[MDL-48496] Do not show detailed error messages in the response from curl requests in rss_client - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.6.6, 2.7.3, 2.8.1
Fix Version/s: 2.7.4, 2.8.2
Component/s: Libraries
Labels:
- triaged

Affected Branches:
MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
Fixed Branches:
MOODLE_27_STABLE, MOODLE_28_STABLE
Epic Link:
Curl Security Improvements

Testing Instructions:

Hide

Test 1

Add a new Remote RSS Feeds block
Edit it to add a new feed

Provide a few URLs

Some leading to a valid/invalid RSS feed

Some leading to the discovery of a valid/invalid feed

Example of invalid one.

<html>

    <head>

        <link rel="alternate" title="La Une" href="dict://localhost:11211" type="application/rss+xml"/>

    </head>

    <body>

    </body>

</html>

Make sure that the error that is displayed when the feed is invalid is generic and does not provide any information on the system, the request, etc...

Test 2

Enable debug developer
Copy a RSS feed to your localhost (e.g. https://github.com/FMCorz.atom)
Set up the previous block to use that feed
Make sure it works
Rename the file on your localhost so that it becomes invalid
Purge your cache
Refresh the page where the block is and make sure you see an error with details
Disable debug developer
Purge your cache
Refresh the page where the block is and make sure nothing is displayed
Rename the file to what it should be
Purge your cache
Refresh the page where the block is and make sure the feed is working as expected

Show

Test 1 Add a new Remote RSS Feeds block Edit it to add a new feed Provide a few URLs Some leading to a valid/invalid RSS feed Some leading to the discovery of a valid/invalid feed Example of invalid one. <html> <head> <link rel="alternate" title="La Une" href="dict://localhost:11211" type="application/rss+xml"/> </head> <body> </body> </html> Make sure that the error that is displayed when the feed is invalid is generic and does not provide any information on the system, the request, etc... Test 2 Enable debug developer Copy a RSS feed to your localhost (e.g. https://github.com/FMCorz.atom ) Set up the previous block to use that feed Make sure it works Rename the file on your localhost so that it becomes invalid Purge your cache Refresh the page where the block is and make sure you see an error with details Disable debug developer Purge your cache Refresh the page where the block is and make sure nothing is displayed Rename the file to what it should be Purge your cache Refresh the page where the block is and make sure the feed is working as expected

Sprint:
BACKEND Sprint 19
Issue size:
Small

Description

As noted in MDL-48264, this can be used for attacks like port scanning the server from localhost.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

MDL-48496-26.mdk.patch
3 kB
10/Dec/14 6:28 PM
MDL-48496-27.mdk.patch
3 kB
10/Dec/14 6:27 PM
MDL-48496-28.mdk.patch
3 kB
10/Dec/14 6:27 PM
MDL-48496-master.mdk.patch
4 kB
10/Dec/14 6:29 PM

Issue Links

has a non-specific relationship to

MDL-48559 Web CRON should be disabled by default

Closed

has been marked as being related by

MDL-48521 Curl should not return error message in place of content

Development in progress

Activity

People

Assignee:: Frédéric Massart

Reporter:: Damyon Wiese

Peer reviewer:: Ankit Agarwal

Integrator:: Eloy Lafuente (stronk7)

Tester:: Rajesh Taneja

Participants:: Ankit Agarwal, CiBoT, Damyon Wiese, Dan Poltawski, Eloy Lafuente (stronk7), Frédéric Massart, Rajesh Taneja

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 05/Dec/14 5:13 AM

Updated:: 12/Dec/14 3:47 AM

Resolved:: 12/Dec/14 3:47 AM

Fix Release Date:: 12/Jan/15