Currently someone could spoof the DNS on a server and make you download a fake browscap file. The file isn't super sensitive, but it's always nice to avoid that if possible.
Thankfully, Gary is now providing the file via HTTPS: http://twitter.com/GaryInMiami/status/4724622463
We should use that. Major thanks to Gary!
Comment | File | Size | Author |
---|---|---|---|
#5 | browscap-https-672104-5.patch | 1.85 KB | Devin Carlson |
#3 | browscap-https.patch | 1.3 KB | jzornig |
#2 | use-https-672104-1.patch | 688 bytes | Devin Carlson |
Comments
Comment #1
Devin Carlson commented
The attached patch changes the URL used to access php_browscap.ini to the HTTPS version.
However, after reviewing drupal_http_request it seems like accessing URLs which use the HTTPS scheme requires PHP to be compiled with OpenSSL support (which may not be available on all web hosts).
This change would make OpenSSL support a requirement for using Browscap. Either that or a configurable setting should be added which allows an administrator to set whether Browscap uses HTTP or HTTPS when downloading browscap information.
Comment #2
Devin Carlson commented
Comment #3
jzornig commented
The non-HTTPS site is currently unavailable. If this is to be permanent, this needs to be committed soon. I've updated the patch to try the HTTPS URLs first and fall back to HTTP if there is an error.
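The HTTPS-first download with HTTP fallback discussed in comments #1 and #3, as an added example that is not the committed patch or the module's own code. Because the fallback reopens the DNS-spoofing exposure from the issue summary whenever HTTPS fails, the sketch reports when a downgrade happened and lets a setting forbid it. The names browscap_fetch, $allow_http, the browscap.example URLs and the $fetch callable (standing in for drupal_http_request) are assumptions.

```php
<?php
// Added example. $fetch stands in for drupal_http_request() and returns an
// object with ->code, ->data and ->error; all names here are hypothetical.

/**
 * Try each URL in order (HTTPS first) and report which scheme delivered data.
 */
function browscap_fetch(array $urls, $fetch, $allow_http = TRUE) {
  // PHP only registers the https:// stream wrapper when built with OpenSSL.
  $has_https = in_array('https', stream_get_wrappers(), TRUE);
  $errors = array();
  foreach ($urls as $url) {
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === 'https' && !$has_https) {
      $errors[] = "$url: no OpenSSL support";
      continue;
    }
    if ($scheme === 'http' && !$allow_http) {
      $errors[] = "$url: plain HTTP disabled by setting";
      continue;
    }
    $response = $fetch($url);
    if (empty($response->error) && $response->code == 200 && $response->data !== '') {
      // 'downgraded' lets the caller log that the file arrived unauthenticated.
      return array('data' => $response->data, 'url' => $url,
        'downgraded' => $scheme !== 'https', 'errors' => $errors);
    }
    $errors[] = "$url: " . (empty($response->error) ? "HTTP {$response->code}" : $response->error);
  }
  return array('data' => NULL, 'url' => NULL, 'downgraded' => FALSE, 'errors' => $errors);
}

// Constructed responses: the HTTPS request fails, the HTTP one succeeds.
$fake = function ($url) {
  return strpos($url, 'https://') === 0
    ? (object) array('code' => 0, 'data' => '', 'error' => 'SSL handshake failed')
    : (object) array('code' => 200, 'data' => "; constructed browscap data\n", 'error' => NULL);
};
$urls = array('https://browscap.example/php_browscap.ini', 'http://browscap.example/php_browscap.ini');

$result = browscap_fetch($urls, $fake);
printf("fetched via %s, downgraded=%s\n", $result['url'], var_export($result['downgraded'], TRUE));
$strict = browscap_fetch($urls, $fake, FALSE);
printf("strict: data=%s, errors=%d\n", var_export($strict['data'], TRUE), count($strict['errors']));
```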
Comment #4
Devin Carlson commented
Thanks for the patch! The changes seem like a good compromise between providing additional security and the availability of HTTPS support.
Committed to 7.x-1.x with minor comment changes.
Comment #5
Devin Carlson commented
Backport of #4.
Comment #6
Devin Carlson commented
Committed to 6.x-1.x.