mahara-contributors team mailing list archive
Message #36160
[Bug 1397736] Re: Use SafeCURL in external RSS block
I was re-reading my previous remark and I wondered, "Why don't we just
disallow raw IP addresses as URLs?"
But to clarify, that's not the issue. Even if a user enters a non-IP
URL, SafeCURL extracts the domain name from the URL, resolves it to an
IP address, and does some checking against that IP address.
So, if a Mahara user entered an RSS feed for a URL, and that URL was at
a domain name whose only DNS records were IPv6 (as an increasing number
will be in the days to come), SafeCURL would not be able to perform any
validation on it. So we'd either have to give an IPv6-based site a free
pass (in which case we're not really gaining any security) or we'd have
to reject all IPv6-based sites (which would be a horrible user
experience, because a user doesn't generally know the IP address of the
sites they visit).
** Changed in: mahara
Status: In Progress => Won't Fix
** Changed in: mahara
Status: Won't Fix => In Progress
** Changed in: mahara
Status: In Progress => Won't Fix
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1397736
Title:
Use SafeCURL in external RSS block
Status in Mahara:
Won't Fix
Status in Mahara 1.10 series:
Won't Fix
Status in Mahara 15.04 series:
Won't Fix
Status in Mahara 15.10 series:
Won't Fix
Status in Mahara 16.04 series:
Won't Fix
Status in Mahara 16.10 series:
Won't Fix
Bug description:
For better security in the external RSS feed block, we should be using
a library like SafeCURL to help guard against attacks:
https://github.com/fin1te/safecurl
See also bug 1394820
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1397736/+subscriptions
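Validation logic of the kind the comment describes, added here as an illustration that is not Mahara's or SafeCURL's code (both are PHP; this is Python, with a constructed lookup table standing in for live DNS): it resolves both A and AAAA records, unwraps IPv4-mapped IPv6 addresses, and fails closed when nothing resolves, so an AAAA-only host is neither waved through nor rejected outright. Host names under `example.test` and the addresses in `SAMPLE_DNS` are constructed sample values.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample records that stand in for DNS so the example runs offline.
# "v6feed" is the case from the thread: a host whose only records are AAAA.
SAMPLE_DNS = {
    "feed.example.test": ["93.184.216.34"],        # public, A record only
    "v6feed.example.test": ["2a01:1234::1"],       # public, AAAA record only
    "intranet.example.test": ["fd12:3456::10"],    # unique-local IPv6 (fc00::/7)
    "mapped.example.test": ["::ffff:127.0.0.1"],   # IPv4-mapped loopback
}

def resolve_all(host):
    """Ask the OS resolver for every A and AAAA record (AF_UNSPEC returns both)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def is_blocked(addr):
    """True for any address a server-side fetcher must not contact, v4 or v6."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:a.b.c.d is an IPv4 target in IPv6 clothing; judge the inner address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_reserved)

def check_feed_url(url, resolve=resolve_all):
    """Return (allowed, reason); every address the host resolves to must be public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname            # brackets around IPv6 literals are stripped
    if not host:
        return False, "no host in URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # raw IP literal: check as-is
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"       # fail closed, not open
    for addr in addrs:
        if is_blocked(addr):
            return False, f"{addr} is not a public address"
    return True, "ok"
```

The check is only as good as the connection that follows it: the HTTP client must connect to the address that was checked rather than resolve the name a second time, and every redirect target needs the same treatment.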