Merge pull request #53 from GrahamCampbell/patch-1

Avoid the getenv function when unsafe

Author: Seldaek

src/CaBundle.php

@@ -71,11 +71,11 @@ public static function getSystemCaRootBundlePath(LoggerInterface $logger = null)
 
         // If SSL_CERT_FILE env variable points to a valid certificate/bundle, use that.
         // This mimics how OpenSSL uses the SSL_CERT_FILE env variable.
-        $caBundlePaths[] = getenv('SSL_CERT_FILE');
+        $caBundlePaths[] = self::getEnvVariable('SSL_CERT_FILE');
 
         // If SSL_CERT_DIR env variable points to a valid certificate/bundle, use that.
         // This mimics how OpenSSL uses the SSL_CERT_FILE env variable.
-        $caBundlePaths[] = getenv('SSL_CERT_DIR');
+        $caBundlePaths[] = self::getEnvVariable('SSL_CERT_DIR');
 
         $caBundlePaths[] = ini_get('openssl.cafile');
         $caBundlePaths[] = ini_get('openssl.capath');
@@ -299,6 +299,19 @@ public static function reset()
         self::$useOpensslParse = null;
     }
 
+    private static function getEnvVariable($name)
+    {
+        if (isset($_SERVER[$name])) {
+            return (string) $_SERVER[$name];
+        }
+
+        if (PHP_SAPI === 'cli' && ($value = getenv($name)) !== false && $value !== null) {
+            return (string) $value;
+        }
+
+        return false;
+    }
+
     private static function caFileUsable($certFile, LoggerInterface $logger = null)
     {
         return $certFile && @is_file($certFile) && @is_readable($certFile) && static::validateCaFile($certFile, $logger);