  1. Moodle
  2. MDL-48495

Limit protocols supported by curl by default.


Details

    • MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
    • MOODLE_27_STABLE, MOODLE_28_STABLE
      1. Run lib/tests/filelib_test.php
    • BACKEND Sprint 19
    • Large

    Description

      We have no real use for things like gopher:// links and such - so we should reduce our risk and only allow our curl class to work with http and https by default. We can make it an API function to allow other protocols for third-party devs if required, but it should not be the default.

      In addition, even if we clean our own links before passing them to curl, curl could follow an external redirect to some vulnerable protocol.

            People

              fred Frédéric Massart
              damyon Damyon Wiese
              David Monllaó David Monllaó
              Dan Poltawski Dan Poltawski
              Dave Cooper Dave Cooper
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Laurent David, Raquel Ortega, Sara Arjona (@sarjona)

              Dates

                Created:
                Updated:
                Resolved:
                12/Jan/15
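
The restriction the description asks for, sketched with PHP's curl extension as an added example; it is not Moodle's patch or its curl class. The function name, the opt-in list and the sample URL are hypothetical; `CURLOPT_PROTOCOLS` and `CURLOPT_REDIR_PROTOCOLS` are the libcurl options that limit the initial request and any followed redirect, respectively.

```php
<?php
// Added example, not Moodle code. Names below are hypothetical.

// Protocols a caller may explicitly opt in to; anything else is never allowed.
const EXAMPLE_OPTIONAL_PROTOCOLS = [
    'ftp'  => CURLPROTO_FTP,
    'ftps' => CURLPROTO_FTPS,
];

function example_restricted_curl_init(string $url, array $extraschemes = []) {
    // Default allow-list: http and https only.
    $allowed = ['http' => CURLPROTO_HTTP, 'https' => CURLPROTO_HTTPS];
    foreach ($extraschemes as $scheme) {
        $scheme = strtolower($scheme);
        if (!isset(EXAMPLE_OPTIONAL_PROTOCOLS[$scheme])) {
            throw new InvalidArgumentException("Protocol cannot be enabled: $scheme");
        }
        $allowed[$scheme] = EXAMPLE_OPTIONAL_PROTOCOLS[$scheme];
    }

    // Reject the caller-supplied URL before any network activity.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!isset($allowed[$scheme])) {
        throw new InvalidArgumentException("Blocked URL scheme: '$scheme'");
    }

    // Build the bitmask libcurl expects.
    $mask = 0;
    foreach ($allowed as $bit) {
        $mask |= $bit;
    }

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_PROTOCOLS, $mask);        // initial request
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, $mask);  // every followed redirect
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_MAXREDIRS, 5);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Constructed sample input: a cleaned-looking https link is accepted, and a
// redirect from it to a non-allowed protocol would fail inside libcurl.
$ch = example_restricted_curl_init('https://example.invalid/feed.xml');
try {
    example_restricted_curl_init('gopher://example.invalid/1');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The scheme check on the input URL alone does not cover the redirect case raised in the description; the `CURLOPT_REDIR_PROTOCOLS` mask is what stops a followed `Location:` header from switching protocols.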