From: Antonio Ospite <ao2@ao2.it>
Date: Wed, 3 Jun 2020 20:15:49 +0000 (+0200)
Subject: src/Tweeper.php: do not disable CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER
X-Git-Tag: v1.4.2~9
X-Git-Url: https://git.ao2.it/tweeper.git/commitdiff_plain/78888e26716cad65e8e9df11226384f5661cf657?ds=sidebyside;hp=-c

src/Tweeper.php: do not disable CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER

Do not disable CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER to
actually enforce certificate verification on TLS connections.

This was a relic of some early experimental code and should not have
made it to the stable release.

Moreover, the value passed to CURLOPT_SSL_VERIFYHOST was also of the
wrong type; it should have been an integer rather than a boolean.
---

78888e26716cad65e8e9df11226384f5661cf657
diff --git a/src/Tweeper.php b/src/Tweeper.php
index aedde4d..7e277cf 100644
--- a/src/Tweeper.php
+++ b/src/Tweeper.php
@@ -123,8 +123,6 @@ class Tweeper {
       CURLOPT_FOLLOWLOCATION => TRUE,
       CURLOPT_COOKIEFILE => "",
       CURLOPT_RETURNTRANSFER => TRUE,
-      CURLOPT_SSL_VERIFYHOST => FALSE,
-      CURLOPT_SSL_VERIFYPEER => FALSE,
       CURLOPT_HTTPHEADER => array('Accept-language: en'),
       CURLOPT_USERAGENT => Tweeper::$userAgent,
     ));
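
Review bot: With CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER gone from this options array, nothing here records that verification is relied on. libcurl's defaults (peer verification on, host check at 2) are the right behaviour, so the change is correct, but a later edit could reintroduce the weakness unnoticed. Consider stating the intent in place, either with a one-line comment or by setting `CURLOPT_SSL_VERIFYPEER => TRUE` and `CURLOPT_SSL_VERIFYHOST => 2` explicitly, which also fixes the integer-versus-boolean issue the commit message mentions.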
@@ -146,8 +144,6 @@ class Tweeper {
       // Follow http redirects to get the real URL.
       CURLOPT_FOLLOWLOCATION => TRUE,
       CURLOPT_RETURNTRANSFER => TRUE,
-      CURLOPT_SSL_VERIFYHOST => FALSE,
-      CURLOPT_SSL_VERIFYPEER => FALSE,
       CURLOPT_USERAGENT => Tweeper::$userAgent,
     ));
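
Review bot: `CURLOPT_FOLLOWLOCATION => TRUE` in this redirect-resolving call still follows a hop to a plain `http://` URL, and no certificate check applies on that leg even with verification restored. If the resolved URL is trusted or fetched afterwards, consider limiting redirect schemes with CURLOPT_REDIR_PROTOCOLS, or extend the "Follow http redirects" comment to say that plain-HTTP hops are accepted by design. The same applies to the first options array, which also sets CURLOPT_FOLLOWLOCATION.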