2012/10/25 crankypuss <fullm...@newsguy.com>

> On 10/24/2012 11:34 PM, Sherif Ramadan wrote:
>
>> On Thu, Oct 25, 2012 at 1:03 AM, JJ <ja...@php.net> wrote:
>>
>>> Hey all - I'd like start a discussion around pull request 221
>>> (https://github.com/php/php-**src/pull/221<https://github.com/php/php-src/pull/221>
>>> ).
>>>
>>> In short, there's a high volume of [incorrect] code out there which
>>> looks like:
>>>
>>> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
>>>
>>> Instead of what, in all likelyhood, the code meant to do:
>>>
>>> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
>>>
>>> This is due to the convert_to_long_ex call which converts "true" to
>>> 1L. CURLOPT_SSL_VERIFYHOST being set to 1L bypasses common name
>>> validation within libcurl.
>>>
>>> My solution was to check the type for CURLOPT_SSL_VERIFYHOST: if it is
>>> boolean and true, the opt value for libcurl is set to 2L.
>>>
>>> I understand that engineers should have the proper option value to
>>> begin with but weighing the impact of this (MITM attacks) against
>>> doing what they probably meant anyways is worth the presumption.
>>>
>>> Please discuss and adjust the patch if necessary.
>>>
>>> - JJ
>>>
>>> --
>>> PHP Internals - PHP Runtime Development Mailing List
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>>
>> While I think it's a good idea to set the value of the option to 2, as
>> is recommended for production in the documentation, I think the idea
>> of implicitly converting a bool(true) to 2L internally might lead to
>> unexpected behavior since some people might actually depend on normal
>> PHP behavior to cast a bool(true) to 1 (and that might be what they
>> actually intended).
>>
>> I understand there are people out there that don't read the
>> documentation and aren't aware of the difference between
>> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); and curl_setopt($ch,
>> CURLOPT_SSL_VERIFYHOST, true); but still... I don't think this is a
>> good idea either.
>>
>> We should probably just elaborate on this point a bit more in the
>> documentation. Perhaps add a note and an example to illustrate. I
>> notice that people tend to pay more attention to examples than
>> anything else in the docs.
>>
>>
> Booleans ought to be 1 and 0.  Casting a boolean to 2 is just wrong, a way
> to fix badly written code a few people have written and in so doing risk
> the breakage of far more code that is correct.


Thats not completely true. Boolean 'false' is equal to 0 and Boolean 'true'
is something different than 0, that _may_ be 1 (and in most cases is), but
it's not limited too. Just said.


>
>
>
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


-- 
github.com/KingCrunch

Reply via email to