Please remove CURLOPT_SSL_VERIFYHOST = false. #18

Open
danmarsden opened this issue Mar 18, 2022 · 2 comments

Comments

@danmarsden

This should not be possible using settings - especially with a payment related plugin. SSL verifyhost should always be required.

Please note - this is a blocker for approval.

@nawazsharif
Collaborator

Changed all curl instead of curl_init

@danmarsden
Author

Hmm - this issue is not the same as changing to the curl class ... you still have the ability to bypass the verification of the SSL cert - this is extremely bad security practice and should not be possible with a payment plugin.

https://github.com/eLearning-BS23/moodle-availability_sslcommerz/blob/main/checkout.php#L123

Please take another look and remove this setting - it should not be needed.

@AnowarCST AnowarCST reopened this Mar 31, 2022
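
A reviewer-side check for the problem raised in this thread, added here as an example and not taken from the plugin or its maintainers: it scans PHP source for `CURLOPT_SSL_VERIFYHOST` / `CURLOPT_SSL_VERIFYPEER` assignments that are switched off, set to a non-strict literal, or driven by a variable or setting. The PHP in `SAMPLE_PHP` is constructed for the demonstration, and the names `classify`, `scan` and `availability_example` are hypothetical.

```python
import re

# Matches curl_setopt($ch, OPT, value) and array style 'OPT' => value.
ASSIGN = re.compile(
    r"""['"]?(CURLOPT_SSL_VERIFY(?:HOST|PEER))['"]?\s*(?:,|=>)\s*([^;\n]+)"""
)

def classify(opt, value):
    """Return 'ok', 'disabled', 'weak' or 'configurable' for one assignment."""
    v = value.strip(" ,)").lower()
    if v in ("0", "false", "null"):
        return "disabled"
    # VERIFYHOST only checks the hostname against the certificate when set to 2.
    strict = {"2"} if opt.endswith("HOST") else {"1", "true"}
    if v in strict:
        return "ok"
    # A variable or function call means a setting can switch the check off.
    return "configurable" if ("$" in v or "(" in v) else "weak"

def scan(php_source):
    """Return (line number, option, verdict) for every non-strict assignment."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue  # skip comment lines
        for opt, value in ASSIGN.findall(line):
            verdict = classify(opt, value)
            if verdict != "ok":
                findings.append((lineno, opt, verdict))
    return findings

# Constructed sample, not the plugin's checkout.php.
SAMPLE_PHP = """\
$curl = new curl();
$curl->setopt(array(
    'CURLOPT_SSL_VERIFYHOST' => $verifyhost,
    'CURLOPT_SSL_VERIFYPEER' => true,
));
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, get_config('availability_example', 'verifypeer'));
"""

if __name__ == "__main__":
    for lineno, opt, verdict in scan(SAMPLE_PHP):
        print(f"line {lineno}: {opt} is {verdict}")
```

A `configurable` verdict is the case this issue describes: the check still exists in code, but a setting decides whether it runs.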