soap #69137 - Fix SSL verify when using a proxy #2152
Conversation
Name verification was failing because the OpenSSL extension was picking the proxy server's address when guessing which name to compare to the SSL certificate. This scenario is already handled for stream wrappers in http_fopen_wrapper.c. This patch applies the same fix to the SOAP extension: when a proxy is used, set peer_name explicitly on the stream context.
| @@ -241,6 +241,13 @@ static php_stream* http_connect(zval* this_ptr, php_url *phpurl, int use_ssl, ph | |||
| if (stream && *use_proxy && use_ssl) { | |||
| smart_str soap_headers = {0}; | |||
|
|
|||
| /* Set peer_name or name verification will try to use the proxy server name */ | |||
| if (context && (tmp = php_stream_context_get_option(context, "ssl", "peer_name")) != NULL) { | |||
There was a problem hiding this comment.
This condition seems to be the exact opposite of what the corresponding http_fopen_wrapper code does: https://github.com/php/php-src/blob/master/ext/standard/http_fopen_wrapper.c#L241 The http_fopen_wrapper variant looks right to me in that it still allows a manual peer_name override.
There was a problem hiding this comment.
I'm glad you caught that. I definitely had it backward. The patch we've been running uses the same logic as http_fopen_wrapper, but in preparing this PR, I pulled the wrong revision from our internal git mirror. I did run the test before submitting, and I've been looking into why it passed when it shouldn't have. The request to download the WSDL file (which uses streams instead of the SOAP HTTP client) was setting peer_name on the context and masking the bug. I've updated the test to avoid this by enabling WSDL caching and warming the cache with a separate SoapClient instance.
|
Test failures are unrelated. |
| @@ -2368,6 +2368,8 @@ PHP_METHOD(SoapClient, SoapClient) | |||
| Z_TYPE_P(tmp) == IS_RESOURCE) { | |||
| context = php_stream_context_from_zval(tmp, 1); | |||
| Z_ADDREF_P(tmp); | |||
| } else { | |||
| context = php_stream_context_alloc(); | |||
There was a problem hiding this comment.
Now that the condition includes !context || instead of context &&, is this part of the change still necessary?
There was a problem hiding this comment.
Without it, the stream in http_connect is created without a context, and the call to php_stream_context_set_option segfaults with a null pointer dereference.
* master: (24 commits) Turn IS_TYPE_COLLECTABLE zval flag into GC_COLLECTABLE zend_refcounted flag. This simplifies checks and allows reset this flag for "acyclic" arrays and objects. Fixed bug #73360 Unable to work in root with unicode chars Add tests for PDO::getAvailableDrivers Remove DBDO-specific field Save some more calls to strlen() on the CURLFile helper methods Revert "Fix test, this is kinda ugly, but at least for me on Windows there seems to be some messed up line endings" Save a call to strlen(), since we can figure out the length of this constant value with sizeof() at compile time Fix test, this is kinda ugly, but at least for me on Windows there seems to be some messed up line endings Fix bug #71241: array_replace_recursive mutates ref params Do not overwrite config.nice.bat if --with-config-profile is used on Windows Update UPGRADING wrt. imageresolution() Fixed test to accept MYSQLI_OPT_READ_TIMEOUT remove redundant includes fix Windows compilation Add php_random_int internal API Fix compiler warnings, always cast to zend_long from sqlite3_int64 when converting to a zval Ignore the return value of sqlite3->busyTimeout() if their "API Armor" is not enabled. news entry for pr php#2135 news entry for pr php#2152 news entry for #pr 2152 ...
Name verification was failing because the OpenSSL extension was picking the proxy server's address when guessing which name to compare to the SSL certificate. This scenario is already handled for stream wrappers in http_fopen_wrapper.c. This patch applies the same fix to the SOAP extension: when a proxy is used, set peer_name explicitly on the stream context.
https://bugs.php.net/bug.php?id=69137
Thanks to @arrisray for helping debug and fix a segfault in an earlier version of this patch.