moodle/moodle
3
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-08-06 09:26:35 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDL-72203 curl: Revert original fix of redirects to blocked URLs

Browse source 
This reverts the original fix introduced in MDL-71916. It introduced an
extra native cURL call inside curl_security_helper to check if the given
URL triggers a redirect to a blocked URL or not.

Shortly after the release, a couple of regressions were reported as a
result of the integrated solution. It was agreed to revert the fix and
progress with implementing an alternative approach.
This commit is contained in:
David Mudrák 2021-07-22 23:10:11 +02:00 committed by Michael Hawkins
parent 2c69199ca1
commit 5068469f6f
1 changed files with 3 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

28
lib/classes/files/curl_security_helper.php
View file

@ -60,10 +60,9 @@ class curl_security_helper extends curl_security_helper_base {
* could not be parsed, as well as those valid URLs which were found in the blocklist.
*
* @param string $urlstring the URL to check.
* @param int $maxredirects Optional number of maximum redirects to follow - prevents infinite recursion.
* @return bool true if the URL is blocked or invalid and false if the URL is not blocked.
*/
public function url_is_blocked($urlstring, $maxredirects = 3) {
public function url_is_blocked($urlstring) {
// If no config data is present, then all hosts/ports are allowed.
if (!$this->is_enabled()) {
return false;
@ -86,30 +85,9 @@ class curl_security_helper extends curl_security_helper_base {
}
if ($parsed['port'] && $parsed['host']) {
// Check the host and port against the allow/block entries, and that we have not run out of redirects.
if ($this->host_is_blocked($parsed['host']) || $this->port_is_blocked($parsed['port']) || $maxredirects < 1) {
return true;
}
// Check if the host has a redirect in place, without following it.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $urlstring);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_exec($ch);
$curlinfo = curl_getinfo($ch);
$redirecturl = $curlinfo['redirect_url'];
if (!$redirecturl) {
return false;
}
// Recursively check redirects, until final URL checked, redirects to a blocked host/port, or has too many redirects.
$maxredirects--;
return $this->url_is_blocked($redirecturl, $maxredirects);
// Check the host and port against the allow/block entries.
return $this->host_is_blocked($parsed['host']) || $this->port_is_blocked($parsed['port']);
}
return true;
}