[Bug 29232] New: Let Http / MWHttpRequest handle redirects safely on any CURL version

bugzilla-daemon Wed, 01 Jun 2011 11:34:46 -0700

https://bugzilla.wikimedia.org/show_bug.cgi?id=29232


       Web browser: ---
             Bug #: 29232
           Summary: Let Http / MWHttpRequest handle redirects safely on
                    any CURL version
           Product: MediaWiki
           Version: 1.19-svn
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: General/Unknown
        AssignedTo: [email protected]
        ReportedBy: [email protected]
    Classification: Unclassified


Security checks added in r67684 disable redirect-following for HTTP requests
when using the CURL backend if the CURL version is an older version known to
improperly validate the redirects.

Since we have code to follow HTTP redirects in PhpHttpRequest already, it ought
to be simple to just bump some of the logic up a level and run that above the
abstraction layer, using it for CurlHttpRequest as well rather than using the
CURLOPT_FOLLOWLOCATION option.

This would allow our own protocol security checks to be applied consistently at
all times, and could also allow for a callback, eg for the caller to apply
their own domain checks at each stage.

-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are on the CC list for the bug.

_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 29232] New: Let Http / MWHttpRequest handle redirects safely on any CURL version

Reply via email to