Workaround fopen lack of SubjectAltName support for instantCommons

Hacky work around, where on php < 5.6.0 where SubjectAltName is not
supported, if a request to commons.wikimedia.org fails, retry the
request but telling php fopen wrapper to treat it as if it came
from en.wikipedia.org for validation purposes, since as of
c02fab71422a that's what the common name of the cert will be.

In the ideal world, everyone would just have curl installed.

I know this is super hacky, but I'd really like instant commons to
work out of the box even without curl installed.

Note: I'm basing the php 5.6 part on documentation, I have not tested
this with a copy of that version of php.

Bug: T75199
Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f

diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index fec8adc..1c79485 100644 (file)
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -917,7 +917,13 @@ class PhpHttpRequest extends MWHttpRequest {
                }
 
                if ( $this->sslVerifyHost ) {
-                       $options['ssl']['CN_match'] = $this->parsedUrl['host'];
+                       // PHP 5.6.0 deprecates CN_match, in favour of peer_name which
+                       // actually checks SubjectAltName properly.
+                       if ( version_compare( PHP_VERSION, '5.6.0', '>=' ) ) {
+                               $options['ssl']['peer_name'] = $this->parsedUrl['host'];
+                       } else {
+                               $options['ssl']['CN_match'] = $this->parsedUrl['host'];
+                       }
                }
 
                if ( is_dir( $this->caInfo ) ) {
@@ -948,6 +954,19 @@ class PhpHttpRequest extends MWHttpRequest {
                        MediaWiki\restoreWarnings();
 
                        if ( !$fh ) {
+                               // HACK for instant commons.
+                               // If we are contacting (commons|upload).wikimedia.org
+                               // try again with CN_match for en.wikipedia.org
+                               // as php does not handle SubjectAltName properly
+                               // prior to "peer_name" option in php 5.6
+                               if ( isset( $options['ssl']['CN_match'] )
+                                       && ( $options['ssl']['CN_match'] === 'commons.wikimedia.org'
+                                               || $options['ssl']['CN_match'] === 'upload.wikimedia.org' )
+                               ) {
+                                       $options['ssl']['CN_match'] = 'en.wikipedia.org';
+                                       $context = stream_context_create( $options );
+                                       continue;
+                               }
                                break;
                        }