get_config('cacertinfo') will be null in default installs unless overridden, a default should be used

Bug #1084351 reported by Hugh Davenport
This bug affects 1 person
Affects: Mahara
Status: Confirmed
Importance: Low
Assigned to: Unassigned

Bug Description

htdocs/lib/web.php line 3532

This config variable is both undocumented, and no default is given. I think that we should try and detect some reasonable default and give up if none possible. Documentation could also be good ;)

It appears to be only used in that one place, as a flag to set up more checks.

Aaron Wells (u-aaronw)
Changed in mahara:
milestone: 1.7.0 → 1.8.0
Aaron Wells (u-aaronw)
Changed in mahara:
milestone: 1.8rc1 → 1.8.0
Aaron Wells (u-aaronw) wrote :

What this config does is provide for PHP curl to verify the certificates of HTTPS servers that it connects to. Without this, it apparently just trusts anything.

We can perhaps copy the logic from https://tracker.moodle.org/browse/MDL-39356 , where Moodle recently implemented something similar. They appear to have included the cacert.pem from http://curl.haxx.se/docs/caextract.html

information type: Public → Public Security
Changed in mahara:
milestone: 1.8.0 → 1.8.1
Aaron Wells (u-aaronw) wrote :

Note that if we did fix this, there appear to be a few other places we'd want to update as well, such as the api/xmlrpc libraries. Searching for CURLOPT_SSL_VERIFYPEER helps turn up a few.
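
One way the default detection discussed in this report could look, as an added example that is not Mahara's code and not part of the thread. The helper names find_ca_bundle() and harden_curl_handle() are hypothetical, $configured stands in for the value of get_config('cacertinfo'), and the system paths listed are common distribution locations assumed for illustration:

```php
<?php
// Added example, not Mahara code. Helper names are hypothetical;
// $configured stands in for get_config('cacertinfo').

/**
 * Return the first readable CA bundle: the configured one if set,
 * then PHP ini settings, then well-known system locations.
 * Returns null when nothing usable is found.
 */
function find_ca_bundle($configured = null) {
    $candidates = array(
        $configured,
        ini_get('curl.cainfo'),
        ini_get('openssl.cafile'),
    );
    if (function_exists('openssl_get_cert_locations')) {
        $locations = openssl_get_cert_locations();
        $candidates[] = $locations['default_cert_file'];
    }
    // Common distribution paths (Debian/Ubuntu, RHEL/CentOS, BSD/Alpine).
    $candidates[] = '/etc/ssl/certs/ca-certificates.crt';
    $candidates[] = '/etc/pki/tls/certs/ca-bundle.crt';
    $candidates[] = '/etc/ssl/cert.pem';

    foreach ($candidates as $path) {
        // ini_get() returns false for unknown settings, so test the type first.
        if (is_string($path) && $path !== '' && is_file($path) && is_readable($path)) {
            return $path;
        }
    }
    return null;
}

/**
 * Turn on peer and hostname verification for a curl handle.
 * If no bundle is found, CURLOPT_CAINFO is left unset so libcurl uses its
 * compiled-in default; verification itself is never switched off.
 */
function harden_curl_handle($ch, $configured = null) {
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    $bundle = find_ca_bundle($configured);
    if ($bundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $bundle);
    }
    return $bundle;
}

$ch = curl_init('https://example.org/');
$used = harden_curl_handle($ch, null); // null mimics an unset cacertinfo
echo 'CA bundle: ' . ($used === null ? 'libcurl built-in default' : $used) . "\n";
```

The same helper can be applied at every place that sets CURLOPT_SSL_VERIFYPEER, so that each caller gets identical verification settings.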

Aaron Wells (u-aaronw) wrote :

Here's a patch to document it, at least: https://reviews.mahara.org/2633

Aaron Wells (u-aaronw) wrote :

Patch 2633 was merged into the master branch in time for inclusion in the 1.8.0 release. I'm leaving this bug open, though, because we still need to provide a default cacert.pem file like Moodle.

Changed in mahara:
milestone: 1.8.1 → 1.9.0
status: Triaged → Fix Released
status: Fix Released → Fix Committed
status: Fix Committed → In Progress
milestone: 1.9.0 → 1.8.2
no longer affects: mahara/1.8
no longer affects: mahara/1.9
Robert Lyon (robertl-9)
Changed in mahara:
milestone: 15.04.0 → 15.04.1
Aaron Wells (u-aaronw)
no longer affects: mahara/1.10
Changed in mahara:
milestone: 15.04.1 → 15.10.0
Aaron Wells (u-aaronw)
Changed in mahara:
milestone: 15.10.0 → 16.04.0
Aaron Wells (u-aaronw)
Changed in mahara:
milestone: 16.04.0 → 16.10.0
Robert Lyon (robertl-9)
Changed in mahara:
milestone: 16.10.0 → 16.10.1
Robert Lyon (robertl-9)
Changed in mahara:
milestone: 16.10.1 → 17.04.0
Robert Lyon (robertl-9)
Changed in mahara:
milestone: 17.04.0 → none
status: In Progress → Confirmed
This report contains Public Security information  
Everyone can see this security related information.
