When a curl::request() fails, the method returns the error message. This is not ideal as it means that developers could easily confuse error messages and valid content if they do not check curl::$errno.
This issue should:
- return false when the request has failed
- update the usage of curl everywhere to handle this new return value
- provide upgrade instructions for developers
I do not think this is a security issue as it really depends on how the developer has implemented their code; however, it makes sense to fix in master to prevent further risks.
Reported by ankit_frenz on MDL-48496.
- has a non-specific relationship to
  - MDL-48496 Do not show detailed error messages in the response from curl requests in rss_client (Closed)
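An added illustration of the behaviour this issue describes, not Moodle's own code: `demo_curl` and `fetch_or_false()` are hypothetical names, and the URLs and responses are constructed sample data. It shows that an unchecked return value carries the error text as if it were content, and how a caller that checks `$errno` can return false instead.

```php
<?php
// Hypothetical stand-in for the behaviour described above; not Moodle's curl class.
// On failure request() returns the error text and sets $errno, as the issue describes.
class demo_curl {
    public $errno = 0;
    public $error = '';
    private $responses;

    public function __construct(array $responses) {
        $this->responses = $responses; // Constructed sample data, no network access.
    }

    public function request($url) {
        if (!isset($this->responses[$url])) {
            $this->errno = 6; // CURLE_COULDNT_RESOLVE_HOST
            $this->error = 'Could not resolve host: ' . parse_url($url, PHP_URL_HOST);
            return $this->error; // Error message returned in place of a body.
        }
        $this->errno = 0;
        $this->error = '';
        return $this->responses[$url];
    }
}

// Caller-side guard: return false on failure so error text is never treated as content.
function fetch_or_false(demo_curl $curl, $url) {
    $body = $curl->request($url);
    if ($curl->errno !== 0) {
        // Keep the detail in the server log, not in the value handed to rendering code.
        error_log("curl request failed ({$curl->errno}): {$curl->error}");
        return false;
    }
    return $body;
}

$curl = new demo_curl(['https://feeds.example.test/ok.xml' => '<rss version="2.0"></rss>']);
$urls = ['https://feeds.example.test/ok.xml', 'https://internal.example.test/feed.xml'];
foreach ($urls as $url) {
    $unchecked = $curl->request($url);      // A string either way: body or error text.
    $checked = fetch_or_false($curl, $url); // A string on success, false on failure.
    printf("%s\n  unchecked: %s\n  checked:   %s\n", $url,
        var_export($unchecked, true), var_export($checked, true));
}
```

Callers of the guarded form should compare the result with `=== false`, since an empty response body is a valid success value.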