Details
- Bug
- Status: Closed
- Minor
- Resolution: Fixed
- 2.6.6, 2.7.3, 2.8.1
- MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
- MOODLE_27_STABLE, MOODLE_28_STABLE
- Run lib/tests/filelib_test.php
- BACKEND Sprint 19
- Large
Description
We have no real use for things like gopher:// links and such - so we should reduce our risk and only allow our curl class to work with http and https by default. We can make it an API function to allow other protocols for third party devs if required but it should not be the default.
In addition, even if we clean our own links before passing them to curl, curl could follow an external redirect to some vulnerable protocol.
Issue Links
- Testing discovered: MDL-55777 Add envcheck for minimum recommended version of libcurl 7.19.4 (Closed)
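The restriction described in this issue, sketched as an added PHP example (not Moodle's own curl class; `protocol_mask` and `restricted_curl_init` are hypothetical names). It uses libcurl's `CURLOPT_PROTOCOLS` and `CURLOPT_REDIR_PROTOCOLS` options, which require libcurl 7.19.4 or later, and only builds handles without sending any request.

```php
<?php
// Added example: hypothetical helpers, not part of Moodle's filelib API.

// Translate scheme names into a libcurl protocol bitmask.
function protocol_mask(array $schemes) {
    $known = array(
        'http'  => CURLPROTO_HTTP,
        'https' => CURLPROTO_HTTPS,
        'ftp'   => CURLPROTO_FTP,
        'ftps'  => CURLPROTO_FTPS,
    );
    $mask = 0;
    foreach ($schemes as $scheme) {
        if (!isset($known[$scheme])) {
            throw new InvalidArgumentException("Protocol cannot be enabled: $scheme");
        }
        $mask |= $known[$scheme];
    }
    return $mask;
}

// http and https by default; other protocols only when the caller opts in.
function restricted_curl_init($url, array $extraschemes = array()) {
    $allowed = array_merge(array('http', 'https'), array_map('strtolower', $extraschemes));
    // Reject the initial URL early (malformed URLs yield an empty scheme).
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, $allowed, true)) {
        throw new InvalidArgumentException("URL scheme not allowed: '$scheme'");
    }
    $ch = curl_init($url);
    $ok = curl_setopt($ch, CURLOPT_PROTOCOLS, protocol_mask($allowed));
    // Choice made in this example: redirects stay on http/https even if the
    // caller opted in to more, so a remote server cannot pick another protocol.
    $ok = $ok && curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    if (!$ok) {
        throw new RuntimeException('libcurl too old to restrict protocols');
    }
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_MAXREDIRS, 5);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Constructed sample URLs; no request is sent.
foreach (array('https://example.invalid/feed', 'gopher://example.invalid/1') as $url) {
    try {
        restricted_curl_init($url);
        echo "$url: handle created\n";
    } catch (InvalidArgumentException $e) {
        echo "$url: ", $e->getMessage(), "\n";
    }
}
```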