All,

On Thu, Oct 25, 2012 at 3:14 AM, Guillaume Rossolini <g.rossol...@gmail.com> wrote:

> On Thu, Oct 25, 2012 at 8:36 AM, Kris Craig <kris.cr...@gmail.com> wrote:
> >
> > What if, instead of changing the behavior, we have it throw a notice or
> > warning if a boolean value is passed here? Because this is such a common
> > error, I think it could be really beneficial in helping developers catch
> > this early. Thoughts?
> >
>
> Yes please. My thoughts exactly. A notice or a warning really would be best
> in this case.
>
> Regards,
>

I completely agree here. Right now, the current behavior LOOKS like it should verify the peer when given a boolean. But in reality it doesn't. The boolean triggers insecure behavior. Which is exactly the opposite of VERIFY_PEER (which accepts a boolean parameter).

Since this case does have fairly significant security implications, I would suggest raising either a notice or a warning when a boolean true is passed in. This should be pretty easy to do, by simply altering http://lxr.php.net/xref/PHP_5_4/ext/curl/interface.c#1681 to put VERIFYHOST as the first case statement, and checking if Z_TYPE_PP(zvalue) == IS_BOOL, and then handling that case (letting it fall through afterwards)...

I would strongly support this. As using boolean true and expecting the cast to go to 1 would be... well... rather an edge case. I'd believe that most people don't realize that it takes an integer parameter. And if you're relying on a cast, well, you're doing it wrong. It's like the people relying on the string cast from an array producing "array".

Sure, it may cause a few minor issues for a few users. But the vast majority of the red flags that it raises will be completely valid. And considering this has security impact, I strongly feel that we should implement the notice/warning...

Anthony
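The cast the thread is discussing, shown from the userland side. This is an added example and not code from the thread or from ext/curl: the weak handle passes `true` to CURLOPT_SSL_VERIFYHOST, which PHP casts to the integer 1 (certificate must contain a common name, but it is not checked against the host), while the strict handle passes 2 (common name must exist and match). `checked_curl_setopt` is a hypothetical wrapper that does in PHP what the thread proposes doing inside interface.c, namely rejecting a boolean for this option before it reaches libcurl; the URL is a placeholder and no request is actually made.

```php
<?php
// Added example, not part of the thread or of ext/curl.

// Weak form: `true` is cast to int 1, which only checks that the certificate
// carries a common name. It does NOT check that the name matches the host.
function weak_handle($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);  // boolean is correct here
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);  // becomes 1: host not matched
    return $ch;
}

// Correct form: 2 requires a common name that matches the requested hostname.
function strict_handle($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    return $ch;
}

// Hypothetical userland stand-in for the notice the thread proposes adding to
// ext/curl: refuse a boolean (and the insecure value 1) for VERIFYHOST.
function checked_curl_setopt($ch, $option, $value)
{
    if ($option === CURLOPT_SSL_VERIFYHOST) {
        if (is_bool($value)) {
            throw new InvalidArgumentException(
                'CURLOPT_SSL_VERIFYHOST takes an integer; true is cast to 1, '
                . 'which does not check that the certificate matches the host. Use 2.'
            );
        }
        if ($value !== 0 && $value !== 2) {
            throw new InvalidArgumentException(
                'CURLOPT_SSL_VERIFYHOST must be 0 (off) or 2 (verify hostname), got '
                . var_export($value, true)
            );
        }
    }
    return curl_setopt($ch, $option, $value);
}

// Placeholder URL; the handles are configured but never executed here.
$ch = curl_init('https://example.com/');
checked_curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);   // accepted
checked_curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);      // accepted

try {
    checked_curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true); // rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The wrapper is strict on purpose: it also rejects the integer 1, since 1 is exactly the value the boolean collapses into, and nothing in a production client should be asking for "a common name exists" without "and it matches". Until the extension itself warns, a wrapper like this is the easiest way to catch the cast in code review or tests.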