User "Brion VIBBER" posted a comment on MediaWiki.r67684. Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/67684#c17427

Commit summary:

Fixes for r61911:
* Do not follow redirects by default. This breaks on safe_mode, and may potentially open security vulnerabilities in callers which blacklist domain names. Instead, send followRedirects=true option in the HttpTest caller that needs it.
* Added a check for the cURL security vulnerability CVE-2009-0037, which allowed redirects to file:/// and scp://. Refuse to follow redirects if a vulnerable client library is present.
* Factored out the redirect compatibility test into public function canFollowRedirects() so that callers can provide this information to users.
* In PhpHttpRequest, only follow redirects to HTTP URLs, do not fopen() arbitrary locations. This is not quite as bad as it sounds, since the lack of response headers prevents file:/// content from being returned to the caller.
* Fixed vertical alignment in Http::request(), per style guide.
* 304, 305 and 306 responses are not really redirects and cannot contain a Location header.

Comment:

Made a note on that in bug 29232.

_______________________________________________
MediaWiki-CodeReview mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
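The redirect rules from the commit summary, as an added Python illustration (not MediaWiki's own PHP Http code): redirects are opt-in, only status codes that can carry a Location header count, and only http/https targets are followed. The libcurl fix version 7.19.4 for CVE-2009-0037 is assumed rather than taken from the page, and the URLs and responses are constructed.

```python
# Added illustration of the redirect policy described in r67684; not MediaWiki's code.
from urllib.parse import urljoin, urlsplit

# 304, 305 and 306 are not real redirects and cannot carry a Location header.
REDIRECT_CODES = {301, 302, 303, 307, 308}
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5
# Assumption: libcurl 7.19.4 is the first release fixing CVE-2009-0037
# (the page names the CVE but not the fixed version).
FIXED_CURL = (7, 19, 4)


def can_follow_redirects(curl_version: str) -> bool:
    """Refuse redirects when the client library is vulnerable to CVE-2009-0037."""
    parts = tuple(int(p) for p in curl_version.split("."))
    return parts >= FIXED_CURL


def redirect_target(status: int, headers: dict, current_url: str):
    """Absolute URL to follow, or None if this response must not be followed."""
    if status not in REDIRECT_CODES:
        return None
    location = headers.get("Location")
    if not location:
        return None
    target = urljoin(current_url, location)  # resolve relative Location values
    if urlsplit(target).scheme.lower() not in ALLOWED_SCHEMES:
        return None  # never fopen() arbitrary locations such as file:/// or scp://
    return target


def fetch(url: str, responses: dict, follow_redirects: bool = False):
    """Walk a chain of constructed responses; following redirects is opt-in."""
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = responses[url]
        nxt = redirect_target(status, headers, url) if follow_redirects else None
        if nxt is None:
            return url, status, body
        url = nxt
    raise RuntimeError("too many redirects")


# Constructed responses: a redirect chain that ends in a file:/// Location.
RESPONSES = {
    "http://example.test/a": (302, {"Location": "/b"}, ""),
    "http://example.test/b": (301, {"Location": "file:///etc/passwd"}, ""),
    "http://example.test/c": (304, {"Location": "http://example.test/a"}, ""),
}
```

With `follow_redirects=True` the chain stops at `/b` because its Location points at a file:/// URL, which is exactly the case the patch refuses to fopen().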
