Security checks added in r67684 disable redirect-following for HTTP requests when using the CURL backend if the CURL version is an older version known to improperly validate the redirects.
Since we have code to follow HTTP redirects in PhpHttpRequest already, it ought to be simple to just bump some of the logic up a level and run that above the abstraction layer, using it for CurlHttpRequest as well rather than using the CURLOPT_FOLLOWLOCATION option.
This would allow our own protocol security checks to be applied consistently at all times, and could also allow for a callback, eg for the caller to apply their own domain checks at each stage.
Version: 1.18.x
Severity: normal