTC] ircmaxell@php.net

Description:
------------
The CURL option SSL_VERIFYHOST accepts a long value to indicate the verification 
that should be applied. The following values are valid:

0 - No verification
1 - Check a host is present in cert
2 - Check cert's host matches request's host

The problem is that a boolean true is cast to a long 1. Therefore, code that 
does the following:

curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true)

appears to be verifying the host. However, it's actually not.

This can create security issues that are very hard to find by reading code.



Test script:
---------------
<?php

$c = curl_init();
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true);


Expected result:
----------------
The option is set to verify the host.

Actual result:
--------------
The option is set to 1, which does not verify the host.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-10-25 17:16 UTC] ircmaxell@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: ircmaxell

[2012-10-25 18:51 UTC] jawed@php.net

Thx for creating the bug.

Here is the pull request against master:

https://github.com/php/php-src/pull/221

The change is minimal and the difference between ext/curl/interface.c from master 
to >5.4 is also minimal. This should be easy to cherry-pick from master.

- JJ