dépôts / lhc / web / wiklou.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge "Improve docs for Title::getInternalURL/getCanonicalURL"
[lhc/web/wiklou.git] / includes / http / Http.php
diff --git a/includes/http/Http.php b/includes/http/Http.php
index c29f199..f0972dc 100644 (file)
--- a/includes/http/Http.php
+++ b/includes/http/Http.php
@@ -132,11 +132,14 @@ class Http {
        }
 
        /**
-        * Checks that the given URI is a valid one. Hardcoding the
-        * protocols, because we only want protocols that both cURL
-        * and php support.
+        * Check that the given URI is a valid one.
         *
-        * file:// should not be allowed here for security purpose (r67684)
+        * This hardcodes a small set of protocols only, because we want to
+        * deterministically reject protocols not supported by all HTTP-transport
+        * methods.
+        *
+        * "file://" specifically must not be allowed, for security purpose
+        * (see <https://www.mediawiki.org/wiki/Special:Code/MediaWiki/r67684>).
         *
         * @todo FIXME this is wildly inaccurate and fails to actually check most stuff
         *
Wiklou, le Wiki du Wiklou