Moodle / MDL-56873

Set more secure defaults for the cURL whitelist/blacklist

    Details

    • Affected Branches:
      MOODLE_32_STABLE

      Description

      After MDL-48498 we have new settings for the HTTP security:

      cURL blocked hosts list
      ($CFG->curlsecurityblockedhosts)

      and

      cURL allowed ports list
      ($CFG->curlsecurityallowedport)

      They are both empty by default. It makes sense to keep them empty for upgraded sites that can already have RSS feeds pointing to local hosts or weird ports.

      However, for new installations I recommend setting reasonable defaults, blacklisting various local hosts and whitelisting port 80 only.

              People

              • Assignee:
                Unassigned
                Reporter:
                marina Marina Glancy
                Component watchers:
                Andrew Nicols, Mathew May, Michael Hawkins, Shamim Rezaie, Simey Lameze, Amaia Anabitarte, Bas Brands, Carlos Escobedo, Sara Arjona (@sarjona), Víctor Déniz Falcón, Adrian Greeve, Mihail Geshoski, Peter Dias
              • Votes:
                1
                Watchers:
                6
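
A minimal model of how a blocked-hosts list and an allowed-ports list gate an outgoing request, added here as an illustration; it is not Moodle's implementation. The list entries, the entry formats (hostname, IP, CIDR) and the `resolve` hook are assumptions, and an empty list is treated as "no restriction", as with the empty defaults described in the issue.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values for illustration, not Moodle's shipped defaults.
BLOCKED_HOSTS = ["localhost", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "169.254.0.0/16", "::1"]
ALLOWED_PORTS = [80]  # "port 80 only", as the issue recommends
DEFAULT_PORTS = {"http": 80, "https": 443}


def _split_entries(entries):
    """Separate IP/CIDR entries from plain hostname entries."""
    nets, names = [], set()
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.add(entry.lower())
    return nets, names


def url_is_blocked(url, blocked=BLOCKED_HOSTS, ports=ALLOWED_PORTS, resolve=None):
    """Return a reason string if the URL must not be fetched, else None.

    resolve is a hypothetical hook (hostname -> list of IP strings) so that
    names pointing at internal addresses are caught as well.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in DEFAULT_PORTS or not host:
        return "unsupported scheme or missing host"
    try:
        port = parts.port
    except ValueError:
        return "invalid port"
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    if ports and port not in ports:  # empty list: every port allowed
        return f"port {port} not allowed"
    nets, names = _split_entries(blocked)
    if host in names:
        return f"host {host} is blocked"
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:  # not an IP literal: use the resolver if one is given
        addrs = [ipaddress.ip_address(a) for a in (resolve(host) if resolve else [])]
    for addr in addrs:
        if any(addr.version == n.version and addr in n for n in nets):
            return f"address {addr} is blocked"
    return None
```

With port 80 as the only allowed port, plain `https://` URLs on 443 are rejected too, which is worth checking against the feeds a site actually uses.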

                Dates

                • Created:
                  Updated: