cURL / Mailing Lists / curl-library / Single Mail


RE: "The Most Dangerous Code in the World"

From: Yehezkel Horowitz <>
Date: Sun, 28 Oct 2012 11:28:59 +0200

> I thus suggest we simply ban 1 as a value in an upcoming release. This will fource users to use 2 instead and when copying such code back to older libcurl-using code that will improve the code running there as well!

You can't force users to use 2, since if they are not reading the documents, they might also ignore the return code (I'm not sure which mistake is worse ;-).

> See my attached patch that does exactly this. As this *will* cause one or two legitimate users get an error I'm very interested in further feedback.

I suggest turning on the bit 'data->set.ssl.verifyhost' in case we got '1' as argument (yet return the error code) to keep the code secure.

> The PHP guys discussed doing the change in there end, in this discussion:
> ... but I saw nobody agreeing to that.

Even if they will agree to do the change, it will take time till their users (which version?) will upgrade, so in the meanwhile we will have curl-php users that will still use TRUE (==1) as an argument to 'CURLOPT_SSL_VERIFYHOST'.

Yehezkel Horowitz

List admin:
Received on 2012-10-28