Patch Exchange Autodiscover Code for Security Issue
The change removes the unauthenticated GET fallback attempt for the
Autodiscover process. Given that the Autodiscover code is functionally broken
and this fallback attempt wouldn't succeed unless an attacker faked a success
response, a good way to patch the security issue is to disable the attempt.
The change also updates the request content type, disables automatic
redirects, and allows for parsing namespaces to help the first two attempts
succeed. As this is not meant to be a functional patch but a security patch,
there are no further changes to the Autodiscover code.
2 files changed