https://bugzilla.wikimedia.org/show_bug.cgi?id=29232
Web browser: ---
Bug #: 29232
Summary: Let Http / MWHttpRequest handle redirects safely on any CURL version
Product: MediaWiki
Version: 1.19-svn
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: General/Unknown
AssignedTo: wikibugs-l@lists.wikimedia.org
ReportedBy: br...@wikimedia.org
Classification: Unclassified

Security checks added in r67684 disable redirect-following for HTTP requests when using the CURL backend if the CURL version is an older version known to improperly validate the redirects.

Since we have code to follow HTTP redirects in PhpHttpRequest already, it ought to be simple to just bump some of the logic up a level and run that above the abstraction layer, using it for CurlHttpRequest as well rather than using the CURLOPT_FOLLOWLOCATION option.

This would allow our own protocol security checks to be applied consistently at all times, and could also allow for a callback, e.g. for the caller to apply their own domain checks at each stage.
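
The approach proposed in this report, sketched as an added example (not MediaWiki's code and not written by the reporter): a redirect loop that runs above the transport, re-checks the scheme and host at every hop, and calls a caller-supplied check before each request. The names followRedirectsSafely, resolveLocation, $fetch and $hopCheck are hypothetical, and the example.org responses are constructed.

```php
<?php
// Added example; every name here is hypothetical, not MediaWiki code.
// $fetch performs ONE request with automatic redirect-following off and
// returns ['status' => int, 'location' => ?string, 'body' => string].
function followRedirectsSafely(string $url, callable $fetch, ?callable $hopCheck = null, int $maxHops = 5): array {
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $parts = parse_url($url);
        $scheme = strtolower($parts['scheme'] ?? '');
        // Protocol check applied to the initial URL and to every redirect target.
        if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
            throw new RuntimeException("Blocked URL at hop $hop: $url");
        }
        // Caller-supplied callback, e.g. a domain check at each stage.
        if ($hopCheck !== null && !$hopCheck($url)) {
            throw new RuntimeException("Caller rejected URL at hop $hop: $url");
        }
        $res = $fetch($url);
        $location = $res['location'] ?? '';
        if ($res['status'] < 300 || $res['status'] >= 400 || $location === '') {
            return ['url' => $url, 'hops' => $hop] + $res;
        }
        $url = resolveLocation($parts, $location);
    }
    throw new RuntimeException("Too many redirects (limit $maxHops)");
}

// Turn a Location header value into an absolute URL based on the current one.
function resolveLocation(array $base, string $location): string {
    if (parse_url($location, PHP_URL_SCHEME) !== null) {
        return $location; // absolute; validated at the top of the next iteration
    }
    if (strpos($location, '//') === 0) {
        return $base['scheme'] . ':' . $location; // protocol-relative
    }
    $origin = $base['scheme'] . '://' . $base['host'] . (isset($base['port']) ? ':' . $base['port'] : '');
    $dir = preg_replace('#/[^/]*$#', '/', $base['path'] ?? '/');
    return $origin . ($location[0] === '/' ? '' : $dir) . $location;
}

// Constructed responses standing in for the network.
$responses = [
    'http://example.org/a' => ['status' => 302, 'location' => '/b', 'body' => ''],
    'http://example.org/b' => ['status' => 200, 'location' => null, 'body' => 'ok'],
    'http://example.org/c' => ['status' => 301, 'location' => 'file:///tmp/constructed', 'body' => ''],
];
$fetch = fn(string $u): array => $responses[$u];
$sameHost = fn(string $u): bool => parse_url($u, PHP_URL_HOST) === 'example.org';
print_r(followRedirectsSafely('http://example.org/a', $fetch, $sameHost));
try { followRedirectsSafely('http://example.org/c', $fetch, $sameHost); }
catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

Because each hop goes back through the same validation, the checks behave the same whichever transport sits behind $fetch.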