1
0
Fork 0

Remove dangerous CN_match fallback

pull/4759/head
Jordi Boggiano 2016-01-16 16:26:14 +00:00
parent 80c96a2c01
commit 449f68deae
1 changed files with 1 additions and 28 deletions

View File

@ -35,7 +35,6 @@ class RemoteFilesystem
private $lastProgress; private $lastProgress;
private $options = array(); private $options = array();
private $disableTls = false; private $disableTls = false;
private $retryTls = true;
private $retryAuthFailure; private $retryAuthFailure;
private $lastHeaders; private $lastHeaders;
private $storeAuth; private $storeAuth;
@ -317,20 +316,6 @@ class RemoteFilesystem
} }
} }
// Check if the failure was due to a Common Name mismatch with remote SSL cert and retry once (excl normal retry)
if (
false === $result
&& $this->retryTls === true
&& preg_match('{did not match expected CN}i', $errorMessage)
&& preg_match("{Peer certificate CN=`(.*)' did not match}i", $errorMessage, $matches)
) {
$this->retryTls = false;
$expectedCommonName = $matches[1];
$this->io->write(" <warning>Retrying download from ".$originUrl." with SSL Cert Common Name (CN): ".$expectedCommonName."</warning>");
return $this->get($this->originUrl, $this->fileUrl, $additionalOptions, $this->fileName, $this->progress, $expectedCommonName);
}
if ($this->retry) { if ($this->retry) {
$this->retry = false; $this->retry = false;
@ -487,7 +472,7 @@ class RemoteFilesystem
throw new TransportException('RETRY'); throw new TransportException('RETRY');
} }
protected function getOptionsForUrl($originUrl, $additionalOptions, $validCommonName = '') protected function getOptionsForUrl($originUrl, $additionalOptions)
{ {
$tlsOptions = array(); $tlsOptions = array();
@ -499,18 +484,6 @@ class RemoteFilesystem
$host = parse_url($this->fileUrl, PHP_URL_HOST); $host = parse_url($this->fileUrl, PHP_URL_HOST);
} }
// This is sheer painful, but hopefully it'll be a footnote once SAN support
// reaches PHP 5.4 and 5.5...
// Side-effect: We're betting on the CN being either a wildcard or www, e.g. *.github.com or www.example.com.
if (strlen($validCommonName) > 0) {
if (
!preg_match('{'.$host.'$}i', $validCommonName)
|| (count(explode('.', $validCommonName)) - count(explode('.', $host))) > 1
) {
throw new TransportException('Unable to read or match the Common Name (CN) from the remote SSL certificate.');
}
$host = $validCommonName;
}
$tlsOptions['ssl']['CN_match'] = $host; $tlsOptions['ssl']['CN_match'] = $host;
$tlsOptions['ssl']['SNI_server_name'] = $host; $tlsOptions['ssl']['SNI_server_name'] = $host;
} }