From: Brian Wolff <bawolff+wn@gmail.com>
Date: Wed, 1 Jul 2015 08:15:39 +0000 (-0600)
Subject: Workaround fopen lack of SubjectAltName support for instantCommons
X-Git-Tag: 1.31.0-rc.0~10210^2
X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/exercices/?a=commitdiff_plain;h=bb2adc239410563eeddd6f9017b62187c859fed6;p=lhc%2Fweb%2Fwiklou.git

Workaround fopen lack of SubjectAltName support for instantCommons

Hacky work around, where on php < 5.6.0 where SubjectAltName is not
supported, if a request to commons.wikimedia.org fails, retry the
request but telling php fopen wrapper to treat it as if it came
from en.wikipedia.org for validation purposes, since as of
c02fab71422a that's what the common name of the cert will be.

In the ideal world, everyone would just have curl installed.

I know this is super hacky, but I'd really like instant commons to
work out of the box even without curl installed.

Note: I'm basing the php 5.6 part on documentation, I have not tested
this with a copy of that version of php.

Bug: T75199
Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
---

diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index fec8adcbf6..1c794853a0 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -917,7 +917,13 @@ class PhpHttpRequest extends MWHttpRequest {
 		}
 
 		if ( $this->sslVerifyHost ) {
-			$options['ssl']['CN_match'] = $this->parsedUrl['host'];
+			// PHP 5.6.0 deprecates CN_match, in favour of peer_name which
+			// actually checks SubjectAltName properly.
+			if ( version_compare( PHP_VERSION, '5.6.0', '>=' ) ) {
+				$options['ssl']['peer_name'] = $this->parsedUrl['host'];
+			} else {
+				$options['ssl']['CN_match'] = $this->parsedUrl['host'];
+			}
 		}
 
 		if ( is_dir( $this->caInfo ) ) {
@@ -948,6 +954,19 @@ class PhpHttpRequest extends MWHttpRequest {
 			MediaWiki\restoreWarnings();
 
 			if ( !$fh ) {
+				// HACK for instant commons.
+				// If we are contacting (commons|upload).wikimedia.org
+				// try again with CN_match for en.wikipedia.org
+				// as php does not handle SubjectAltName properly
+				// prior to "peer_name" option in php 5.6
+				if ( isset( $options['ssl']['CN_match'] )
+					&& ( $options['ssl']['CN_match'] === 'commons.wikimedia.org'
+						|| $options['ssl']['CN_match'] === 'upload.wikimedia.org' )
+				) {
+					$options['ssl']['CN_match'] = 'en.wikipedia.org';
+					$context = stream_context_create( $options );
+					continue;
+				}
 				break;
 			}