CVE-2013-4545: Setting only CURLOPT_SSL_VERIFYHOST without
CURLOPT_SSL_VERIFYPEER set should still verify that the host
name fields in the server certificate is fine or return failure.

Bug: http://curl.haxx.se/mail/lib-2013-10/0002.html
Reported-by: Ishan SinghLevett

Relevant upstream patch at:
https://github.com/bagder/curl/commit/3c3622b6

11 --- lib/ssluse.c.orig 2013-11-14 15:22:45.714764527 -0800 |
|
12 +++ lib/ssluse.c 2013-11-14 15:25:10.416516780 -0800 |
|
13 @@ -2471,7 +2471,7 @@ |
|
14 * operations. |
|
15 */ |
|
16 |
|
17 - if(!data->set.ssl.verifypeer) |
|
18 + if(!data->set.ssl.verifypeer && !data->set.ssl.verifyhost) |
|
19 (void)servercert(conn, connssl, FALSE); |
|
20 else |
|
21 retcode = servercert(conn, connssl, TRUE); |
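
Review bot: The new condition on the `+` line sends the verifyhost-only case (verifypeer off, verifyhost on) into `retcode = servercert(conn, connssl, TRUE)`, so anything else servercert() treats as fatal in strict mode now also becomes fatal for that configuration. Please confirm in servercert() that, with verifypeer unset, the only new failure is a host name mismatch and that the chain-validation result is still ignored, and state that in the block comment ending just above the condition, which this hunk leaves unchanged. A regression test with CURLOPT_SSL_VERIFYPEER disabled, CURLOPT_SSL_VERIFYHOST enabled and a certificate whose name does not match the host would pin the behaviour the commit message describes.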