https://bugzilla.wikimedia.org/show_bug.cgi?id=29232

       Web browser: ---
             Bug #: 29232
           Summary: Let Http / MWHttpRequest handle redirects safely on
                    any CURL version
           Product: MediaWiki
           Version: 1.19-svn
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: General/Unknown
        AssignedTo: wikibugs-l@lists.wikimedia.org
        ReportedBy: br...@wikimedia.org
    Classification: Unclassified


Security checks added in r67684 disable redirect-following for HTTP requests
when using the CURL backend if the CURL version is an older version known to
improperly validate the redirects.

Since we have code to follow HTTP redirects in PhpHttpRequest already, it ought
to be simple to just bump some of the logic up a level and run that above the
abstraction layer, using it for CurlHttpRequest as well rather than using the
CURLOPT_FOLLOWLOCATION option.

This would allow our own protocol security checks to be applied consistently at
all times, and could also allow for a callback, e.g. for the caller to apply
their own domain checks at each stage.
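
The approach proposed above, as an added example that is not part of the original report and is not MediaWiki code: a redirect loop run above the backend that re-checks the protocol on every hop and gives the caller a per-hop callback. The function names, the `$fetch` transport stub and the sample responses are assumptions constructed for illustration (PHP 7.4+).

```php
<?php
// Added illustration, not MediaWiki code; every name below is hypothetical.
// $fetch makes ONE request without following redirects: [ 'status', 'location', 'body' ].
function followRedirectsSafely( string $url, callable $fetch, ?callable $onHop = null, int $maxHops = 5 ): array {
	for ( $hop = 0; $hop <= $maxHops; $hop++ ) {
		$parts = parse_url( $url );
		$scheme = strtolower( $parts['scheme'] ?? '' );
		// Protocol check runs on the first URL and on every redirect target.
		if ( !in_array( $scheme, [ 'http', 'https' ], true ) || empty( $parts['host'] ) ) {
			throw new RuntimeException( "Blocked scheme or missing host: $url" );
		}
		// Caller-supplied check, e.g. a domain allowlist, applied at each stage.
		if ( $onHop !== null && !$onHop( $url, $hop ) ) {
			throw new RuntimeException( "Caller rejected hop $hop: $url" );
		}
		$res = $fetch( $url );
		if ( $res['status'] < 300 || $res['status'] >= 400 || empty( $res['location'] ) ) {
			return [ 'finalUrl' => $url, 'hops' => $hop ] + $res;
		}
		$url = resolveLocation( $url, $res['location'] );
	}
	throw new RuntimeException( "Too many redirects (limit $maxHops)" );
}

// Resolve a Location value against the current URL (dot segments are not normalized).
function resolveLocation( string $base, string $location ): string {
	if ( preg_match( '#^[a-z][a-z0-9+.-]*:#i', $location ) ) {
		return $location; // absolute; validated by the next loop iteration
	}
	$b = parse_url( $base );
	$origin = $b['scheme'] . '://' . $b['host'] . ( isset( $b['port'] ) ? ':' . $b['port'] : '' );
	if ( $location[0] === '/' ) {
		return strncmp( $location, '//', 2 ) === 0 ? $b['scheme'] . ':' . $location : $origin . $location;
	}
	return $origin . preg_replace( '#/[^/]*$#', '/', $b['path'] ?? '/' ) . $location;
}

// Constructed responses: the second redirect tries to leave HTTP(S).
$canned = [
	'http://example.org/start' => [ 'status' => 302, 'location' => '/moved', 'body' => '' ],
	'http://example.org/moved' => [ 'status' => 301, 'location' => 'ftp://files.example.org/x', 'body' => '' ],
];
$fetch = fn ( string $url ): array => $canned[$url] ?? [ 'status' => 200, 'location' => null, 'body' => 'ok' ];
$sameDomain = fn ( string $url, int $hop ): bool => parse_url( $url, PHP_URL_HOST ) === 'example.org';
try {
	followRedirectsSafely( 'http://example.org/start', $fetch, $sameDomain );
} catch ( RuntimeException $e ) {
	echo $e->getMessage(), "\n";
}
```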
