We have no real use for things like gopher:// links and such - so we should reduce our risk and only allow our curl class to work with http and https by default. We can make it an API function to allow other protocols for third-party devs if required, but it should not be the default.
In addition, even if we clean our own links before passing them to curl, curl could follow an external redirect to some vulnerable protocol.
- Testing discovered: MDL-55777 Add envcheck for minimum recommended version of libcurl 7.19.4 (Closed)
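The restriction described in this issue, sketched as an added example (not Moodle's curl class or the patch for this issue): `CURLOPT_PROTOCOLS` limits the initial request and `CURLOPT_REDIR_PROTOCOLS` limits what a redirect may switch to, both available from libcurl 7.19.4. The function names, the `$extra` opt-in parameter and the choice to keep redirects on http/https even when a caller opts in to more are assumptions made for illustration.

```php
<?php
// Added illustration; function and parameter names are hypothetical.

/** Build the libcurl protocol bitmask: http/https plus any opted-in extras. */
function allowed_protocol_mask(array $extra = []): int {
    // Schemes a third-party caller may opt in to (assumed list for this sketch).
    $optin = ['ftp' => CURLPROTO_FTP, 'ftps' => CURLPROTO_FTPS];
    $mask = CURLPROTO_HTTP | CURLPROTO_HTTPS; // the default, nothing else
    foreach ($extra as $scheme) {
        $scheme = strtolower($scheme);
        if (!isset($optin[$scheme])) {
            throw new InvalidArgumentException("Protocol not permitted: $scheme");
        }
        $mask |= $optin[$scheme];
    }
    return $mask;
}

/** Create a curl handle that refuses any protocol outside the allowed set. */
function restricted_curl_init(string $url, array $extra = []) {
    $mask = allowed_protocol_mask($extra); // validates $extra first
    $permitted = array_merge(['http', 'https'], array_map('strtolower', $extra));
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    // Fail early with a clear message instead of relying only on libcurl.
    if (!in_array($scheme, $permitted, true)) {
        throw new InvalidArgumentException("URL scheme not permitted: '$scheme'");
    }
    $ch = curl_init($url);
    // Protocols libcurl may use for the request itself.
    curl_setopt($ch, CURLOPT_PROTOCOLS, $mask);
    // Protocols a Location: header may redirect to. Kept to http/https so an
    // external server cannot steer the request onto another protocol.
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_MAXREDIRS, 5);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Constructed sample URLs; no network request is made here.
foreach (['https://example.com/feed.xml', 'gopher://example.com/1'] as $url) {
    try {
        restricted_curl_init($url);
        echo "accepted: $url\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```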