Conversation

@rdlowrey (Contributor)

Bug #65538

This patch provides support for stream wrapper usage in the "cafile" SSL context option. Previously this value was passed directly to the underlying OpenSSL libs and necessarily required an absolute filesystem path. The following behavior now functions as expected:

<?php
$clientCtx = stream_context_create(['ssl' => [
    'cafile' => 'phar://myphar/ca.pem',
]]);
$html = file_get_contents('https://github.com', false, $clientCtx);

Security Note

Note that all stream wrappers ARE NOT supported. This is intentional. Consider the security implications of allowing the following code (which users would almost certainly attempt if allowed to do so):

<?php
$clientCtx = stream_context_create(['ssl' => [
    'cafile' => 'http://curl.haxx.se/ca/cacert.pem',
]]);
$html = file_get_contents('https://github.com', false, $clientCtx);

The use of any stream wrapper that would be disallowed by the allow_url_fopen=0 php.ini directive will fail with an E_WARNING of the form shown below.

Warning: remote cafile streams are disabled for security purposes in %s on line %d

This prohibition IS NOT dependent upon the allow_url_fopen directive. Stream wrappers identifying themselves with the internal is_url flag are disallowed across the board even if allow_url_fopen=1.

Version Note

I intend to merge this for 5.6 and master as it's more a "feature request" than a bug IMO. If anyone really wants this backported for 5.4/5.5 I might be able to find the time to do so eventually.
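The description above states the rule the patch enforces: the "cafile" value may come from a local path or a non-URL wrapper such as phar://, but any wrapper carrying the internal is_url flag is refused regardless of allow_url_fopen. The following is an added userland illustration of that same check, not code from this pull request or from ext/openssl; it assumes stream_is_local(), which consults the per-wrapper is_url flag, and the function names and sample paths are constructed for the example.

```php
<?php
// Added example: approximates the patch's cafile check in userland.
// stream_is_local() returns false for wrappers registered with is_url = 1
// (http://, ftp://, ...) and true for plain paths and non-URL wrappers
// such as phar://, independent of the allow_url_fopen ini setting.

function ssl_cafile_is_allowed(string $cafile): bool
{
    return stream_is_local($cafile);
}

// Builds an SSL context only when the CA bundle location passes the check;
// mirrors the E_WARNING wording the patch emits, as a user-level warning.
function build_verified_ssl_context(string $cafile)
{
    if (!ssl_cafile_is_allowed($cafile)) {
        trigger_error(
            'remote cafile streams are disabled for security purposes',
            E_USER_WARNING
        );
        return false;
    }
    return stream_context_create(['ssl' => [
        'cafile'      => $cafile,
        'verify_peer' => true,
    ]]);
}

// Constructed sample inputs; the files need not exist for the wrapper check.
$candidates = [
    '/etc/ssl/certs/ca.pem',                // plain local path: allowed
    'phar://myphar/ca.pem',                 // non-URL wrapper: allowed
    'http://example.invalid/cacert.pem',    // URL wrapper: rejected
];
foreach ($candidates as $candidate) {
    printf("%-36s %s\n", $candidate,
        ssl_cafile_is_allowed($candidate) ? 'allowed' : 'rejected');
}
```

The point of refusing URL wrappers here is that the CA bundle is the trust anchor for the very TLS connection being set up; fetching it over an unauthenticated channel would let whoever controls that channel choose which certificates the client trusts.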

@php-pulls php-pulls merged commit 2a83295 into php:PHP-5.6 Feb 19, 2014
@rdlowrey rdlowrey deleted the bug-65538 branch February 19, 2014 11:21
Member

Hmm, does this test really need pcntl to work? I can't spot any obvious reference to it

Contributor Author

It does not. All the old openssl tests depended on pcntl to fork but that dependency has since been removed. This is just a copy/paste artifact -- I'll remove it when I have a chance. Thanks for pointing this out 👍
