Moodle / MDL-56873

Set more secure defaults for the cURL allow/deny lists


    Details

    • Affected Branches:
      MOODLE_32_STABLE

      Description

      After MDL-48498 we have new settings for the HTTP security:

      cURL blocked hosts list
      ($CFG->curlsecurityblockedhosts)

      and

      cURL allowed ports list
      ($CFG->curlsecurityallowedport)

      They are both empty by default. It makes sense to keep them empty for upgraded sites that can already have RSS feeds pointing to local hosts or weird ports.

      However, for new installations I recommend setting reasonable defaults, blacklisting various local hosts and whitelisting port 80 only.
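An added example, not Moodle's code and not part of the original report: a small Python model of a blocked-hosts list combined with an allowed-ports list, comparing empty defaults with defaults of the kind proposed above. The list entries, the function names and the rule that an empty list disables its check are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample policies; the report does not list exact entries.
EMPTY = {"blocked_hosts": [], "allowed_ports": []}
PROPOSED = {
    "blocked_hosts": ["localhost", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                      "192.168.0.0/16", "169.254.0.0/16", "::1"],
    "allowed_ports": [80],
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def host_blocked(host, blocked_hosts):
    """True if host matches a blocked name, address or CIDR range."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname: compared by name only, no DNS lookup here
    for entry in blocked_hosts:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Entry is a name, not an address or range.
            if addr is None and host == entry.lower():
                return True
            continue
        if addr is not None and addr.version == net.version and addr in net:
            return True
    return False


def url_allowed(url, policy):
    """Assumed semantics: an empty list means that check is not enforced."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None or parts.scheme not in DEFAULT_PORTS:
        return False
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    if policy["allowed_ports"] and port not in policy["allowed_ports"]:
        return False
    return not host_blocked(host, policy["blocked_hosts"])
```

Because this model compares hostnames by name only, a public name that resolves to a blocked address passes the check; a real filter also has to check the resolved addresses. With port 80 as the only allowed port, `https://` feeds on 443 are rejected as well, which is the kind of breakage that motivates leaving upgraded sites unchanged.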


              People

              Assignee: Unassigned
              Reporter: Marina Glancy (marina)
              Component watchers: Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
              Votes: 4
              Watchers: 8
