Last modified: 2014-03-25 14:09:30 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T31232, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 29232 - Let Http / MWHttpRequest handle redirects safely on any CURL version
Let Http / MWHttpRequest handle redirects safely on any CURL version
Status: REOPENED
Product: MediaWiki
Classification: Unclassified
General/Unknown (Other open bugs)
1.18.x
All All
: Normal normal (vote)
: Future release
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-06-01 18:34 UTC by Brion Vibber
Modified: 2014-03-25 14:09 UTC (History)
5 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Brion Vibber 2011-06-01 18:34:34 UTC 
Security checks added in r67684 disable redirect-following for HTTP requests when using the CURL backend if the CURL version is an older version known to improperly validate the redirects.

Since we have code to follow HTTP redirects in PhpHttpRequest already, it ought to be simple to just bump some of the logic up a level and run that above the abstraction layer, using it for CurlHttpRequest as well rather than using the CURLOPT_FOLLOWLOCATION option.

This would allow our own protocol security checks to be applied consistently at all times, and could also allow for a callback, eg for the caller to apply their own domain checks at each stage.
Comment 1 Mark A. Hershberger 2011-08-04 01:22:17 UTC 
Vulnerability report: http://cve.mitre.org/cgi-bin/cvename.cgi?name=﷒0﷓
Vulnerability in curl was fixed in 7.19.3, released 2009-01-19 (http://curl.haxx.se/changes.html)
Minimum version of PHP we support is 5.2.3, released 2007-05-31 (http://www.php.net/ChangeLog-5.php#5.2.3)

I'll try to get this fixed in time for release.
Comment 2 Mark A. Hershberger 2011-08-10 22:41:27 UTC 
unassigning myself so I don't practgice cookie-licking
Comment 3 Mark A. Hershberger 2011-10-28 01:47:15 UTC 
for 1.18 tarball we should either fix this or add something to the release notes.
Comment 4 Mark A. Hershberger 2011-11-02 21:19:48 UTC 
Reading over brion's comments more carefully (and making a stab at implementation), I see that this is more significant than a release notes thing.

The following bit definitely won't be implemented in time for 1.18.

> This would allow our own protocol security checks to be applied consistently at
> all times, and could also allow for a callback, eg for the caller to apply
> their own domain checks at each stage.

And the vulnerability report in comment #1 was fixed in Tim's original implementation (duh!).
Comment 5 Krinkle 2012-05-05 17:15:18 UTC 
(mass change)
* 1.18.0 and 1.19.0 have been released already.
* Moving open bugs targeted for 1.18.0 or 1.19.0 to Mysterious future.
* Please re-target them to 1.19.x or 1.20.0 if needed.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links