** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000139
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask
on #mahara-dev or
** Changed in: mahara/15.04
Milestone: 15.04.8 => None
** Changed in: mahara/15.10
Milestone: 15.10.4 => None
** Changed in: mahara/16.04
Milestone: 16.04.2 => None
** Changed in: mahara/16.10
Milestone: 16.10.0 => None
** Changed in: mahara
Milestone: 16.04.1 => None
--
I was re-reading my previous remark and I wondered, "Why don't we just
disallow raw IP addresses as URLs?"
But to clarify, that's not the issue. Even if a user enters a non-IP
URL, SafeCURL extracts the domain name from the URL, resolves it to an
IP address, and does some checking against that IP
Abandoning this one. SafeCURL doesn't work with IPv6, which means we'd
either have to arbitrarily require only RSS feeds at IPv4-addressed
sites, or allow all IPv6 addresses, in which case we're not adding any
security.
So with that downside, it's not worth the extra risk and upkeep of
adding it.
Hm, well, we haven't seen any updates from the SafeCurl project since
Hugh posted those initial bug reports. On the other hand, it would still
improve our security versus what we've currently got. It just has
potentially a few unpatched holes.
So I think it's probably worth going ahead with this
Oh, I guess one thing we should check is whether SafeCURL will work with
PHP7, since it was written before PHP7 was released...
--
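The approach described in the comments above (resolve the host name, then check the resulting IP), extended to cover IPv6 as well as IPv4, as an added Python example. It is not SafeCURL's or Mahara's code; `check_feed_url`, the injected resolver and the sample DNS table are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (hypothetical hosts).
SAMPLE_DNS = {
    "feeds.example.org": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
    "intranet.example.org": ["10.0.0.5"],
    "v6-internal.example.org": ["fd12:3456:789a::1"],
    "mixed.example.org": ["93.184.216.34", "::1"],
    "mapped.example.org": ["::ffff:127.0.0.1"],
}

def sample_resolver(host):
    """Stand-in for a real A/AAAA lookup; returns a list of address strings."""
    return SAMPLE_DNS.get(host, [])

def address_is_public(text):
    ip = ipaddress.ip_address(text)
    # An IPv4-mapped IPv6 address is judged as the IPv4 address it carries.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global excludes private, loopback, link-local and reserved ranges
    # for both address families; multicast is rejected separately.
    return ip.is_global and not ip.is_multicast

def check_feed_url(url, resolver=sample_resolver):
    """Return (allowed, reason) for a user-supplied feed URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        # A literal IP in the URL goes through the same check as a resolved one.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        return False, "host does not resolve"
    # Every A and AAAA answer must be public; one internal answer rejects the URL.
    for addr in addresses:
        if not address_is_public(addr):
            return False, "non-public address " + addr
    return True, "ok"
```

The check only holds if the HTTP client then connects to one of the addresses that were validated, and if each redirect target is put through the same function.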
** Changed in: mahara/16.04
Milestone: 16.04.1 => 16.04.2
--
** Changed in: mahara/15.10
Milestone: 15.10.3 => 15.10.4
--
** Changed in: mahara/15.04
Milestone: 15.04.7 => 15.04.8
** Changed in: mahara/1.10
Milestone: 1.10.10 => None
--
** Changed in: mahara/1.10
Milestone: 1.10.9 => 1.10.10
** Changed in: mahara/15.04
Milestone: 15.04.6 => 15.04.7
** Changed in: mahara/15.10
Milestone: 15.10.2 => 15.10.3
--
** Changed in: mahara/1.10
Milestone: 1.10.8 => 1.10.9
--
** Changed in: mahara/15.04
Milestone: 15.04.5 => 15.04.6
** Changed in: mahara/15.10
Milestone: 15.10.1 => 15.10.2
--
** No longer affects: mahara/1.9
--
** No longer affects: mahara/1.8
** Changed in: mahara/1.9
Status: Confirmed => Won't Fix
** Changed in: mahara/1.9
Milestone: 1.9.9 => None
--
** Also affects: mahara/16.04
Importance: Undecided
Status: New
** Changed in: mahara/16.04
Milestone: None => 16.04.0
** Changed in: mahara/15.10
Milestone: 15.10.0 => 15.10.1
--
** Changed in: mahara/1.10
Milestone: 1.10.7 => 1.10.8
--
** Changed in: mahara/15.04
Milestone: 15.04.4 => 15.04.5
--
** Changed in: mahara/15.04
Milestone: 15.04.3 => 15.04.4
--
** Changed in: mahara/1.10
Milestone: 1.10.6 => 1.10.7
** Changed in: mahara/1.9
Milestone: 1.9.8 => 1.9.9
--
** Changed in: mahara/15.04
Milestone: 15.04.2 => 15.04.3
** Changed in: mahara/1.9
Milestone: 1.9.7 => 1.9.8
** Changed in: mahara/1.10
Milestone: 1.10.5 => 1.10.6
--
** Changed in: mahara/1.10
Milestone: 1.10.4 => 1.10.5
** Changed in: mahara/1.9
Milestone: 1.9.6 => 1.9.7
--
** Changed in: mahara/15.04
Milestone: 15.04.1 => 15.04.2
--
** Tags added: no-behat-needed
--
** Also affects: mahara/15.10
Importance: Undecided
Status: New
** Changed in: mahara/15.10
Milestone: None => 15.10.0
** Changed in: mahara/15.10
Importance: Undecided => High
** Changed in: mahara/15.10
Status: New => Confirmed
** Changed in: mahara/15.04
Status:
** Changed in: mahara/1.8
Status: Confirmed => Won't Fix
** Changed in: mahara/1.8
Milestone: 1.8.7 => None
--
** Changed in: mahara/1.10
Milestone: 1.10.3 => 1.10.4
--
** Changed in: mahara/15.04
Milestone: 15.04.0 => 15.04.1
--
** Information type changed from Public to Public Security
** Tags added: externalfeed
--
** Changed in: mahara/1.10
Milestone: 1.10.2 => 1.10.3
--
** Changed in: mahara/1.10
Assignee: (unassigned) => Aaron Wells (u-aaronw)
--
** Changed in: mahara/15.04
Status: Confirmed => In Progress
** Changed in: mahara/15.04
Assignee: (unassigned) => Aaron Wells (u-aaronw)
--
Here are the issues that Hugh found with SafeCurl:
https://github.com/fin1te/safecurl/issues/14
https://github.com/fin1te/safecurl/issues/15
https://github.com/fin1te/safecurl/issues/16
https://github.com/fin1te/safecurl/issues/18
https://github.com/fin1te/safecurl/issues/19
--
Patches:
https://reviews.mahara.org/4030
https://reviews.mahara.org/4031
--
Hugh tells me that he's found some bugs in SafeCurl and has submitted
patches for those, so we may want to hold off on this one until those
bugs are patched.
** Changed in: mahara/1.10
Milestone: None => 1.10.2
** Changed in: mahara/1.8
Milestone: None => 1.8.7
** Changed in: mahara/1.9