From 4f422fb2f6e59f08455746a4346e4ab35cc79a0e Mon Sep 17 00:00:00 2001 From: Djamil Legato Date: Sun, 18 Sep 2016 15:58:22 -0700 Subject: [PATCH 1/5] GPM: SSL verify peer and method (auto|fopen|curl) are now settings --- system/config/system.yaml | 2 + system/src/Grav/Common/GPM/Response.php | 105 +++++++++++++++--------- 2 files changed, 67 insertions(+), 40 deletions(-) diff --git a/system/config/system.yaml b/system/config/system.yaml index 4f1384ca4e..4d8ab76ae1 100644 --- a/system/config/system.yaml +++ b/system/config/system.yaml @@ -129,3 +129,5 @@ session: gpm: releases: stable # Set to either 'stable' or 'testing' proxy_url: # Configure a manual proxy URL for GPM (eg 127.0.0.1:3128) + method: 'auto' # Either 'curl', 'fopen' or 'auto'. 'auto' will try fopen first and if not available cURL + verify_peer: false # Sometimes on some systems (Windows most commonly) GPM is unable to connect because the SSL certificate cannot be verified. Disabling this setting might help. diff --git a/system/src/Grav/Common/GPM/Response.php b/system/src/Grav/Common/GPM/Response.php index 5e7e8e9a36..6df84f56e1 100644 --- a/system/src/Grav/Common/GPM/Response.php +++ b/system/src/Grav/Common/GPM/Response.php @@ -41,6 +41,7 @@ class Response CURLOPT_FOLLOWLOCATION => true, CURLOPT_TIMEOUT => 15, CURLOPT_HEADER => false, + //CURLOPT_SSL_VERIFYPEER => false, // this is set in the constructor since it's a setting /** * Example of callback parameters from within your own class */ 
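Review bot: The added comment `// this is set in the constructor since it's a setting` is inaccurate: the value is applied in the static `get()` method (the `@@ -101,8 +108,59 @@` hunk of this patch), and no constructor appears anywhere in the diff. The same wording is repeated in the `'fopen'` defaults hunk (`@@ -48,11 +49,17 @@`) and is kept by patch 5/5. I would drop the commented-out option and leave one accurate line, e.g. `// CURLOPT_SSL_VERIFYPEER is taken from system.gpm.verify_peer in get()`. The `$defaults` array starts and ends outside the hunk.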
@@ -48,11 +49,17 @@ class Response
 //CURLOPT_PROGRESSFUNCTION => [$this, 'progress']
 ],
 'fopen' => [
- 'method' => 'GET',
- 'user_agent' => 'Grav GPM',
- 'max_redirects' => 5,
- 'follow_location' => 1,
- 'timeout' => 15,
+ 'method' => 'GET',
+ 'user_agent' => 'Grav GPM',
+ 'max_redirects' => 5,
+ 'follow_location' => 1,
+ 'timeout' => 15,
+ /* // this is set in the constructor since it's a setting
+ 'ssl' => [
+ 'verify_peer' => false,
+ 'verify_peer_name' => false,
+ ],
+ */
 /**
 * Example of callback parameters from within your own class
 */
@@ -101,8 +108,59 @@ public static function get($uri = '', $options = [], $callback = null) } catch (\Exception $e) { } - $options = array_replace_recursive(self::$defaults, $options); - $method = 'get' . ucfirst(strtolower(self::$method)); + $config = Grav::instance()['config']; + $overrides = []; + + // SSL Verify Peer and Proxy Setting + $settings = [ + 'method' => $config->get('system.gpm.method', self::$method), + 'verify_peer' => $config->get('system.gpm.verify_peer', true), + // `system.proxy_url` is for fallback + // introduced with 1.1.0-beta.1 probably safe to remove at some point + 'proxy_url' => $config->get('system.gpm.proxy_url', $config->get('system.proxy_url', false)), + ]; + + $overrides = array_replace_recursive([], $overrides, [ + 'curl' => [ + CURLOPT_SSL_VERIFYPEER => $settings['verify_peer'] + ], + 'fopen' => [ + 'ssl' => [ + 'verify_peer' => $settings['verify_peer'], + 'verify_peer_name' => $settings['verify_peer'], + ] + ] + ]); + + // Proxy Setting + if ($settings['proxy_url']) { + $proxy = parse_url($settings['proxy_url']); + $fopen_proxy = ($proxy['scheme'] ?: 'http') . '://' . $proxy['host'] . (isset($proxy['port']) ? ':' . $proxy['port'] : ''); + + $overrides = array_replace_recursive([], $overrides, [ + 'curl' => [ + CURLOPT_PROXY => $proxy['host'], + CURLOPT_PROXYTYPE => 'HTTP' + ], + 'fopen' => [ + 'proxy' => $fopen_proxy, + 'request_fulluri' => true + ] + ]); + + if (isset($proxy['port'])) { + $overrides['curl'][CURLOPT_PROXYPORT] = $proxy['port']; + } + + if (isset($proxy['user']) && isset($proxy['pass'])) { + $fopen_auth = $auth = base64_encode($proxy['user'] . ':' . $proxy['pass']); + $overrides['curl'][CURLOPT_PROXYUSERPWD] = $proxy['user'] . ':' . $proxy['pass']; + $overrides['fopen']['header'] = "Proxy-Authorization: Basic $fopen_auth"; + } + } + + $options = array_replace_recursive(self::$defaults, $options, $overrides); + $method = 'get' . 
ucfirst(strtolower($settings['method'])); self::$callback = $callback; return static::$method($uri, $options, $callback); @@ -199,21 +257,6 @@ private static function getFopen() $options = $args[1]; $callback = $args[2]; - // if proxy set add that - $config = Grav::instance()['config']; - $proxy_url = $config->get('system.gpm.proxy_url', $config->get('system.proxy_url')); - if ($proxy_url) { - $parsed_url = parse_url($proxy_url); - - $options['fopen']['proxy'] = ($parsed_url['scheme'] ?: 'http') . '://' . $parsed_url['host'] . (isset($parsed_url['port']) ? ':' . $parsed_url['port'] : ''); - $options['fopen']['request_fulluri'] = true; - - if (isset($parsed_url['user']) && isset($parsed_url['pass'])) { - $auth = base64_encode($parsed_url['user'] . ':' . $parsed_url['pass']); - $options['fopen']['header'] = "Proxy-Authorization: Basic $auth"; - } - } - if ($callback) { $options['fopen']['notification'] = ['self', 'progress']; } @@ -276,24 +319,6 @@ private static function curlExecFollow($ch, $options, $callback) ); } - // if proxy set add that - $config = Grav::instance()['config']; - $proxy_url = $config->get('system.gpm.proxy_url', $config->get('system.proxy_url')); - if ($proxy_url) { - $parsed_url = parse_url($proxy_url); - - $options['curl'][CURLOPT_PROXY] = $parsed_url['host']; - $options['curl'][CURLOPT_PROXYTYPE] = 'HTTP'; - - if (isset($parsed_url['port'])) { - $options['curl'][CURLOPT_PROXYPORT] = $parsed_url['port']; - } - - if (isset($parsed_url['user']) && isset($parsed_url['pass'])) { - $options['curl'][CURLOPT_PROXYUSERPWD] = $parsed_url['user'] . ':' . $parsed_url['pass']; - } - } - // no open_basedir set, we can proceed normally if (!ini_get('open_basedir')) { curl_setopt_array($ch, $options['curl']); From 8a8fa9bb4133a935f71917caca0a9554e9529693 Mon Sep 17 00:00:00 2001 
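Review bot: In the `@@ -101,8 +108,59 @@` hunk, `$settings['method']` comes straight from `system.gpm.method` and is turned into a method name that is invoked through `static::$method(...)`, with no check that it is one of the three documented values; a typo in a hand-edited system.yaml would become a call to an undefined method (the admin blueprint in patch 2/5 constrains the form, not the file). In the proxy block, `parse_url()` returns false for a malformed URL and omits keys for absent components, so `$proxy['scheme'] ?: 'http'` reads an undefined index for a value like the documented `127.0.0.1:3128` example, and `$proxy['host']` is used unchecked. Smaller points: `CURLOPT_PROXYTYPE` takes the `CURLPROXY_HTTP` constant rather than the string `'HTTP'`, and `$auth` is assigned but never used. `get()` starts and ends outside the hunk, so whether callers catch the exception proposed below needs confirming.

```php
// … unchanged: $config, $overrides, $settings …
if (!in_array($settings['method'], ['auto', 'fopen', 'curl'], true)) {
    // unknown value in config: fall back to the class default instead of dispatching on it
    $settings['method'] = self::$method;
}

// … unchanged: verify_peer overrides …
if ($settings['proxy_url']) {
    $proxy = parse_url($settings['proxy_url']);
    if ($proxy === false || !isset($proxy['host'])) {
        throw new \InvalidArgumentException('system.gpm.proxy_url is not a valid proxy URL');
    }
    $scheme = isset($proxy['scheme']) ? $proxy['scheme'] : 'http';
    $fopen_proxy = $scheme . '://' . $proxy['host'] . (isset($proxy['port']) ? ':' . $proxy['port'] : '');
    // … unchanged: curl/fopen proxy overrides, with CURLOPT_PROXYTYPE => CURLPROXY_HTTP …
    if (isset($proxy['user']) && isset($proxy['pass'])) {
        $fopen_auth = base64_encode($proxy['user'] . ':' . $proxy['pass']);
        // … unchanged: CURLOPT_PROXYUSERPWD and Proxy-Authorization header …
    }
}
```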
From: Djamil Legato Date: Sun, 18 Sep 2016 16:12:16 -0700 Subject: [PATCH 2/5] Added Admin blueprints settings --- system/blueprints/config/system.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/system/blueprints/config/system.yaml b/system/blueprints/config/system.yaml index 8c5b93fdf6..3159c9abb0 100644 --- a/system/blueprints/config/system.yaml +++ b/system/blueprints/config/system.yaml @@ -982,6 +982,27 @@ form: label: PLUGIN_ADMIN.PROXY_URL help: PLUGIN_ADMIN.PROXY_URL_HELP + gpm.method: + type: toggle + label: PLUGIN_ADMIN.GPM_METHOD + highlight: auto + help: PLUGIN_ADMIN.GPM_METHOD_HELP + options: + auto: PLUGIN_ADMIN.AUTO + fopen: PLUGIN_ADMIN.FOPEN + curl: PLUGIN_ADMIN.CURL + + gpm.verify_peer: + type: toggle + label: PLUGIN_ADMIN.VERIFY_PEER + highlight: 1 + help: PLUGIN_ADMIN.VERIFY_PEER_HELP + options: + 1: PLUGIN_ADMIN.YES + 0: PLUGIN_ADMIN.NO + validate: + type: bool + reverse_proxy_setup: type: toggle label: PLUGIN_ADMIN.REVERSE_PROXY From bd1393c312705d3016bb1eceb1f1d69cf7e3fdb8 Mon Sep 17 00:00:00 2001 From: Djamil Legato Date: Sun, 18 Sep 2016 18:31:23 -0700 Subject: [PATCH 3/5] Fixed default verify_peer value --- system/config/system.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/config/system.yaml b/system/config/system.yaml index 4d8ab76ae1..9e55166fee 100644 --- a/system/config/system.yaml +++ b/system/config/system.yaml 
@@ -130,4 +130,4 @@ gpm: releases: stable # Set to either 'stable' or 'testing' proxy_url: # Configure a manual proxy URL for GPM (eg 127.0.0.1:3128) method: 'auto' # Either 'curl', 'fopen' or 'auto'. 'auto' will try fopen first and if not available cURL - verify_peer: false # Sometimes on some systems (Windows most commonly) GPM is unable to connect because the SSL certificate cannot be verified. Disabling this setting might help. + verify_peer: true # Sometimes on some systems (Windows most commonly) GPM is unable to connect because the SSL certificate cannot be verified. Disabling this setting might help. From ac123443951ea9893a3bf15831123d56b112ff2c Mon Sep 17 00:00:00 2001 From: Djamil Legato Date: Sun, 18 Sep 2016 18:54:17 -0700 Subject: [PATCH 4/5] Fixed lang references for verify_peer --- system/blueprints/config/system.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/system/blueprints/config/system.yaml b/system/blueprints/config/system.yaml index 3159c9abb0..007c9f52a2 100644 --- a/system/blueprints/config/system.yaml +++ b/system/blueprints/config/system.yaml @@ -994,9 +994,9 @@ form: gpm.verify_peer: type: toggle - label: PLUGIN_ADMIN.VERIFY_PEER + label: PLUGIN_ADMIN.GPM_VERIFY_PEER highlight: 1 - help: PLUGIN_ADMIN.VERIFY_PEER_HELP + help: PLUGIN_ADMIN.GPM_VERIFY_PEER_HELP options: 1: PLUGIN_ADMIN.YES 0: PLUGIN_ADMIN.NO From 0ce57eb240b6c86e1aca4680194bf1bcd9b54922 Mon Sep 17 00:00:00 2001 From: Djamil Legato Date: Mon, 19 Sep 2016 08:14:34 -0700 Subject: [PATCH 5/5] Minor fixes for improper comments default values --- system/src/Grav/Common/GPM/Response.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/system/src/Grav/Common/GPM/Response.php b/system/src/Grav/Common/GPM/Response.php index 6df84f56e1..bcbba94fab 100644 --- a/system/src/Grav/Common/GPM/Response.php +++ b/system/src/Grav/Common/GPM/Response.php 
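Review bot: The comment on `verify_peer` in the `@@ -130,4 +130,4 @@` hunk of system/config/system.yaml still reads as a troubleshooting tip ("Disabling this setting might help") and does not say what is given up. With the setting off, Response.php disables both `verify_peer` and `verify_peer_name` for fopen and `CURLOPT_SSL_VERIFYPEER` for cURL, so GPM accepts responses from any host able to intercept the connection. I would reword it along the lines of `# Verify the SSL certificate of GPM connections. Keep enabled; if verification fails, fix the CA bundle (php.ini openssl.cafile / curl.cainfo) rather than disabling it.` The `gpm:` mapping starts outside the hunk.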
@@ -41,7 +41,7 @@ class Response
 CURLOPT_FOLLOWLOCATION => true,
 CURLOPT_TIMEOUT => 15,
 CURLOPT_HEADER => false,
- //CURLOPT_SSL_VERIFYPEER => false, // this is set in the constructor since it's a setting
+ //CURLOPT_SSL_VERIFYPEER => true, // this is set in the constructor since it's a setting
 /**
 * Example of callback parameters from within your own class
 */
@@ -56,8 +56,8 @@ class Response
 'timeout' => 15,
 /* // this is set in the constructor since it's a setting
 'ssl' => [
- 'verify_peer' => false,
- 'verify_peer_name' => false,
+ 'verify_peer' => true,
+ 'verify_peer_name' => true,
 ],
 */
 /**