Don't set CURLOPT_CAINFO when sslverify is false when sending HTTP API requests through cURL. This avoids sending redundant information to cURL, and avoids a bug in Apple's SecureTransport library which causes a request to fail when a CA bundle is set but certificate verification is disabled.

This fixes issues with local HTTPS requests (eg. WP Cron) on OS X where cURL is using SecureTransport instead of OpenSSL. Fixes #33978 git-svn-id: https://develop.svn.wordpress.org/trunk@34639 602fd350-edb4-49c9-b593-d223f7449a82
2015-09-27 21:37:00 +00:00 · 2015-09-27 21:37:00 +00:00 · a0be6bbb12
commit a0be6bbb12
parent 5ff16465f2
2 changed files with 33 additions and 1 deletions
--- a/src/wp-includes/class-wp-http-curl.php
+++ b/src/wp-includes/class-wp-http-curl.php
@ -133,7 +133,11 @@ class WP_Http_Curl {
 		curl_setopt( $handle, CURLOPT_RETURNTRANSFER, true );
 		curl_setopt( $handle, CURLOPT_SSL_VERIFYHOST, ( $ssl_verify === true ) ? 2 : false );
 		curl_setopt( $handle, CURLOPT_SSL_VERIFYPEER, $ssl_verify );
-		curl_setopt( $handle, CURLOPT_CAINFO, $r['sslcertificates'] );
+
+		if ( $ssl_verify ) {
+			curl_setopt( $handle, CURLOPT_CAINFO, $r['sslcertificates'] );
+		}
+
 		curl_setopt( $handle, CURLOPT_USERAGENT, $r['user-agent'] );

 		/*
--- a/tests/phpunit/tests/http/base.php
+++ b/tests/phpunit/tests/http/base.php
@ -15,6 +15,8 @@ abstract class WP_HTTP_UnitTestCase extends WP_UnitTestCase {
 	var $redirection_script = 'http://api.wordpress.org/core/tests/1.0/redirection.php';
 	var $fileStreamUrl = 'http://s.w.org/screenshots/3.9/dashboard.png';

+	protected $http_request_args;
+
 	function setUp() {

 		if ( is_callable( array('WP_Http', '_getTransport') ) ) {
@ -42,6 +44,11 @@ abstract class WP_HTTP_UnitTestCase extends WP_UnitTestCase {
 		parent::tearDown();
 	}

+	function filter_http_request_args( array $args ) {
+		$this->http_request_args = $args;
+		return $args;
+	}
+
 	function test_redirect_on_301() {
 		// 5 : 5 & 301
 		$res = wp_remote_request($this->redirection_script . '?code=301&rt=' . 5, array('redirection' => 5) );
@ -282,6 +289,27 @@ abstract class WP_HTTP_UnitTestCase extends WP_UnitTestCase {

 	}

+	/**
+	 * Test HTTP requests where SSL verification is disabled but the CA bundle is still populated
+	 *
+	 * @ticket 33978
+	 */
+	function test_https_url_without_ssl_verification() {
+		$url = 'https://wordpress.org/';
+		$args = array(
+			'sslverify' => false,
+		);
+
+		add_filter( 'http_request_args', array( $this, 'filter_http_request_args' ) );
+
+		$res = wp_remote_head( $url, $args );
+
+		remove_filter( 'http_request_args', array( $this, 'filter_http_request_args' ) );
+
+		$this->assertNotEmpty( $this->http_request_args['sslcertificates'] );
+		$this->assertNotWPError( $res );
+	}
+
 	/**
 	 * Test HTTP Redirects with multiple Location headers specified
 	 *