* Added WikiPage::getParserOutput() and changed Article::getParserOutput() to use it
[lhc/web/wiklou.git] / includes / HttpFunctions.php
index 2ec7ea1..cbdcd7a 100644 (file)
@@ -129,6 +129,8 @@ class Http {
         * protocols, because we only want protocols that both cURL
         * and php support.
         *
+        * file:// should not be allowed here for security purpose (r67684)
+        *
         * @fixme this is wildly inaccurate and fails to actually check most stuff
         *
         * @param $uri Mixed: URI to check for validity
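Review bot: The added docblock line states that file:// "should not be allowed" but not whether the function actually rejects it, and the `@fixme` directly below says the check "fails to actually check most stuff". The function body is outside this hunk, so the claim cannot be confirmed from here. I would phrase the line as a contract and give the reason, e.g. `* Must reject file://: callers use this to vet redirect targets, and a local-file scheme would expose local files (r67684)`. A unit test asserting that `Http::isValidURI( 'file:///etc/hosts' )` returns false would keep the comment and the code from drifting apart.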
@@ -855,7 +857,7 @@ class PhpHttpRequest extends MWHttpRequest {
                        # Check security of URL
                        $url = $this->getResponseHeader( "Location" );
 
-                       if ( substr( $url, 0, 7 ) !== 'http://' ) {
+                       if ( !Http::isValidURI( $url ) ) {
                                wfDebug( __METHOD__ . ": insecure redirection\n" );
                                break;
                        }
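Review bot: The redirect guard at `if ( !Http::isValidURI( $url ) )` now rests entirely on a helper whose own docblock (first hunk) carries `@fixme this is wildly inaccurate`, whereas the removed line was a strict `http://` prefix check. If the aim is to also follow https redirects, keeping an explicit scheme allowlist at this call site would make the security decision visible here, e.g. `if ( !Http::isValidURI( $url ) || !preg_match( '!^https?://!i', $url ) ) {`. It is also worth confirming what `getResponseHeader( "Location" )` returns when the header is absent and that `isValidURI()` rejects that value. The enclosing redirect loop starts and ends outside this hunk, so how `$url` is used after the check is not visible.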