[MDL-48495] Limit protocols supported by curl by default. - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.6.6, 2.7.3, 2.8.1
Fix Version/s: 2.7.4, 2.8.2
Component/s: Libraries
Labels:
- api_change
- triaged

Testing Instructions:
1. Run lib/tests/filelib_test.php
Affected Branches:
MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
Fixed Branches:
MOODLE_27_STABLE, MOODLE_28_STABLE
Epic Link:
Curl Security Improvements

Sprint:
BACKEND Sprint 19
Issue size:
Large

Description

We have no real use for things like gopher:// links and such - so we should reduce our risk and only allow our curl class to work with http and https by default. We can make it an api function to allow other protocols for third party devs if required but it should not be the default.

In addition, even if we clean our own links before passing them to curl, curl could follow an external redirect to some vulnerable protocol.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

MDL-48495-26.mdk.patch
4 kB
06/Dec/14 2:28 AM
MDL-48495-27.mdk.patch
4 kB
06/Dec/14 2:28 AM
MDL-48495-28.mdk.patch
4 kB
06/Dec/14 2:28 AM
MDL-48495-master.mdk.patch
4 kB
06/Dec/14 2:28 AM

Issue Links

Testing discovered

MDL-55777 Add envcheck for minimum recommended version of libcurl 7.19.4

Closed

Activity

People

Assignee:: Frédéric Massart

Reporter:: Damyon Wiese

Peer reviewer:: David Monllaó

Integrator:: Dan Poltawski

Tester:: Dave Cooper

Participants:: CiBoT, Damyon Wiese, Dan Poltawski, Dave Cooper, David Monllaó, Eloy Lafuente (stronk7), Frédéric Massart, Marina Glancy, Petr Skoda

Component watchers:: Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 05/Dec/14 5:08 AM

Updated:: 31/Aug/16 1:45 AM

Resolved:: 19/Dec/14 4:56 AM

Fix Release Date:: 12/Jan/15