Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#30621] - [3][http] Joomla HTTP cannot connect to insecure https sites

?
avatar PhilETaylor
PhilETaylor
12 Sep 2020

Steps to reproduce the issue

CURL Options passed to the GMAIL Authentication Plugin are not used by the http transport. This is the bug. But digging deeper in abstract:

dump this code into test.php in the root of your Joomla site

This example is based on the Gmail Authentication Plugin code, stripped back.

<?php

use Joomla\Registry\Registry;

define('_JEXEC', 1);
define('JPATH_BASE', __DIR__);

require_once JPATH_BASE.'/includes/defines.php';
require_once JPATH_BASE.'/includes/framework.php';

$app = JFactory::getApplication('site');


$curlParams = array(
    'transport.curl' => array(
        // DO NOT DO THIS ON A LIVE SITE - NEVER EVER FOLLOW ADVICE TO DO THIS !!!! 
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_PROXY_SSL_VERIFYPEER => false, // PHP7.3+
        CURLOPT_PROXY_SSL_VERIFYHOST => false,// PHP7.3+
    ),
);

$transportParams = new Registry($curlParams);

$http = JHttpFactory::getHttp($transportParams, 'curl');

try {
    $result = $http->get('https://self-signed.badssl.com');
} catch (\Exception $exception){
    echo '<pre>';
    var_dump($exception);
}

Navigate to http://yourdevdomain.dev/test.php

Expected result

No errors, the HTTP should use the curl transport and connect to the badssl.com site without exception or error.

Actual result

Exception thrown SSL certificate problem: self signed certificate

System information (as much as possible)

PHP 7.4 tested

avatar PhilETaylor PhilETaylor - open - 12 Sep 2020
avatar joomla-cms-bot joomla-cms-bot - change - 12 Sep 2020
Labels Added: ?
avatar joomla-cms-bot joomla-cms-bot - labeled - 12 Sep 2020
avatar PhilETaylor PhilETaylor - change - 12 Sep 2020
The description was changed
avatar PhilETaylor PhilETaylor - edited - 12 Sep 2020
avatar PhilETaylor PhilETaylor - change - 12 Sep 2020
The description was changed
avatar PhilETaylor PhilETaylor - edited - 12 Sep 2020
avatar PhilETaylor
PhilETaylor - comment - 12 Sep 2020

The problem is that passing 'transport.curl' to new Registry doesnt convert it to a nested array in the registry... whereas using ->set('transport.curl', is correctly setting it as a nested array

Code based on the SSL check when saving Joomla Global Config is like this, and works:

$options = new \Joomla\Registry\Registry;

$options->set('transport.curl',
    array(
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
//        CURLOPT_PROXY => null,
//        CURLOPT_PROXYUSERPWD => null,
    )
);

try {
    $response = JHttpFactory::getHttp($options, 'curl')->get('https://self-signed.badssl.com');
    echo $response->body;
} catch (\Exception $exception){
    echo '<pre>';
    var_dump($exception);
}
avatar PhilETaylor PhilETaylor - change - 12 Sep 2020
The description was changed
avatar PhilETaylor PhilETaylor - edited - 12 Sep 2020
avatar PhilETaylor
PhilETaylor - comment - 12 Sep 2020

Clearest case:

$options = new Registry(array(
    'transport.curl'  => array(
        CURLOPT_SSL_VERIFYPEER => 0
    ),
));


$options2 = new \Joomla\Registry\Registry;
$options2->set('transport.curl',
    array(
        CURLOPT_SSL_VERIFYPEER => false,
    )
);

var_dump($options);
echo '<hr/>';
var_dump($options2);

gives:

object(Joomla\Registry\Registry)#40 (3) { ["data":protected]=> object(stdClass)#56 (1) { ["transport.curl"]=> object(stdClass)#57 (1) { ["64"]=> int(0) } } ["initialized":protected]=> bool(true) ["separator"]=> string(1) "." }
object(Joomla\Registry\Registry)#58 (3) { ["data":protected]=> object(stdClass)#59 (1) { ["transport"]=> object(stdClass)#60 (1) { ["curl"]=> array(1) { [64]=> bool(false) } } } ["initialized":protected]=> bool(false) ["separator"]=> string(1) "." }

This clearly shows the difference between using the set method and passing an array to the constructor.

avatar SharkyKZ
SharkyKZ - comment - 12 Sep 2020

My guess this is more or less expected due to how Registry accesses data. Period is by default used as a separator so using it in array keys is going to be problematic. I think this is correct code in your case:

$curlParams = array(
	'transport' => array(
		'curl' => array(
		// DO NOT DO THIS ON A LIVE SITE - NEVER EVER FOLLOW ADVICE TO DO THIS !!!!
		CURLOPT_SSL_VERIFYPEER => false,
		CURLOPT_SSL_VERIFYHOST => false,
		CURLOPT_PROXY_SSL_VERIFYPEER => false, // PHP7.3+
		CURLOPT_PROXY_SSL_VERIFYHOST => false,// PHP7.3+
		),
	),
);
avatar PhilETaylor
PhilETaylor - comment - 12 Sep 2020

I knew someone was going to try and blame "my code" when in fact all the examples are lifted straight from Joomla 3.9 code code.

joomla-cms/plugins/authentication/gmail/gmail.php

Line 48 in b6f11d8

'transport.curl' => array(

joomla-cms/administrator/components/com_config/model/application.php

Line 137 in fe0589c

$options->set('transport.curl',

Setting the registry options by constructor or by the set method should result in the same result. They don't.

You are saying that in "my case" I should not be using transport.curl - however this is exactly what Joomla core code is doing in the Gmail Authentication Plugin.

"my case" was simply debugging core code. There is no "my code"...

avatar SharkyKZ SharkyKZ - change - 12 Sep 2020
Status New Closed
Closed_Date 0000-00-00 00:00:00 2020-09-12 18:39:14
Closed_By SharkyKZ
avatar SharkyKZ
SharkyKZ - comment - 12 Sep 2020

Registry is working fine. It's the code in Gmail plugin that's wrong. But if you disagree you can open an issue in https://github.com/joomla-framework/registry repository.

For the Gmail plugin issue see PR #30624.

avatar SharkyKZ SharkyKZ - close - 12 Sep 2020
avatar PhilETaylor
PhilETaylor - comment - 12 Sep 2020

If only there were unit tests ?

Registry is wrong. It’s constructor and it’s set method are acting different

Add a Comment

Login with GitHub to post a comment