From: Tyler Anthony Romeo Date: Mon, 18 Mar 2013 21:46:39 +0000 (-0400) Subject: Added SSL verification to PHPHttpRequest. X-Git-Tag: 1.31.0-rc.0~19340^2 X-Git-Url: http://git.cyclocoop.org/%24href?a=commitdiff_plain;h=1c927b1df2ac4dd22679ef32b1255182d2adfd5a;p=lhc%2Fweb%2Fwiklou.git Added SSL verification to PHPHttpRequest. PHP's stream context options support SSL server verification as well a CN matching and provision of CA info. Added options to the stream context so that the $sslVerifyHost, $sslVerifyCert, and $caInfo parameters now work in non-CURL environments. Change-Id: Iab2bda1ebcf20b625b019c91ae6352b5405dcc01
---
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 1c9ad38bbf..a6ef99a9bf 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -46,9 +46,9 @@ class Http {
 * Otherwise it will use $wgHTTPProxy (if set)
 * Otherwise it will use the environment variable "http_proxy" (if set)
 * - noProxy Don't use any proxy at all. Takes precedence over proxy value(s).
- * - sslVerifyHost (curl only) Verify hostname against certificate
- * - sslVerifyCert (curl only) Verify SSL certificate
- * - caInfo (curl only) Provide CA information
+ * - sslVerifyHost Verify hostname against certificate
+ * - sslVerifyCert Verify SSL certificate
+ * - caInfo Provide CA information
 * - maxRedirects Maximum number of redirects to follow (defaults to 5)
 * - followRedirects Whether to follow redirects (defaults to false).
 * Note: this should only be used when the target URL is trusted,
@@ -885,7 +885,23 @@ class PhpHttpRequest extends MWHttpRequest {
 $options['timeout'] = $this->timeout;
- $context = stream_context_create( array( 'http' => $options ) );
+ if ( $this->sslVerifyHost ) {
+ $options['CN_match'] = $this->parsedUrl['host'];
+ }
+ if ( $this->sslVerifyCert ) {
+ $options['verify_peer'] = true;
+ }
+
+ if ( is_dir( $this->caInfo ) ) {
+ $options['capath'] = $this->caInfo;
+ } elseif ( is_file( $this->caInfo ) ) {
+ $options['cafile'] = $this->caInfo;
+ } elseif ( $this->caInfo ) {
+ throw new MWException( "Invalid CA info passed: {$this->caInfo}" );
+ }
+
+ $scheme = $this->parsedUrl['scheme'];
+ $context = stream_context_create( array( "$scheme" => $options ) );
 $this->headerList = array();
 $reqCount = 0;
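Review bot: The verification settings added here (`CN_match`, `verify_peer`, `capath`, `cafile`) are written into `$options` and passed under the `"$scheme"` key, but PHP reads TLS settings from the `ssl` section of a stream context and HTTP settings from the `http` section for both http:// and https:// URLs; there is no `https` section. For an https URL the context would therefore carry neither the verification options nor the existing HTTP options such as the timeout, so the certificate and hostname checks this commit is meant to enable would not be applied. Collecting the four TLS values in a separate `$sslOptions` array and building the context with `stream_context_create( array( 'http' => $options, 'ssl' => $sslOptions ) )` keeps both sets effective. A request against a host with a mismatched or untrusted certificate would be a useful regression test. The enclosing method begins and ends outside this hunk, so how `$options` is populated earlier is not visible here.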