get_config('cacertinfo') will be null in default installs unless overridden, a default should be used

Bug #1084351 reported by Hugh Davenport on 2012-11-29
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Low
Unassigned

Bug Description

htdocs/lib/web.php line 3532

This config variable is both undocumented, and no default is given. I think that we should try and detect some reasonable default and give up if none possible. Documentation could also be good ;)

It appears to be only used in that one place, as a flag to set up more checks.

Aaron Wells (u-aaronw) on 2013-04-19
Changed in mahara:
milestone: 1.7.0 → 1.8.0
Aaron Wells (u-aaronw) on 2013-09-30
Changed in mahara:
milestone: 1.8rc1 → 1.8.0
Aaron Wells (u-aaronw) wrote :

What this config does is provides for PHP curl to verify the certificates of HTTPS servers that it connects to. Without this, it apparently just trusts anything.

We can perhaps copy the logic from https://tracker.moodle.org/browse/MDL-39356 , where Moodle recently implemented something similar. They appear to have included the cacert.pem from http://curl.haxx.se/docs/caextract.html

information type: Public → Public Security
Changed in mahara:
milestone: 1.8.0 → 1.8.1
Aaron Wells (u-aaronw) wrote :

Note that if we did fix this, there appear to be a few other places we'd want to update as well, such as the api/xmlrpc libraries. Searching for CURLOPT_SSL_VERIFYPEER helps turn up afew.

Aaron Wells (u-aaronw) wrote :

Here's a patch to document it, at least: https://reviews.mahara.org/2633

Aaron Wells (u-aaronw) wrote :

Patch 2633 was merged in to the master branch in time for inclusion in the 1.8.0 release. I'm leaving this bug open, though, because we still need to provide a default cacert.pem file like Moodle.

Changed in mahara:
milestone: 1.8.1 → 1.9.0
status: Triaged → Fix Released
status: Fix Released → Fix Committed
status: Fix Committed → In Progress
milestone: 1.9.0 → 1.8.2
no longer affects: mahara/1.8
no longer affects: mahara/1.9
Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
milestone: 15.04.0 → 15.04.1
Aaron Wells (u-aaronw) on 2015-04-21
no longer affects: mahara/1.10
Changed in mahara:
milestone: 15.04.1 → 15.10.0
Aaron Wells (u-aaronw) on 2015-10-23
Changed in mahara:
milestone: 15.10.0 → 16.04.0
Aaron Wells (u-aaronw) on 2016-04-28
Changed in mahara:
milestone: 16.04.0 → 16.10.0
Robert Lyon (robertl-9) on 2016-10-20
Changed in mahara:
milestone: 16.10.0 → 16.10.1
Robert Lyon (robertl-9) on 2016-10-21
Changed in mahara:
milestone: 16.10.1 → 17.04.0
Robert Lyon (robertl-9) on 2017-03-29
Changed in mahara:
milestone: 17.04.0 → none
status: In Progress → Confirmed
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers