  1. Moodle
  2. MDL-48495

Limit protocols supported by curl by default.


    Details

    • Testing Instructions:
      1. Run lib/tests/filelib_test.php
    • Affected Branches:
      MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_27_STABLE, MOODLE_28_STABLE
    • Sprint:
      BACKEND Sprint 19
    • Issue size:
      Large

      Description

      We have no real use for things like gopher:// links and such - so we should reduce our risk and only allow our curl class to work with http and https by default. We can make it an API function to allow other protocols for third party devs if required but it should not be the default.

      In addition, even if we clean our own links before passing them to curl, curl could follow an external redirect to some vulnerable protocol.
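
The restriction described above, as an added example (not Moodle's own patch or curl class). `restricted_curl_init()`, `fetch()` and the `$extraprotocols` parameter are hypothetical names; the `CURLOPT_*`, `CURLPROTO_*` and `CURLE_*` constants come from PHP's standard curl extension. The sample URLs are constructed and the script makes no network connection.

```php
<?php
// Added example: hypothetical helper names, not Moodle's curl class.

/**
 * Build a curl handle that speaks only http/https unless the caller
 * explicitly opts in to more protocols (bitmask of CURLPROTO_* values).
 */
function restricted_curl_init(string $url, int $extraprotocols = 0) {
    $allowed = CURLPROTO_HTTP | CURLPROTO_HTTPS | $extraprotocols;
    $ch = curl_init();
    curl_setopt_array($ch, [
        // Protocols accepted for the URL the caller supplies.
        CURLOPT_PROTOCOLS       => $allowed,
        // Protocols a redirect (Location: header) may switch to. Without
        // this, a cleaned http URL could still be redirected elsewhere.
        CURLOPT_REDIR_PROTOCOLS => $allowed,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 5,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_URL             => $url,
    ]);
    return $ch;
}

/** Run the transfer and report whether libcurl refused the protocol. */
function fetch(string $url, int $extraprotocols = 0): array {
    $ch = restricted_curl_init($url, $extraprotocols);
    $body = curl_exec($ch);
    return [
        'ok'      => $body !== false,
        'refused' => curl_errno($ch) === CURLE_UNSUPPORTED_PROTOCOL,
        'error'   => curl_error($ch),
    ];
}

// Constructed inputs: this script's own path as a file:// URL, and a
// gopher:// URL on a reserved, non-resolving name.
$self = 'file://' . __FILE__;
$cases = [
    'file, default policy'   => fetch($self),
    'gopher, default policy' => fetch('gopher://example.invalid/'),
    'file, explicit opt-in'  => fetch($self, CURLPROTO_FILE),
];
foreach ($cases as $label => $r) {
    printf("%-24s ok=%s refused=%s %s\n", $label,
        var_export($r['ok'], true), var_export($r['refused'], true), $r['error']);
}
```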

                Dates

                • Fix Release Date:
                  12/Jan/15