Comment 1 for bug 1394820

I was just discussing this with Hugh. Limiting the allowed URLs to specific protocols, IP addresses, and ports, is fairly easy.

What's more difficult, is preventing redirection to bad URLs. That's because we use the PHP curl module's "CURLOPT_FOLLOWLOCATION" setting, which automatically follows redirects in the link.

So there are two possible solutions:

1. (Quick and dirty) Disable CURLOPT_FOLLOWLOCATION for RSS blocks. This is less desirable because it will also reduce functionality. A user might, for instance, have an RSS feed at https://www.example.com/atom.xml but they're used to entering it as http://example.com and letting the server redirect it to the right place.

2. We could add some code to be smarter than CURLOPT_FOLLOWLOCATION. One suitable library is the "safecurl" project, which is meant to be a drop-in replacement for the PHP curl_exec() command. https://github.com/fin1te/safecurl