Opened 12 years ago

Closed 12 years ago

#5032 closed patch (fixed)

Allow cURL for safer status passthrough in mythweb

Reported by: myth@…
Owned by: Rob Smith
Priority: minor
Milestone: unknown
Component: mythweb
Version: head
Severity: medium
Keywords:
Cc:
Ticket locked: no

Description

The status module uses the file_get_contents module to retrieve the status page from the backend's own port. This requires the allow_url_fopen PHP option to be set, which many view as a security risk for XSS.

The cURL lib is recommended as a safer alternative (which is quite common). This patch tries to use cURL, if installed, before trying the regular options.

I've applied this to 0.21-fixes on my wc, but it looks to me like it's the same patch for head of trunk.

Attachments (1)

curl.patch (860 bytes) - added by anonymous 12 years ago.

Change History (3)

Changed 12 years ago by anonymous

Attachment: curl.patch added

comment:1 Changed 12 years ago by Rob Smith

Owner: changed from xris to Rob Smith
Status: changed from new to accepted

comment:2 Changed 12 years ago by Rob Smith

Resolution: fixed
Status: changed from accepted to closed

(In [17563]) Fixes #5032, this attempts to use cURL before file_get_contents to talk to the backend
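
An added illustration of the cURL-first approach discussed in this ticket (it is not the attached curl.patch and not MythWeb's code): a PHP helper that uses cURL when the extension is loaded and falls back to file_get_contents only when allow_url_fopen is enabled. The function name, the timeout value and the sample URL are assumptions made for the example.

```php
<?php
/**
 * Fetch a status page over HTTP, preferring cURL to PHP's URL fopen wrappers.
 * Hypothetical helper for illustration. Returns the body, or false on failure.
 */
function fetch_status_page(string $url, int $timeout = 5)
{
    // Accept only http/https so file://, php:// and similar wrappers are refused
    // before any fetch function sees the URL.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }

    // Preferred path: works with allow_url_fopen switched off in php.ini.
    if (function_exists('curl_init')) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,   // return the body instead of printing it
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_FOLLOWLOCATION => false,  // do not chase redirects to other hosts
            CURLOPT_CONNECTTIMEOUT => $timeout,
            CURLOPT_TIMEOUT        => $timeout,
        ]);
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        // Design choice in this example: when cURL is installed its result is
        // final, so a failed request does not silently retry another way.
        return ($body !== false && $code === 200) ? $body : false;
    }

    // Fallback: only usable when the administrator has left allow_url_fopen on.
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $ctx = stream_context_create([
            'http' => ['timeout' => $timeout, 'follow_location' => 0],
        ]);
        return @file_get_contents($url, false, $ctx);
    }

    return false; // neither transport is available
}

// Constructed placeholder URL; substitute the backend's real status address.
$html = fetch_status_page('http://backend.example:8080/');
if ($html === false) {
    error_log('status page could not be retrieved');
}
```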