On Thu, Oct 25, 2012 at 7:26 AM, Anthony Ferrara <ircmax...@gmail.com> wrote:

> All,
>
>
> On Thu, Oct 25, 2012 at 3:14 AM, Guillaume Rossolini <g.rossol...@gmail.com> wrote:
>
>> On Thu, Oct 25, 2012 at 8:36 AM, Kris Craig <kris.cr...@gmail.com> wrote:
>>
>> > What if, instead of changing the behavior, we have it throw a notice or warning if a boolean value is passed here? Because this is such a common error, I think it could be really beneficial in helping developers catch this early. Thoughts?
>> >
>> >
>> Yes please. My thoughts exactly. A notice or a warning really would be best in this case.
>> Regards,
>>
>
> I completely agree here.
>
> Right now, the current behavior LOOKS like it should verify the peer when given a boolean. But in reality it doesn't. The boolean triggers insecure behavior. Which is exactly the opposite of VERIFY_PEER (which accepts a boolean parameter).
>
> Since this case does have fairly significant security implications, I would suggest raising either a notice or a warning when a boolean true is passed in.
>
> This should be pretty easy to do, by simply altering http://lxr.php.net/xref/PHP_5_4/ext/curl/interface.c#1681 to put VERIFYHOST as the first case statement, and checking if Z_TYPE_PP(zvalue) == IS_BOOL, and then handling that case (letting it fall through afterwards)...
>
> I would strongly support this. As using boolean true and expecting the cast to go to 1 would be... well... rather an edge case. I'd believe that most people don't realize that it takes an integer parameter. And if you're relying on a cast, well, you're doing it wrong. It's like the people relying on the string cast from an array producing "array". Sure, it may cause a few minor issues for a few users. But the vast majority of the red flags that it raises will be completely valid. And considering this has security impact, I strongly feel that we should implement the notice/warning...
>
> Anthony
>

If there are no objections, I'll go ahead and draft an RFC for the notice/docs idea later today. If anyone would like to co-author it with me, please drop me an email and I'll send you the wiki link once I've created the page.

--Kris
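The mistake the thread is about, and the notice/warning being proposed for the engine, can be reproduced and caught in userland while the RFC is pending. The following is an added example, not code from the thread or from php-src: a thin wrapper around `curl_setopt()` that raises the warning Anthony describes when a boolean reaches `CURLOPT_SSL_VERIFYHOST`, and substitutes the value that actually verifies the hostname. `CURLOPT_SSL_VERIFYHOST`, `CURLOPT_SSL_VERIFYPEER`, `curl_setopt()` and `trigger_error()` are real PHP/cURL names; `strict_curl_setopt()` and `describe_verifyhost()` are hypothetical helper names chosen here. The value semantics (0 = no check, 1 = only check that the certificate has a name field, 2 = check that the name matches the host) are those of the libcurl of that era; the `true` to `1` cast is what PHP itself performs.

```php
<?php
// Added example (not from the thread or php-src).
// CURLOPT_SSL_VERIFYHOST takes an integer: 2 is the only value that checks the
// certificate's name against the host being contacted. PHP casts boolean true
// to int 1, which silently skips that match; the option therefore "looks"
// enabled while the connection is still open to a mis-issued certificate.

/** Human-readable effect of a CURLOPT_SSL_VERIFYHOST value after PHP's int cast. */
function describe_verifyhost($value): string
{
    $cast = (int) $value;          // same conversion the extension applies
    switch ($cast) {
        case 0:  return "0: hostname not checked at all";
        case 1:  return "1: only checks that the certificate has a name field, hostname NOT matched";
        case 2:  return "2: certificate name must match the host (the secure setting)";
        default: return "$cast: not a documented value";
    }
}

/**
 * Drop-in replacement for curl_setopt() that mirrors the proposed engine
 * notice: a boolean passed to CURLOPT_SSL_VERIFYHOST is reported and replaced
 * by 2 so the hostname is actually verified. Every other option is passed
 * through unchanged.
 */
function strict_curl_setopt($ch, int $option, $value): bool
{
    if ($option === CURLOPT_SSL_VERIFYHOST) {
        if (is_bool($value)) {
            trigger_error(
                'CURLOPT_SSL_VERIFYHOST expects an integer, not a boolean: '
                . var_export($value, true) . ' casts to ' . (int) $value
                . ' (' . describe_verifyhost($value) . '). Using 2 instead.',
                E_USER_WARNING
            );
            $value = 2;
        } elseif ((int) $value !== 2) {
            // Explicit integers other than 2 may be deliberate, so only notify.
            trigger_error(
                'CURLOPT_SSL_VERIFYHOST set to ' . describe_verifyhost($value),
                E_USER_NOTICE
            );
        }
    }
    return curl_setopt($ch, $option, $value);
}

// Usage: no network traffic is generated, curl_exec() is never called.
$ch = curl_init('https://example.invalid/');   // placeholder URL
strict_curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);   // boolean is correct for VERIFYPEER
strict_curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);   // E_USER_WARNING, corrected to 2
strict_curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);      // silent: the intended value
curl_close($ch);
```

The wrapper deliberately treats `VERIFYPEER` and `VERIFYHOST` differently, which is the asymmetry Anthony points out: the former genuinely takes a boolean, the latter does not, and code that sets both to `true` in one breath is exactly the pattern the proposed notice is meant to surface.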