From a0be6bbb12e6a514d9b2c29d4a05781144be0ab7 Mon Sep 17 00:00:00 2001
From: John Blackbourn <johnbillion@git.wordpress.org>
Date: Sun, 27 Sep 2015 21:37:00 +0000
Subject: [PATCH] Don't set `CURLOPT_CAINFO` when `sslverify` is false when
 sending HTTP API requests through cURL. This avoids sending redundant
 information to cURL, and avoids a bug in Apple's SecureTransport library
 which causes a request to fail when a CA bundle is set but certificate
 verification is disabled.

This fixes issues with local HTTPS requests (eg. WP Cron) on OS X where cURL is using SecureTransport instead of OpenSSL.

Fixes #33978


git-svn-id: https://develop.svn.wordpress.org/trunk@34639 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/class-wp-http-curl.php |  6 +++++-
 tests/phpunit/tests/http/base.php      | 28 ++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/src/wp-includes/class-wp-http-curl.php b/src/wp-includes/class-wp-http-curl.php
index b7382da320..d59ddecfad 100644
--- a/src/wp-includes/class-wp-http-curl.php
+++ b/src/wp-includes/class-wp-http-curl.php
@@ -133,7 +133,11 @@ class WP_Http_Curl {
 		curl_setopt( $handle, CURLOPT_RETURNTRANSFER, true );
 		curl_setopt( $handle, CURLOPT_SSL_VERIFYHOST, ( $ssl_verify === true ) ? 2 : false );
 		curl_setopt( $handle, CURLOPT_SSL_VERIFYPEER, $ssl_verify );
-		curl_setopt( $handle, CURLOPT_CAINFO, $r['sslcertificates'] );
+
+		if ( $ssl_verify ) {
+			curl_setopt( $handle, CURLOPT_CAINFO, $r['sslcertificates'] );
+		}
+
 		curl_setopt( $handle, CURLOPT_USERAGENT, $r['user-agent'] );
 
 		/*
diff --git a/tests/phpunit/tests/http/base.php b/tests/phpunit/tests/http/base.php
index d3ec48546f..14a58c4a0c 100644
--- a/tests/phpunit/tests/http/base.php
+++ b/tests/phpunit/tests/http/base.php
@@ -15,6 +15,8 @@ abstract class WP_HTTP_UnitTestCase extends WP_UnitTestCase {
 	var $redirection_script = 'http://api.wordpress.org/core/tests/1.0/redirection.php';
 	var $fileStreamUrl = 'http://s.w.org/screenshots/3.9/dashboard.png';
 
+	protected $http_request_args;
+
 	function setUp() {
 
 		if ( is_callable( array('WP_Http', '_getTransport') ) ) {
@@ -42,6 +44,11 @@ abstract class WP_HTTP_UnitTestCase extends WP_UnitTestCase {
 		parent::tearDown();
 	}
 
+	function filter_http_request_args( array $args ) {
+		$this->http_request_args = $args;
+		return $args;
+	}
+
 	function test_redirect_on_301() {
 		// 5 : 5 & 301
 		$res = wp_remote_request($this->redirection_script . '?code=301&rt=' . 5, array('redirection' => 5) );
@@ -282,6 +289,27 @@ abstract class WP_HTTP_UnitTestCase extends WP_UnitTestCase {
 
 	}
 
+	/**
+	 * Test HTTP requests where SSL verification is disabled but the CA bundle is still populated
+	 *
+	 * @ticket 33978
+	 */
+	function test_https_url_without_ssl_verification() {
+		$url = 'https://wordpress.org/';
+		$args = array(
+			'sslverify' => false,
+		);
+
+		add_filter( 'http_request_args', array( $this, 'filter_http_request_args' ) );
+
+		$res = wp_remote_head( $url, $args );
+
+		remove_filter( 'http_request_args', array( $this, 'filter_http_request_args' ) );
+
+		$this->assertNotEmpty( $this->http_request_args['sslcertificates'] );
+		$this->assertNotWPError( $res );
+	}
+
 	/**
 	 * Test HTTP Redirects with multiple Location headers specified
 	 *