review.tizen.org Git - platform/upstream/curl.git/commit

author	Daniel Stenberg <daniel@haxx.se>
	Sat, 27 Oct 2012 10:31:39 +0000 (12:31 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Tue, 6 Nov 2012 18:46:53 +0000 (19:46 +0100)
commit	da82f59b697310229ccdf66104d5d65a44dfab98
tree	e7e96d9878ad6ea7536342fc12083b489d28bad0	tree \| snapshot
parent	ab1f80200a6d1bcbac167ede429be52f3ef838bc	commit \| diff

CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value

After a research team wrote a document[1] that found several live source
codes out there in the wild that misused the CURLOPT_SSL_VERIFYHOST
option thinking it was a boolean, this change now bans 1 as a value and
will make libcurl return error for it.

1 was never a sensible value to use in production but was introduced
back in the days to help debugging. It was always documented clearly
this way.

1 was never supported by all SSL backends in libcurl, so this cleanup
makes the treatment of it unified.

The report's list of mistakes for this option were all PHP code and
while there's a binding layer between libcurl and PHP, the PHP team has
decided that they have an as thin layer as possible on top of libcurl so
they will not alter or specifically filter a 'TRUE' value for this
particular option. I sympathize with that position.

[1] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/

docs/libcurl/curl_easy_setopt.3		diff \| blob \| history
lib/curl_darwinssl.c		diff \| blob \| history
lib/curl_schannel.c		diff \| blob \| history
lib/gtls.c		diff \| blob \| history
lib/nss.c		diff \| blob \| history
lib/ssluse.c		diff \| blob \| history
lib/url.c		diff \| blob \| history
lib/urldata.h		diff \| blob \| history