fix: [CURLRequest] skip hostname checks if options 'verify' false #8258
Conversation
kenjis
changed the title
kenjis
added
the
bug
|
Thank you! |
kenjis
added
the
docs needed
system/HTTP/CURLRequest.php
Outdated
| $curlOptions[CURLOPT_SSL_VERIFYPEER] = 1; | ||
| $curlOptions[CURLOPT_CAINFO] = $file; | ||
| if ($config['verify'] === 'yes') { | ||
| $curlOptions[CURLOPT_SSL_VERIFYPEER] = 1; |
There was a problem hiding this comment.
Why do you set 1?
It seems this parameter should be boolean.
CURLOPT_SSL_VERIFYPEER
false to stop cURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option.
https://www.php.net/manual/en/function.curl-setopt.php#refsect1-function.curl-setopt-parameters
kenjis
removed
the
docs needed
|
Thank you! |
|
I don't think it's breaking anything. It's just that that the label bug was added afterwards. |
|
I think this is a bug fix, so I added the label |
…alse. When CURLRequest options 'verify' is set to false, some CURLOPT_SSL_... options should be disabled in such a way as to allow requests to pass through in case the destination is for example on private networks. Avoids SSL errors: SSL: certificate subject name 'CA' does not match target host name 'localhost'
…_VERIFYPEER and CURLOPT_SSL_VERIFYHOST
NicolaeIotu
force-pushed
the
add-curlrequest-curlopt_ssl_verifyhost
branch
from
8207e01
to
e159bfd
Compare
|
Completed the switch to branch develop. |
system/HTTP/CURLRequest.php
Outdated
| $curlOptions[CURLOPT_CAINFO] = $file; | ||
| $curlOptions[CURLOPT_SSL_VERIFYPEER] = 1; | ||
| $curlOptions[CURLOPT_CAINFO] = $file; | ||
| if ($config['verify'] === 'yes') { |
There was a problem hiding this comment.
There might be something I don't understand, but how can we have yes as a value here?
The user guide says about verify option:
This option describes the SSL certificate verification behavior. If the verify option is true, it enables the SSL certificate verification and uses the default CA bundle provided by the operating system. If set to false it will disable the certificate verification (this is insecure, and allows man-in-the-middle attacks!). You can set it to a string that contains the path to a CA bundle to enable verification with a custom certificate. The default value is true:
Dunno why, but we use ssl_key instead of verify when it's a string. The ssl_key option is not documented at all.
I feel like something has to be changed here. Either the code or the documentation.
There was a problem hiding this comment.
I missed it! Thank you.
yes is wrong.
There was a problem hiding this comment.
Dunno why, but we use ssl_key instead of verify when it's a string.
This seems a bug.
We don't support ssl_key.
See https://docs.guzzlephp.org/en/stable/request-options.html#ssl-key
There was a problem hiding this comment.
Yeah... since we should be compatible with guzzle, we should use verify.
When fixed, this should be noted in the changelog with some additional description, because some users could dig into the code and set ssl_key just to make it work.
|
@NicolaeIotu We don't use |
|
So in case |
|
There is still two merge commits. Can you run |
NicolaeIotu
force-pushed
the
add-curlrequest-curlopt_ssl_verifyhost
branch
from
779d5c7
to
e159bfd
Compare
|
I'm doing some git action to revert my mistakes. Please ignore for a while. |
…RLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST
|
I think it's ok now. |
There was a problem hiding this comment.
We need a changelog update, which will inform users about these fixes: https://github.com/codeigniter4/CodeIgniter4/blob/develop/user_guide_src/source/changelogs/v4.4.4.rst
Both: Bugs and Breaking sections should be filled.
system/HTTP/CURLRequest.php
Outdated
| @@ -548,17 +548,21 @@ protected function setCURLOptions(array $curlOptions = [], array $config = []) | |||
|
|
|||
| // SSL Verification | |||
| if (isset($config['verify'])) { | |||
| if (is_string($config['verify'])) { | |||
| $file = realpath($config['ssl_key']) ?: $config['ssl_key']; | |||
| $configVerify = $config['verify']; | |||
There was a problem hiding this comment.
Please don't introduce an additional variable, it makes the code less readable - use $config['verify'].
There was a problem hiding this comment.
Just to clarify. Array element $config['verify'] is accessed 8 times. Isn't this less efficient than using a local variable?
There was a problem hiding this comment.
If the element of the array it's not changing value, you get a performance increase if assigning its value to a local variable and using that instead of accessing the array every time especially if the key is not an integer and the value of the element is required many times.
This is pretty much valid for all languages when data type is using hash tables and others alike.
In this case there is a performance increase if using the local variable, but it may be more important to make the code readable.
I forgot to ask. The breaking change is that $config['verify'] cannot take the value 'yes' anymore. This is the only breaking change?
There was a problem hiding this comment.
If the element of the array it's not changing value, you get a performance increase...
In this case, I'm pretty sure we would not see the difference. That's why I choose the readability.
I forgot to ask. The breaking change is that $config['verify'] cannot take the value 'yes' anymore. This is the only breaking change?
Was using the value yes was documented somewhere? If not this can be skipped.
The breaking change is not using the ssl_key array key anymore.
Revert to ['verify'] instead of
CHANGELOG.md
Outdated
| ## [v4.4.4](https://github.com/codeigniter4/CodeIgniter4/tree/v4.4.4) (Unreleased) | ||
| [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.4.3...v4.4.4) | ||
|
|
||
| ### Fixed Bugs | ||
|
|
||
| * fix: [CURLRequest] skip hostname checks if options 'verify' false by @NicolaeIotu in https://github.com/codeigniter4/CodeIgniter4/pull/8258 | ||
|
|
There was a problem hiding this comment.
I think that this file is handled automatically when we prepare the release. @kenjis can confirm or deny.
There was a problem hiding this comment.
Yes, it is generated by GitHub.
Please add in changelog in user guide.
https://github.com/codeigniter4/CodeIgniter4/blob/develop/user_guide_src/source/changelogs/v4.4.4.rst#breaking
There was a problem hiding this comment.
File user_guide_src/source/changelogs/v4.4.4.rst was updated.
Now I'll revert the changes to CHANGELOG.md.
Co-authored-by: Michal Sniatala <michal@sniatala.pl>
kenjis
added
the
breaking change
|
The last thing. Add short instruction how to change when upgrading in Although confusing with changelog, the changelog describes what has changed and the upgrading guide describes what users need to do when upgrading. |
|
@NicolaeIotu Thank you! |
|
@kenjis Thank you! |
Supersedes #8257
Description
When CURLRequest options 'verify' is set to false, some CURLOPT_SSL_... options should be disabled in such a way as to allow requests to pass through in case the destination is for example on private networks.
Avoids SSL errors: SSL: certificate subject name 'CA' does not match target host name 'localhost'
Checklist: