Do only follow HTTP and HTTPS redirects
We do not want to follow redirects to other protocols since they might allow an adversary to bypass network restrictions. (i.e. a redirect to ftp:// might be used to access files of an FTP server which might be in a secure zone and not be reachable from the net but from the ownCloud server)

Get final redirect manually using get_headers()

Migrate to HTTPHelper class and add unit tests
Showing
- apps/files/ajax/newfile.php: 7 additions, 2 deletions
- lib/private/files/storage/dav.php: 4 additions, 0 deletions
- lib/private/httphelper.php: 177 additions, 0 deletions
- lib/private/server.php: 12 additions, 0 deletions
- lib/private/user/http.php: 2 additions, 0 deletions
- lib/private/util.php: 6 additions, 94 deletions
- lib/public/iservercontainer.php: 6 additions, 0 deletions
- tests/lib/httphelper.php: 88 additions, 0 deletions
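
A sketch of the check the commit message describes, as an added example (not ownCloud's HTTPHelper code): each hop of a redirect chain is resolved by hand and rejected unless its scheme is http or https. The names `resolveFinalLocation` and `$fetchHeaders` and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example. $fetchHeaders is a hypothetical callable that returns the
// response headers of ONE request (no automatic redirect following) as name => value.
function resolveFinalLocation(string $url, callable $fetchHeaders, int $maxHops = 5): string
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            throw new RuntimeException("Refusing non-HTTP(S) URL: $url");
        }
        $headers = array_change_key_case($fetchHeaders($url), CASE_LOWER);
        if (!isset($headers['location'])) {
            return $url; // no further redirect: this is the final location
        }
        $next = $headers['location'];
        if (is_array($next)) {
            $next = end($next); // several Location headers: use the last one
        }
        // Path-absolute redirects stay on the current origin; any other
        // scheme-less form fails the scheme check on the next pass (fail closed).
        if (strpos($next, '/') === 0 && strpos($next, '//') !== 0) {
            $p = parse_url($url);
            $next = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '') . $next;
        }
        $url = $next;
    }
    throw new RuntimeException('Too many redirects');
}

// Constructed sample responses (not real hosts): one clean chain, one hop to ftp://
$responses = [
    'http://example.org/a'      => ['Location' => 'https://example.org/b'],
    'https://example.org/b'     => ['Location' => '/final'],
    'https://example.org/final' => [],
    'http://example.org/evil'   => ['Location' => 'ftp://10.0.0.5/secret.txt'],
];
$fetch = function (string $url) use ($responses): array {
    return $responses[$url] ?? [];
};

echo resolveFinalLocation('http://example.org/a', $fetch), "\n";
try {
    resolveFinalLocation('http://example.org/evil', $fetch);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Whatever performs the actual download afterwards must not follow redirects on its own, or the per-hop scheme check is bypassed.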