Details
-
Security Issue
-
Status: Unverified Fix (View Workflow)
-
Major
-
Resolution: Fixed
-
3.2.2
-
None
-
None
Description
The extension version check uses the file_downloader class where fsockopen() is used with a tls:// transport: https://github.com/phpbb/phpbb/blob/release-3.2.2/phpBB/phpbb/file_downloader.php#L45
It was introduced in this PR: https://github.com/phpbb/phpbb/pull/3929
Historically, the behavior of tls:// was to only allow TLS 1.0 connections. This was changed in PHP 5.6.0 to allow TLS 1.0, 1.1 or 1.2: https://github.com/php/php-src/commit/3a9829af2062527fb4e5cb11eb4ac3e045d0b370#diff-714485dc5d2ba8617ba0cb2dbfb7cd36R176
In PHP 5.6.7, this change was reverted for backward compatibility reasons: https://github.com/php/php-src/commit/10bc5fd4c4c8e1dd57bd911b086e9872a56300a0#diff-714485dc5d2ba8617ba0cb2dbfb7cd36R178
In above revert commit, you can also see that the ssl:// transport allows establishing TLS 1.0, 1.1 and 1.2 connection (and no SSLvX connections).
In PHP 7.2, the behavior was changed again. tls:// and ssl:// now do the same and allow TLS 1.0, 1.1 and 1.{{2 }}connections: https://github.com/php/php-src/commit/bec91e1117fd3527897cde2f8a26eab9a20fa3dc#diff-714485dc5d2ba8617ba0cb2dbfb7cd36R176
For this reason I think the file_downloader should be using ssl://. However, a side effect of that change would be that users with PHP version ∈ [5.6.0, 5.6.6] can only establish SSLv2 and SSLSv3 connections, and no TLS at all.
Pertinent PHP bug reports:
https://bugs.php.net/bug.php?id=69195
https://bugs.php.net/bug.php?id=69345