cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: "The Most Dangerous Code in the World"

From: Peter Sylvester <peter.sylvester_at_edelweb.fr>
Date: Sun, 28 Oct 2012 11:36:53 +0100

On 10/28/2012 10:28 AM, Yehezkel Horowitz wrote:
>> I thus suggest we simply ban 1 as a value in an upcoming release. This will fource users to use 2 instead and when copying such code back to older libcurl-using code that will improve the code running there as well!
>
> You can't force users to use 2, since if they are not reading the documents, they might also ignore the return code (I'm not sure which mistake is worse ;-).
>
>> See my attached patch that does exactly this. As this *will* cause one or two legitimate users get an error I'm very interested in further feedback.
> I suggest turning on the bit 'data->set.ssl.verifyhost' in case we got '1' as argument (yet return the error code) to keep the code secure.
>
>> The PHP guys discussed doing the change in there end, in this discussion:
>> http://thread.gmane.org/gmane.comp.php.devel/76531/focus=76546
>> ... but I saw nobody agreeing to that.
> Even if they will agree to do the change, it will take time till their users (which version?) will upgrade, so in the meanwhile we will have curl-php users that will still use TRUE (==1) as an argument to 'CURLOPT_SSL_VERIFYHOST'.
I thought making 1 identical to 2, and offering a 3 as a replacement, if someone really wants the
behavior. This would be an uncompatible change but probably work in most cases ??

Peter

>
> Yehezkel Horowitz
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-10-28