https://bugzilla.wikimedia.org/show_bug.cgi?id=40679

--- Comment #12 from Krinkle <krinklem...@gmail.com> 2012-10-02 05:33:57 UTC ---
(In reply to comment #11)
> The primary problem right now is that there exists a case where giving
> PROTO_HTTPS to wfExpandUrl() does not give an HTTPS uri. This is a security
> vulnerability, as well as the root for possible bugs. So the main question is:
> why does wfExpandUrl do this, and what will happen if we change it?

How is that a security vulnerability? wfExpandUrl is by no means a security
measure, and PROTO_HTTPS is nowhere documented nor intended to generate https
urls. The argument to wfExpandUrl means the "preferred protocol if there isn't
any", not the "protocol that will be used in the url".

To put it bluntly, if something relies on it returning on https, then it is
plain wrong. If that is the topic of this bug, then afaik we can close this as
an invalid bug.

Please describe (or show) the code that is passing PROTO_HTTPS to wfExpandUrl.
