

Re: "The Most Dangerous Code in the World"

From: Peter Sylvester <>
Date: Sun, 28 Oct 2012 11:36:53 +0100

On 10/28/2012 10:28 AM, Yehezkel Horowitz wrote:
>> I thus suggest we simply ban 1 as a value in an upcoming release. This will force users to use 2 instead and when copying such code back to older libcurl-using code that will improve the code running there as well!
> You can't force users to use 2, since if they are not reading the documents, they might also ignore the return code (I'm not sure which mistake is worse ;-).
>> See my attached patch that does exactly this. As this *will* cause one or two legitimate users to get an error I'm very interested in further feedback.
> I suggest turning on the bit 'data->set.ssl.verifyhost' in case we got '1' as argument (yet return the error code) to keep the code secure.
>> The PHP guys discussed doing the change on their end, in this discussion:
>> ... but I saw nobody agreeing to that.
> Even if they will agree to do the change, it will take time till their users (which version?) will upgrade, so in the meanwhile we will have curl-php users that will still use TRUE (==1) as an argument to 'CURLOPT_SSL_VERIFYHOST'.
I thought making 1 identical to 2, and offering a 3 as a replacement, if someone really wants the
behavior. This would be an incompatible change but probably work in most cases ??



Received on 2012-10-28
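The curl-php misuse discussed in this thread (passing TRUE, which is 1, to CURLOPT_SSL_VERIFYHOST) shown beside the correct setting, with the return code of curl_setopt() checked rather than ignored. This is an added example, not code from the thread or from curl; the URL and the function name are placeholders.

```php
<?php
// Added example: enable full TLS verification with PHP's curl binding and
// fail closed if libcurl rejects a value. Not curl's or the thread's code.

function configure_tls_verification($ch): bool
{
    // Check that the server certificate chains to a trusted CA.
    if (!curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true)) {
        return false;
    }
    // Check that the certificate's name matches the host. The value must be 2.
    // With 1, libcurl only checks that a Common Name is present, and since
    // TRUE == 1 in PHP, passing a boolean here silently disables the match.
    if (!curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2)) {
        // If libcurl rejects the value (as the proposed patch does for 1),
        // curl_setopt() returns false; stop here instead of sending
        // the request with hostname checking off.
        return false;
    }
    return true;
}

$ch = curl_init('https://example.invalid/'); // placeholder URL
if (!configure_tls_verification($ch)) {
    fwrite(STDERR, 'could not enable TLS verification: ' . curl_error($ch) . "\n");
    exit(1);
}
// The mistake to avoid, as discussed above:
// curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true); // true == 1, not 2
```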