Opened 16 years ago
Closed 16 years ago
#5032 closed patch (fixed)
Allow cURL for safer status passthrough in mythweb
| Reported by: | | Owned by: | Rob Smith |
|---|---|---|---|
| Priority: | minor | Milestone: | unknown |
| Component: | mythweb | Version: | head |
| Severity: | medium | Keywords: | |
| Cc: | | Ticket locked: | no |
Description
The status module uses the file_get_contents module to retrieve the status page from the backend's own port. This requires the allow_url_fopen PHP option to be set, which many view as a security risk for XSS.
The cURL lib is recommended as a safer alternative (which is quite common). This patch tries to use cURL, if installed, before trying the regular options.
I've applied this to 0.21-fixes on my wc, but it looks to me like it's the same patch for head of trunk.
Attachments (1)
Change History (3)
Changed 16 years ago by
Attachment: | curl.patch added |
---|
comment:1 Changed 16 years ago by
Owner: | changed from xris to Rob Smith |
---|---|
Status: | new → accepted |
comment:2 Changed 16 years ago by
Resolution: | → fixed |
---|---|
Status: | accepted → closed |
(In [17563]) Fixes #5032, this attempts to use cURL before file_get_contents to talk to the backend
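The fetch order the ticket describes (cURL when the extension is loaded, URL wrappers only as a fallback) can be sketched as follows. This is an added example, not the attached curl.patch or mythweb's code; the function name, the timeouts, the `/` path and the host/port arguments are assumptions.

```php
<?php
// Added example, not mythweb's code. Function name, timeouts and the
// URL path are assumptions for illustration.
function fetch_backend_status(string $host, int $port): string
{
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException('port out of range');
    }
    // Accept only an IP literal or a plain hostname, so the value cannot
    // smuggle a path, credentials or a different scheme into the URL.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
        $host = "[$host]";
    } elseif (!filter_var($host, FILTER_VALIDATE_IP)
        && !filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) {
        throw new InvalidArgumentException('invalid host');
    }
    $url = "http://$host:$port/";

    // Preferred path: cURL works with allow_url_fopen disabled.
    if (function_exists('curl_init')) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP, // no file://, ftp://, ...
            CURLOPT_FOLLOWLOCATION => false,          // stay on the backend
            CURLOPT_CONNECTTIMEOUT => 5,
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $err  = curl_error($ch);
        if ($body === false || $code !== 200) {
            throw new RuntimeException("status fetch failed (HTTP $code): $err");
        }
        return $body;
    }

    // Fallback: URL wrappers, only usable when allow_url_fopen is on.
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $ctx  = stream_context_create(['http' => ['timeout' => 10, 'follow_location' => 0]]);
        $body = @file_get_contents($url, false, $ctx);
        if ($body !== false) {
            return $body;
        }
    }
    throw new RuntimeException('status fetch failed: cURL unavailable and URL wrappers disabled or failing');
}
```

With the cURL branch in place, `allow_url_fopen` can be set to `Off` in php.ini without breaking the status page.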