Currently someone could spoof the DNS on a server and make you download a fake browscap file. The file isn't super sensitive, but it's always nice to avoid that if possible.

Thankfully, Gary is now providing the file via HTTPS: http://twitter.com/GaryInMiami/status/4724622463

We should use that. Major thanks to Gary!

Comments

Version: 6.x-1.x-dev » 7.x-1.x-dev
Assigned: Unassigned » Devin Carlson
Status: Active » Needs review

The attached patch changes the URL used to access php_browscap.ini to the HTTPS version.

However, after reviewing drupal_http_request it seems like accessing URLs which use the HTTPS scheme requires PHP to be compiled with OpenSSL support (which may not be available on all web hosts).

This change would make OpenSSL support a requirement for using Browscap. Either that, or a configurable setting should be added which allows an administrator to set whether Browscap uses HTTP or HTTPS when downloading browscap information.

Attachment (new): 688 bytes

Attachment (new): 1.3 KB

The non-HTTPS site is currently unavailable. If this is to be permanent, this needs to be committed soon. I've updated the patch to try the HTTPS URLs first and fall back to HTTP if there is an error.
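The HTTPS-first, HTTP-fallback strategy described in this comment, written out as an added example (this is not the Browscap module's code). It adds two things a practitioner would want around such a fallback: an explicit check for PHP's OpenSSL-backed `https` stream wrapper (the dependency identified earlier in the thread), and a record of which scheme actually served the file so a downgrade to plaintext is visible to the caller rather than silent. The URLs, the function names and the injected `$fetch` callable are assumptions for illustration; the callable stands in for `drupal_http_request()` so the example runs offline.

```php
<?php
// Added example, not the Browscap module's code. HTTPS-first download with an
// HTTP fallback, plus an OpenSSL capability check and an explicit downgrade flag.
// URLs, function names and the injected fetcher are assumptions for illustration.

// Hypothetical locations; the real ones live in the module's settings.
define('BROWSCAP_URL_HTTPS', 'https://example.invalid/php_browscap.ini');
define('BROWSCAP_URL_HTTP', 'http://example.invalid/php_browscap.ini');

/**
 * Check 1: can this PHP build open https:// URLs at all?
 * PHP registers the "https" stream wrapper only when compiled with OpenSSL.
 */
function browscap_https_supported() {
  return in_array('https', stream_get_wrappers(), TRUE);
}

/**
 * Fetch the browscap file, trying HTTPS first and HTTP only if HTTPS fails.
 *
 * $fetch is a callable taking a URL and returning
 * array('code' => int, 'data' => string), or throwing on a transport error;
 * it mirrors the code/data shape of drupal_http_request() and keeps the
 * example runnable offline.
 *
 * Check 2: the result records which scheme served the file and whether that
 * was a downgrade from a working HTTPS build. An attacker who can block the
 * HTTPS connection can force the plaintext path, so a caller should log
 * 'downgraded' => TRUE (e.g. via watchdog() in Drupal) instead of treating it
 * as an ordinary success.
 */
function browscap_fetch($fetch, $https_supported) {
  $attempts = array();
  if ($https_supported) {
    $attempts[] = array('https', BROWSCAP_URL_HTTPS);
  }
  $attempts[] = array('http', BROWSCAP_URL_HTTP);

  $errors = array();
  foreach ($attempts as $attempt) {
    list($scheme, $url) = $attempt;
    try {
      $response = $fetch($url);
    }
    catch (Exception $e) {
      $errors[] = $scheme . ': ' . $e->getMessage();
      continue;
    }
    if ($response['code'] !== 200 || $response['data'] === '') {
      $errors[] = $scheme . ': HTTP ' . $response['code'];
      continue;
    }
    return array(
      'scheme' => $scheme,
      'data' => $response['data'],
      // Only a downgrade if HTTPS was available, was tried, and failed.
      'downgraded' => ($scheme === 'http' && $https_supported),
      'errors' => $errors,
    );
  }
  throw new RuntimeException('browscap download failed: ' . implode('; ', $errors));
}

// Constructed demonstration: a fetcher whose HTTPS endpoint is unreachable
// (blocked port, failed handshake) while the HTTP endpoint answers.
$fake_fetch = function ($url) {
  if (strpos($url, 'https://') === 0) {
    throw new Exception('connection refused');
  }
  return array('code' => 200, 'data' => "[GJK_Browscap_Version]\nVersion=1\n");
};

$result = browscap_fetch($fake_fetch, browscap_https_supported());
printf("served over %s, downgraded=%s, errors=%s\n",
  $result['scheme'],
  $result['downgraded'] ? 'yes' : 'no',
  $result['errors'] ? implode('; ', $result['errors']) : 'none');
```

On a PHP build with OpenSSL the constructed fetcher yields `served over http, downgraded=yes, errors=https: connection refused`, which is the case worth logging; on a build without the `https` wrapper it yields `served over http, downgraded=no, errors=none`, because HTTP was the only option and nothing was lost by falling back.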

Version: 7.x-1.x-dev » 6.x-1.x-dev
Status: Needs review » Patch (to be ported)

Thanks for the patch! The changes seem like a good compromise between providing additional security and the availability of HTTPS support.

Committed to 7.x-1.x with minor comment changes.

Status: Patch (to be ported) » Needs review
Attachment (new): 1.85 KB

Backport of #4.

Status: Needs review » Fixed

Committed to 6.x-1.x.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.