User "Brion VIBBER" posted a comment on MediaWiki.r67684. Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/67684#c17426 Commit summary:
Commit summary:

Fixes for r61911:
* Do not follow redirects by default. This breaks on safe_mode, and may potentially open security vulnerabilities in callers which blacklist domain names. Instead, send followRedirects=true option in the HttpTest caller that needs it.
* Added a check for the cURL security vulnerability CVE-2009-0037, which allowed redirects to file:/// and scp://. Refuse to follow redirects if a vulnerable client library is present.
* Factored out the redirect compatibility test into public function canFollowRedirects() so that callers can provide this information to users.
* In PhpHttpRequest, only follow redirects to HTTP URLs, do not fopen() arbitrary locations. This is not quite as bad as it sounds, since the lack of response headers prevents file:/// content from being returned to the caller.
* Fixed vertical alignment in Http::request(), per style guide.
* 304, 305 and 306 responses are not really redirects and cannot contain a Location header.

Comment:

Stumbled on this old change while poking something else; I'm not sure that that check should actually be there to begin with, I suspect it was meant to exclude file paths and such rather than to actually exclude https specifically. I've stuck a quick note in bug 29231 -- the addition of the check seems to have been in refactoring in r61352, and it probably should just be changed to check both 'http' and 'https'.

As for the curl mode; we could probably handle the redirect following ourselves rather than letting CURL do it, so we can apply our own security checks on each fresh URL, so there'd be no need to check for the old broken versions.

_______________________________________________
MediaWiki-CodeReview mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview

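The approach Brion describes in the comment above, following redirects in the client itself so that a scheme and host check can be applied to every hop rather than trusting the library, is illustrated here as an added example. It is not MediaWiki code and is written in Python rather than the project's PHP; the `fetch` callback, the `RedirectRefused` exception and the `FAKE_RESPONSES` table are constructed for this example so that it runs offline. It also encodes the two other points from the commit summary: only `http` and `https` targets are accepted (so a `file:///` Location, the CVE-2009-0037 case, is refused), and 304/305/306 are not treated as redirects even if a Location header is present.

```python
from urllib.parse import urljoin, urlsplit

# Only HTTP(S) targets may be fetched; file:///, scp:// etc. are refused on every hop.
ALLOWED_SCHEMES = {"http", "https"}
# Status codes that carry a Location we will honour; 304, 305 and 306 are not redirects.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class RedirectRefused(Exception):
    """Raised when a hop fails the security check or the redirect chain is too long."""


def url_is_allowed(url, blocked_hosts):
    """Scheme must be http/https and the host must be present and not blacklisted."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = (parts.hostname or "").lower()
    return bool(host) and host not in blocked_hosts


def fetch_following_redirects(url, fetch, blocked_hosts=frozenset(), max_redirects=5):
    """Follow redirects by hand so url_is_allowed() runs against every fresh URL.

    fetch(url) -> (status, headers, body) performs one request with redirects disabled.
    Returns (status, body, list_of_urls_requested).
    """
    visited = []
    current = url
    for _ in range(max_redirects + 1):
        if not url_is_allowed(current, blocked_hosts):
            raise RedirectRefused(f"refusing to fetch {current}")
        visited.append(current)
        status, headers, body = fetch(current)
        if status not in REDIRECT_STATUSES:
            return status, body, visited
        headers = {k.lower(): v for k, v in headers.items()}
        location = headers.get("location")
        if location is None:
            return status, body, visited
        # Resolve relative Locations against the URL that issued the redirect.
        current = urljoin(current, location)
    raise RedirectRefused("too many redirects")


# Constructed stand-in for a network: URL -> (status, headers, body).
FAKE_RESPONSES = {
    "http://example.org/ok": (302, {"Location": "https://example.org/final"}, ""),
    "https://example.org/final": (200, {}, "done"),
    "http://example.org/start": (302, {"Location": "/step2"}, ""),
    "http://example.org/step2": (301, {"Location": "file:///etc/passwd"}, ""),
    "http://example.org/internal": (302, {"Location": "http://intranet.example/secret"}, ""),
    "http://example.org/notmod": (304, {"Location": "http://example.org/elsewhere"}, ""),
    "http://example.org/loop": (302, {"Location": "/loop"}, ""),
}


def fake_fetch(url):
    """One request against the constructed table, never following redirects itself."""
    return FAKE_RESPONSES.get(url, (404, {}, "not found"))


def outcome(url, blocked_hosts=frozenset()):
    """Run one fetch and summarise the result as a string (used by the checks below)."""
    try:
        status, body, hops = fetch_following_redirects(url, fake_fetch, blocked_hosts)
        return f"{status} {body!r} via {len(hops)} request(s)"
    except RedirectRefused as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    for target in ("http://example.org/ok", "http://example.org/start",
                   "http://example.org/internal", "http://example.org/notmod",
                   "http://example.org/loop"):
        print(target, "->", outcome(target, frozenset({"intranet.example"})))
```

Because the check runs before each request, a redirect to a blacklisted host or a non-HTTP scheme is refused at that hop rather than after the library has already fetched it, which is what makes domain-name blacklists in callers meaningful again.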