Document our curl-tls-verification magic

author: jvoisin 2018-11-29 21:17:13 +0100
committer: jvoisin 2018-11-29 21:17:13 +0100
commit: cddd3065a9a6ffc3315366efe1afff5d94efae2b (patch)
tree: 6e62df3e494f8cf5a2b504ccc0f47ad91812d87f /doc/source
parent: 0b594cd3330366e8cb49c08dcc17ca92bbb8ddfb (diff)
1 files changed, 11 insertions, 1 deletions
diff --git a/doc/source/features.rst b/doc/source/features.rst
index dd35e2b..4f8edb9 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -439,9 +439,19 @@ Arbitrary file inclusion hardening
 """"""""""""""""""""""""""""""""""
 Arbitrary file inclusion is a common vulnerability, that might be detected
-by preventing the inclusion of anything that doens't match a strict set
+by preventing the inclusion of anything that doesn't match a strict set
 of file extensions in calls to ``include`` or ``require``.
+Enforcing certificate validation when using curl
+""""""""""""""""""""""""""""""""""""""""""""""""
+While it might be convenient to disable certificate validation on preproduction
+or during tests, it's `common <https://twitter.com/CiPHPerCoder/status/1056974646363516928>`__
+to see that people are disabling it on production too.
+We're detecting/preventing this by not allowing the ``CURLOPT_SSL_VERIFYPEER`` and
+``CURLOPT_SSL_VERIFYHOST`` options from being set to ``0``.
 *Cheap* SQL injections detection
 """"""""""""""""""""""""""""""""
author	jvoisin	2018-11-29 21:17:13 +0100
committer	jvoisin	2018-11-29 21:17:13 +0100
commit	cddd3065a9a6ffc3315366efe1afff5d94efae2b (patch)
tree	6e62df3e494f8cf5a2b504ccc0f47ad91812d87f /doc/source
parent	0b594cd3330366e8cb49c08dcc17ca92bbb8ddfb (diff)

diff --git a/doc/source/features.rst b/doc/source/features.rst index dd35e2b..4f8edb9 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst
@@ -439,9 +439,19 @@ Arbitrary file inclusion hardening
439	""""""""""""""""""""""""""""""""""	439	""""""""""""""""""""""""""""""""""
440		440
441	Arbitrary file inclusion is a common vulnerability, that might be detected	441	Arbitrary file inclusion is a common vulnerability, that might be detected
442	by preventing the inclusion of anything that doens't match a strict set	442	by preventing the inclusion of anything that doesn't match a strict set
443	of file extensions in calls to ``include`` or ``require``.	443	of file extensions in calls to ``include`` or ``require``.
444		444
		445
		446	Enforcing certificate validation when using curl
		447	""""""""""""""""""""""""""""""""""""""""""""""""
		448
		449	While it might be convenient to disable certificate validation on preproduction
		450	or during tests, it's `common <https://twitter.com/CiPHPerCoder/status/1056974646363516928>`__
		451	to see that people are disabling it on production too.
		452	We're detecting/preventing this by not allowing the ``CURLOPT_SSL_VERIFYPEER`` and
		453	``CURLOPT_SSL_VERIFYHOST`` options from being set to ``0``.
		454
445	Cheap SQL injections detection	455	Cheap SQL injections detection
446	""""""""""""""""""""""""""""""""	456	""""""""""""""""""""""""""""""""
447		457