Moodle

PARAM_URL/PARAM_LOCALURL does not accept http://localhost/ or other hosts on intranets

Details

  • Type: Bug
  • Status: Closed
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: 1.8
  • Fix Version/s: 1.8.4, 1.9
  • Component/s: Libraries
  • Labels:
    None
  • Affected Branches:
    MOODLE_18_STABLE
  • Fixed Branches:
    MOODLE_18_STABLE, MOODLE_19_STABLE

Description

Judging from inline comments this is a known issue:

// PARAM_URL requires a genuine TLD (I think) This breaks my testing
$temp_wwwroot = clean_param($form->wwwroot, PARAM_URL);
if ($temp_wwwroot !== $form->wwwroot) {
    trigger_error("We now parse the wwwroot with PARAM_URL. Your URL will need to have a valid TLD, etc.");
    error(get_string("invalidurl", 'mnet'), 'peers.php');
    exit;
}
unset($temp_wwwroot);

I do not think that we need to clean the URL that is submitted by admin, because mnet should be IMHO usable in intranets that are using company.local or company.lan domains too.

Activity

Martín Langhoff added a comment -

Agree that it should be usable on intranets. But if we use PARAM_RAW we would need some extra validation. PARAM_URL internally uses functions from lib/validateurlsyntax.php - perhaps we can add an option to relax domain checks.

Donal McMullan added a comment -

I'd be happy to implement a PARAM_URL_LOCAL (or similar) in the filters, that replicates PARAM_URL but does not require a valid TLD.
Please advise - cheers.

Donal

Petr Škoda (skodak) added a comment -

I have changed PARAM_URL recently - it validates a reasonable-looking domain, though localhost does not pass through (but localhost.localdomain does).
I think this was fixed by that MDL-11462

Tim Hunt added a comment -

This really is lower level bug than the summary suggests. I found this because of MDL-11880. It is clearly also causing a problem for mnet too. I think we need to fix this.

Options are to

1. hack validateUrlSyntax, which insists that the host name contains at least one dot, or

2. add an override outside validateUrlSyntax.

This is a third party library, but it was last updated in 2004. The URL in the comment at the top of the file does not lead to a more up-to-date version, and a Google search just finds Moodle and Mahara references, so I say hack the library. I think we just need to remove the variable $domain_secondary where it is defined, and where it is used in constructing the regexp.
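
The two host-name rules discussed in this comment, as an added PHP sketch that is not part of the original thread and is not Moodle's or validateUrlSyntax's code. The function names, the regular expression and the sample URLs are assumptions made for illustration, and the empty-string return on failure is assumed from the comparison in the mnet snippet in the description.

```php
<?php
// Added illustration: not Moodle's clean_param() and not lib/validateurlsyntax.php.
// host_label_ok(), url_host_ok() and clean_url_sketch() are hypothetical names.

// One DNS label: letters, digits, hyphens; no leading or trailing hyphen; max 63 chars.
function host_label_ok(string $label): bool {
    return (bool) preg_match('/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i', $label);
}

// $requiredot = true models the behaviour reported in this issue (at least one
// dot in the host name); false models the relaxed rule proposed in the thread.
function url_host_ok(string $url, bool $requiredot): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $labels = explode('.', $parts['host']);
    if ($requiredot && count($labels) < 2) {
        return false;   // single-label hosts such as "localhost" stop here
    }
    foreach ($labels as $label) {
        if (!host_label_ok($label)) {
            return false;   // empty labels and characters such as "_" are rejected
        }
    }
    return true;
}

// Assumed contract, matching how the mnet snippet compares input and output:
// the value comes back unchanged when valid and as '' when not.
function clean_url_sketch(string $url, bool $requiredot): string {
    return url_host_ok($url, $requiredot) ? $url : '';
}

// Constructed sample inputs, built from host names mentioned on this page.
$samples = ['http://localhost/', 'http://localhost.localdomain/',
            'http://moodle.company.lan/', 'http://bad_host/'];
foreach ($samples as $url) {
    $strict  = clean_url_sketch($url, true)  === $url ? 'pass' : 'fail';
    $relaxed = clean_url_sketch($url, false) === $url ? 'pass' : 'fail';
    printf("%-32s strict=%s relaxed=%s\n", $url, $strict, $relaxed);
}
```

Only http://localhost/ changes outcome between the two modes; the relaxed rule still rejects malformed labels, so dropping the dot requirement does not turn the check into a pass-through.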

Petr Škoda (skodak) added a comment -

My +1 for the hack in library + note there

Tim Hunt added a comment -

The only thing that occurred to me - are there any potential security issues with letting evil people type local LAN URLs into your Moodle? I can't immediately think of any.

Petr Škoda (skodak) added a comment -

I can not find any reasons either

Tim Hunt added a comment -

Right, I'll take this bug, and try to get it fixed today.

Tim Hunt added a comment -

OK, fix checked in.

