Details
- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 2.6.6, 2.7.3, 2.8.1
- Component/s: Libraries
- Labels:
- Testing Instructions: Run lib/tests/filelib_test.php
- Affected Branches: MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
- Fixed Branches: MOODLE_27_STABLE, MOODLE_28_STABLE
- Epic Link:
- Sprint: BACKEND Sprint 19
- Issue size: Large
Description
We have no real use for things like gopher:// links and such - so we should reduce our risk and only allow our curl class to work with http and https by default. We can make it an API function to allow other protocols for third-party devs if required but it should not be the default.
In addition, even if we clean our own links before passing them to curl, curl could follow an external redirect to some vulnerable protocol.
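The restriction described above, sketched as an added example (not Moodle's curl class or the code committed for this issue): libcurl itself enforces an http/https allow-list on both the first request and every redirect hop. The names `protocol_mask()` and `restricted_fetch()` and the `$extra` opt-in parameter are hypothetical.

```php
<?php
// Added illustration, not Moodle's curl class; function names are hypothetical.
// CURLOPT_PROTOCOLS / CURLOPT_REDIRECT_PROTOCOLS need libcurl 7.19.4 or later.

/** Map scheme names to a libcurl protocol bitmask, rejecting unknown names. */
function protocol_mask(array $schemes): int {
    $known = [
        'http'  => CURLPROTO_HTTP,
        'https' => CURLPROTO_HTTPS,
        'ftp'   => CURLPROTO_FTP,
        'ftps'  => CURLPROTO_FTPS,
    ];
    $mask = 0;
    foreach ($schemes as $scheme) {
        $scheme = strtolower($scheme);
        if (!isset($known[$scheme])) {
            throw new InvalidArgumentException("Protocol not supported here: $scheme");
        }
        $mask |= $known[$scheme];
    }
    return $mask;
}

/** Fetch $url; only http/https unless the caller opts in to more via $extra. */
function restricted_fetch(string $url, array $extra = []): string {
    $allowed = array_map('strtolower', array_merge(['http', 'https'], $extra));
    $mask = protocol_mask($allowed);
    // Early rejection of the initial URL, before libcurl parses it.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, $allowed, true)) {
        throw new InvalidArgumentException("Scheme not permitted: '$scheme'");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER     => true,
        CURLOPT_FOLLOWLOCATION     => true,
        CURLOPT_MAXREDIRS          => 5,
        // Enforced by libcurl for the first request ...
        CURLOPT_PROTOCOLS          => $mask,
        // ... and for every Location: hop, which URL cleaning alone cannot cover.
        CURLOPT_REDIRECT_PROTOCOLS => $mask,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('curl failed: ' . curl_error($ch));
    }
    return $body;
}
```

A caller that needs FTP would pass `['ftp']` as the second argument. A redirect to any scheme outside the mask makes `curl_exec()` fail, so the function throws instead of following it.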
Issue Links
- Testing discovered: MDL-55777 Add envcheck for minimum recommended version of libcurl 7.19.4 (Closed)