Moodle / MDL-48495

Limit protocols supported by curl by default.


    • MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
    • MOODLE_27_STABLE, MOODLE_28_STABLE
      1. Run lib/tests/filelib_test.php
    • BACKEND Sprint 19
    • Large

      We have no real use for things like gopher:// links and such, so we should reduce our risk and only allow our curl class to work with http and https by default. We can make it an API function to allow other protocols for third party devs if required, but it should not be the default.

      In addition, even if we clean our own links before passing them to curl, curl could follow an external redirect to some vulnerable protocol.
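
      The restriction described above, expressed with libcurl's own options, as an added example that is not Moodle's code or the patch for this issue. `protocol_mask()` and `restricted_curl_init()` are hypothetical helper names, and the gopher URL is a constructed sample.

```php
<?php
// Added illustration: helper names are hypothetical, not Moodle's curl class API.

/** Map scheme names to libcurl protocol bits, rejecting anything unknown. */
function protocol_mask(array $schemes): int {
    $known = [
        'http'  => CURLPROTO_HTTP,
        'https' => CURLPROTO_HTTPS,
        'ftp'   => CURLPROTO_FTP,
        'ftps'  => CURLPROTO_FTPS,
    ];
    $mask = 0;
    foreach ($schemes as $scheme) {
        $scheme = strtolower($scheme);
        if (!isset($known[$scheme])) {
            throw new InvalidArgumentException("Unsupported scheme: $scheme");
        }
        $mask |= $known[$scheme];
    }
    return $mask;
}

/** Create a handle limited to http/https unless the caller explicitly opts in to more. */
function restricted_curl_init(string $url, array $extraschemes = []) {
    $mask = protocol_mask(array_merge(['http', 'https'], $extraschemes));
    $ch = curl_init();
    // Protocols allowed for the URL we pass in ourselves.
    curl_setopt($ch, CURLOPT_PROTOCOLS, $mask);
    // Protocols allowed when the remote server answers with a redirect.
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, $mask);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_MAXREDIRS, 5);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_URL, $url);
    return $ch;
}

// Constructed sample input: libcurl rejects the scheme instead of connecting.
$ch = restricted_curl_init('gopher://example.invalid/');
if (curl_exec($ch) === false && curl_errno($ch) === CURLE_UNSUPPORTED_PROTOCOL) {
    echo 'Blocked: ', curl_error($ch), PHP_EOL;
}
```

      Setting `CURLOPT_REDIR_PROTOCOLS` alongside `CURLOPT_PROTOCOLS` is what covers the redirect case: a cleaned http link that redirects to another scheme is refused at the redirect hop.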

            fred Frédéric Massart
            damyon Damyon Wiese
            David Monllaó David Monllaó
            Dan Poltawski Dan Poltawski
            Dave Cooper Dave Cooper