Browse files

Note about RestfulService SSL verification in upgrading guide

  • Loading branch information...
1 parent 14dcc82 commit 43fb566388e4eb0c1970e1c2aeee71bb279ebcdc @chillu chillu committed Feb 18, 2013
Showing with 12 additions and 0 deletions.
  1. +12 −0 docs/en/changelogs/
@@ -22,6 +22,7 @@
* Deny URL access if `Controller::$allowed_actions` is undefined
* Removed support for "*" rules in `Controller::$allowed_actions`
* Removed support for overriding rules on parent classes through `Controller::$allowed_actions`
+ * `RestfulService` verifies SSL peers by default
* Editing of relation table data (`$many_many_extraFields`) in `GridField`
* Optional integration with ImageMagick as a new image manipulation backend
* Support for PHP 5.4's built-in webserver
@@ -174,6 +175,17 @@ in order to reduce the boilerplate code required to get a model editable in the
Note: GridField is already relying on the permission checks performed
through the CMS controllers, providing a simple level of security.
+### RestfulService verifies SSL peers by default
+This makes the implementation "secure by default", by removing
+the call to `curl_setopt(CURLOPT_SSL_VERIFYPEER, false)`.
+Failing to validate SSL peers makes HTTP requests vulnerable to man in the middle attacks.
+The underlying `curl` library relies on the operating system for the resulting CA certificate
+verification. On some systems (mainly Windows), these certificates are not available on
+a standard PHP installation, and need to be added manually through `CURLOPT_CAINFO`.
+Although it is not recommended, you can restore the old insecure behaviour with
+the following configuration: `RestfulService::set_default_curl_option(CURLOPT_SSL_VERIFYPEER, false)`.
### Other
* `TableListField`, `ComplexTableField`, `TableField`, `HasOneComplexTableField`, `HasManyComplexTableField` and `ManyManyComplexTableField` have been removed from the core and placed into a module called "legacytablefields" located at

0 comments on commit 43fb566

Please sign in to comment.