Moodle: MDL-56873

Set more secure defaults for the cURL allow/deny lists


    Details

    • Testing Instructions:
      1. Install a fresh Moodle instance (the settings being tested are not included in upgrades).
      2. Log in as an admin.
      3. Navigate to Site administration > Security > HTTP security.
      4. CONFIRM there are 8 values set for "cURL blocked hosts list" and 2 set for "cURL allowed ports list" (and that they match the values listed as their defaults).
      5. Open your private files area.
      6. Press the "Add..." button.
      7. Using the URL downloader, try to download files from the following, and CONFIRM in all cases you receive an error of "The URL is blocked.":
         • http://127.0.0.1
         • 127.0.0.1
         • http://127.0.0.1:80
         • http://localhost
         • http://localhost/<siteurl>, where siteurl is this Moodle site, e.g. http://localhost/stable_master/ (i.e. this site's homepage)
         • http://192.168.1.1
         • http://169.254.169.254
         • https://moodle.org:90
      8. Using the URL downloader, try to download files from the following, and CONFIRM in both cases you are able to successfully retrieve images without error:
         • https://moodle.org
         • https://cdn.pixabay.com/photo/2013/07/12/17/47/test-pattern-152459_960_720.png
      9. Navigate back to Site administration > Security > HTTP security.
      10. Remove all values from "cURL blocked hosts list" and replace them with "*.moodle.com".
      11. Reopen the URL downloader in the Private files area.
      12. Attempt to download images from https://tracker.moodle.org and CONFIRM you see "The URL is blocked.".
      13. Attempt to download images from http://localhost/<siteurl> (your Moodle site's homepage) and CONFIRM you no longer receive the blocked error.
      14. Attempt to download images from 127.0.0.1:90 and CONFIRM you receive a "Failed to connect" error and not a blocked URL error.
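The host and port checks that the steps above exercise, modelled in Python as an added example (this is not Moodle's own code). The default lists are constructed from the hosts the steps name, 80/443 is assumed as the two allowed ports, and the wildcard case uses the pattern `*.moodle.org` so that the test host `tracker.moodle.org` actually matches it.

```python
"""Model of the cURL blocked-hosts / allowed-ports check exercised by the testing
instructions (added example, not Moodle's own curl security code)."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed defaults: the instructions say 8 blocked hosts and 2 allowed ports
# are set but name only some hosts; 80/443 is inferred from the URLs that succeed.
DEFAULT_BLOCKED_HOSTS = ["127.0.0.1", "localhost", "192.168.1.1", "169.254.169.254"]
DEFAULT_ALLOWED_PORTS = [80, 443]
SCHEME_DEFAULT_PORTS = {"http": 80, "https": 443}


def host_is_blocked(host, blocked_hosts):
    """True if host matches any entry; entries may use shell-style wildcards
    such as "*.moodle.org" (the form step 10 configures)."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, pattern.lower()) for pattern in blocked_hosts)


def check_url(url, blocked_hosts=DEFAULT_BLOCKED_HOSTS, allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Return None if the fetch may proceed, otherwise the reason it is refused.
    Moodle shows one message ("The URL is blocked.") for both host and port cases;
    the reasons are split here so a caller can see which list fired."""
    if "://" not in url:
        url = "http://" + url          # bare "127.0.0.1" in step 7 is treated as http
    parts = urlsplit(url)
    try:
        port = parts.port or SCHEME_DEFAULT_PORTS.get(parts.scheme.lower())
    except ValueError:                 # non-numeric or out-of-range port
        return "invalid url"
    if not parts.hostname or port is None:
        return "invalid url"
    if host_is_blocked(parts.hostname, blocked_hosts):
        return "blocked host"
    if port not in allowed_ports:
        return "blocked port"
    # A production check should also resolve the hostname and test each resulting
    # IP against the blocked list, so a public name cannot point at an internal
    # address; this model only compares the literal hostname.
    return None


if __name__ == "__main__":
    for u in ["http://127.0.0.1", "https://moodle.org:90", "https://moodle.org"]:
        print(u, "->", check_url(u) or "allowed")
```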
    • Affected Branches:
      MOODLE_32_STABLE
    • Pull 3.9 Branch:
    • Pull 3.10 Branch:
      MDL-56873-310
    • Pull 3.11 Branch:
      MDL-56873-311
    • Pull Master Branch:
      MDL-56873-master
    • Story Points:
      0
    • Sprint:
      Internationals - 3.11 Sprint 7

      Description

      After MDL-48498 we have new settings for HTTP security:

      cURL blocked hosts list
      ($CFG->curlsecurityblockedhosts)

      and

      cURL allowed ports list
      ($CFG->curlsecurityallowedport)

      They are both empty by default. It makes sense to keep them empty for upgraded sites, which may already have RSS feeds pointing to local hosts or weird ports.

      However, for new installations I recommend setting reasonable defaults that blacklist various local hosts and whitelist port 80 only.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              michaelh Michael Hawkins
              Reporter:
              marina Marina Glancy
              Participants:
              Component watchers:
              Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona), Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
              Votes:
              4
              Watchers:
              7

                Dates

                Created:
                Updated:

                  Time Tracking

                  Estimated:
                  Not Specified
                  Remaining:
                  0 minutes
                  Logged:
                  1 day, 2 hours, 56 minutes