Updates for new Buzz lib and PSR-7 requests & responses #168
Conversation
…ed version for dev unit testing
…ponses, and middleware over listeners
|
@richsage I see that Buzz now also require PHP 7.1+. While this is a bit aggressive they had also already moved to 5.4+ previously so the requirements were already out of sync. For now I'm going to propose moving this lib to PHP 7.1+ in this PR too, since supporting both old & new Buzz versions in the same branch would require a lot of duplicate logic. |
| // We'll need to set this per-request if `$client` was provided in constructor. | ||
| $this->clientOptions = array( | ||
| 'timeout' => $timeout, | ||
| 'verify_peer' => false, |
There was a problem hiding this comment.
this shall be verify if you check https://github.com/kriswallsmith/Buzz/blob/master/lib/Client/AbstractClient.php#L91
There was a problem hiding this comment.
Good spot @jhkchan. I see here this option is actually also being used to toggle CURLOPT_SSL_VERIFYHOST too. This means the result is actually a further weakening of security checks vs. the old setVerifyPeer(false) call.
But since the new Buzz doesn't let you separate the two, and I am assuming there was a reason for the old option call, changing to the new option seems like the only safe fix for now.
This will disable both peer and host SSL verification by cURL
| "psr/log": "^1.0" | ||
| }, | ||
| "require-dev": { | ||
| "phpunit/phpunit": "^5.7.27", | ||
| "symfony/symfony": "^2.0 || ^3.0" |
There was a problem hiding this comment.
Can we have || ^4.0 too, when we are on it, or are there too many breaks?
(Even better, to support Flex, remove symfony/symfony and restrict to the relevant components...)
Fixes #167