Please sign in to comment.
CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value
After a research team wrote a document that found several live source codes out there in the wild that misused the CURLOPT_SSL_VERIFYHOST option thinking it was a boolean, this change now bans 1 as a value and will make libcurl return error for it. 1 was never a sensible value to use in production but was introduced back in the days to help debugging. It was always documented clearly this way. 1 was never supported by all SSL backends in libcurl, so this cleanup makes the treatment of it unified. The report's list of mistakes for this option were all PHP code and while there's a binding layer between libcurl and PHP, the PHP team has decided that they have an as thin layer as possible on top of libcurl so they will not alter or specifically filter a 'TRUE' value for this particular option. I sympathize with that position.  = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/
- Loading branch information...
Showing with 31 additions and 30 deletions.