Currently someone could spoof the DNS on a server and make you download a fake browscap file. The file isn't super sensitive, but it's always nice to avoid that if possible.

Thankfully, Gary is now providing the file via HTTPS: http://twitter.com/GaryInMiami/status/4724622463

We should use that. Major thanks to Gary!


Comments

Devin Carlson

Version: 6.x-1.x-dev » 7.x-1.x-dev
Assigned: Unassigned » Devin Carlson
Status: Active » Needs review

The attached patch changes the URL used to access php_browscap.ini to the HTTPS version.

However, after reviewing drupal_http_request it seems like accessing URLs which use the HTTPS scheme requires PHP to be compiled with OpenSSL support (which may not be available on all web hosts).

This change would make OpenSSL support a requirement for using Browscap. Either that, or a configurable setting should be added which allows an administrator to set whether Browscap uses HTTP or HTTPS when downloading browscap information.

Devin Carlson

FileSize
688 bytes
jzornig

FileSize
1.3 KB

The non-HTTPS site is currently unavailable. If this is to be permanent, this needs to be committed soon. I've updated the patch to try the HTTPS URLs first and fall back to HTTP if there is an error.
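An added illustration of the "try HTTPS first, fall back to HTTP" approach described above, written against Drupal 7's drupal_http_request() and watchdog(); this is not the committed patch, and the host name and function name are placeholders:

```php
<?php
// Added example, not the Browscap module's own code. Assumes Drupal 7's
// drupal_http_request() and watchdog(); the host below is a placeholder.

/**
 * Fetches php_browscap.ini, preferring HTTPS and falling back to HTTP.
 *
 * Returns the file contents, or FALSE if neither scheme succeeded.
 */
function browscap_fetch_ini_example() {
  // Placeholder host; the real download URL lives in the module's code.
  $host = 'browscap.example.invalid/php_browscap.ini';

  $urls = array();
  // drupal_http_request() opens HTTPS via the ssl:// stream transport, which
  // only exists when PHP was built with OpenSSL. Skip HTTPS when it is absent
  // instead of paying for an attempt that is guaranteed to fail.
  if (in_array('ssl', stream_get_transports(), TRUE)) {
    $urls[] = 'https://' . $host;
  }
  $urls[] = 'http://' . $host;

  foreach ($urls as $url) {
    $result = drupal_http_request($url, array('timeout' => 30));
    if (isset($result->error) || (int) $result->code !== 200) {
      // Log the failure so an administrator can see why a fallback happened.
      watchdog('browscap', 'Download from %url failed: @error', array(
        '%url' => $url,
        '@error' => isset($result->error) ? $result->error : $result->code,
      ), WATCHDOG_WARNING);
      continue;
    }
    if (strpos($url, 'http://') === 0) {
      // A plain-HTTP download has no protection against DNS spoofing, so
      // record that the weaker path was taken rather than failing silently.
      watchdog('browscap', 'Fetched %url over plain HTTP after HTTPS failed.',
        array('%url' => $url), WATCHDOG_NOTICE);
    }
    return $result->data;
  }
  return FALSE;
}
```

The HTTPS attempt only defends against DNS spoofing if PHP actually verifies the server certificate; logging the fallback lets an administrator spot installs that are silently downloading over HTTP.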

Devin Carlson

Version: 7.x-1.x-dev » 6.x-1.x-dev
Status: Needs review » Patch (to be ported)

Thanks for the patch! The changes seem like a good compromise between providing additional security and the availability of HTTPS support.

Committed to 7.x-1.x with minor comment changes.

Devin Carlson

Status: Patch (to be ported) » Needs review
FileSize
1.85 KB

Backport of #4.

Devin Carlson

Status: Needs review » Fixed

Committed to 6.x-1.x.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.