Page MenuHomePhabricator
Create Task
Maniphest T31232

Let Http / MWHttpRequest handle redirects safely on any CURL version
Open, MediumPublic
Actions

Description

Security checks added in r67684 disable redirect-following for HTTP requests when using the CURL backend if the CURL version is an older version known to improperly validate the redirects.

Since we have code to follow HTTP redirects in PhpHttpRequest already, it ought to be simple to just bump some of the logic up a level and run that above the abstraction layer, using it for CurlHttpRequest as well rather than using the CURLOPT_FOLLOWLOCATION option.

This would allow our own protocol security checks to be applied consistently at all times, and could also allow for a callback, eg for the caller to apply their own domain checks at each stage.

Version: 1.18.x
Severity: normal

Details

Reference
bz29232

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:36 PM
bzimport added projects: Future-Release, MediaWiki-General.
bzimport set Reference to bz29232.
bzimport added a subscriber: Unknown Object (MLST).
brion created this task.Jun 1 2011, 6:34 PM
MarkAHershberger added a comment.Aug 4 2011, 1:22 AM

Vulnerability report: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037
Vulnerability in curl was fixed in 7.19.3, released 2009-01-19 (http://curl.haxx.se/changes.html)
Minimum version of PHP we support is 5.2.3, released 2007-05-31 (http://www.php.net/ChangeLog-5.php#5.2.3)

I'll try to get this fixed in time for release.

MarkAHershberger added a comment.Aug 10 2011, 10:41 PM

unassigning myself so I don't practgice cookie-licking

MarkAHershberger added a comment.Oct 28 2011, 1:47 AM

for 1.18 tarball we should either fix this or add something to the release notes.

MarkAHershberger added a comment.Nov 2 2011, 9:19 PM

Reading over brion's comments more carefully (and making a stab at implementation), I see that this is more significant than a release notes thing.

The following bit definitely won't be implemented in time for 1.18.

This would allow our own protocol security checks to be applied consistently at
all times, and could also allow for a callback, eg for the caller to apply
their own domain checks at each stage.

And the vulnerability report in comment #1 was fixed in Tim's original implementation (duh!).

Krinkle added a comment.May 5 2012, 5:15 PM

(mass change)

  • 1.18.0 and 1.19.0 have been released already.
  • Moving open bugs targeted for 1.18.0 or 1.19.0 to Mysterious future.
  • Please re-target them to 1.19.x or 1.20.0 if needed.
Phabricator_maintenance removed a project: Future-Release.Aug 12 2016, 4:54 PM
Phabricator_maintenance removed a subscriber: wikibugs-l-list.
Dereckson updated the task description. (Show Details)Apr 1 2018, 2:34 PM
Krinkle edited projects, added MediaWiki-libs-HTTP; removed MediaWiki-General.Dec 14 2018, 7:20 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL