r101808 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r101807‎ \| r101808 \| r101809 >
Date:	14:04, 3 November 2011
Author:	mah
Status:	ok (Comments)
Tags:
Comment:	use isValidURI for redirect check
Modified paths:	/trunk/phase3/includes/HttpFunctions.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/HttpFunctions.php
—	—	@@ -855,7 +855,7 @@
856	856	# Check security of URL
857	857	$url = $this->getResponseHeader( "Location" );
858	858
859		~~- if ( substr( $url, 0, 7 ) !== 'http://' ) {~~
	859	+ if ( !HTTP::isValidURI( $url ) ) {
860	860	wfDebug( __METHOD__ . ": insecure redirection\n" );
861	861	break;
862	862	}

Revision	Commit summary	Author	Date
r101817	comment that isValidURI must reject file:// URI	hashar	15:06, 3 November 2011
r101905	Follow-up r101808. Use canonical class name.	platonides	22:58, 3 November 2011

Revision	Commit summary	Author	Date
r67684	Fixes for r61911:...	tstarling	06:39, 9 June 2010

#Comment by Hashar (talk | contribs) 14:37, 3 November 2011

Since http://Iam.notsecure.com/ is a valid URI, that would redirect people to an insecure site thus defeating the original purpose.

#Comment by MarkAHershberger (talk | contribs) 14:54, 3 November 2011

That url would have passed before this change.

#Comment by MarkAHershberger (talk | contribs) 14:57, 3 November 2011

To be clear, before this change, https://Iam.very.secure.com/ would not have worked.

#Comment by Hashar (talk | contribs) 15:07, 3 November 2011

Marking OK per IRC.

#Comment by Nikerabbit (talk | contribs) 15:20, 3 November 2011

The canonical name of this class is Http if I am not mistaken.

15:07, 3 November 2011 Hashar (talk | contribs) changed the status of r101808 [removed: fixme added: ok]
14:37, 3 November 2011 Hashar (talk | contribs) changed the status of r101808 [removed: new added: fixme]