
Set more secure defaults for the cURL allow/deny lists


    • MOODLE_311_STABLE, MOODLE_32_STABLE, MOODLE_400_STABLE
    • MOODLE_400_STABLE
    • MDL-56873-master
    • 1. Install a fresh Moodle instance (the settings being tested are not included in upgrades).
      2. Log in as an admin.
      3. Navigate to Site administration > Security > HTTP security.
      4. CONFIRM there are 8 values set for "cURL blocked hosts list" and 2 set for "cURL allowed ports list" (and that they match the values listed as their defaults).
      5. Open your private files area.
      6. Press the "Add..." button.
      7. Using the URL downloader, try to download files from the following, and CONFIRM in all cases you receive an error of "The URL is blocked.":
          • http://127.0.0.1
          • 127.0.0.1
          • http://127.0.0.1:80
          • http://localhost
          • http://localhost/<siteurl> where siteurl is this Moodle site, eg http://localhost/stable_master/ (ie this site's homepage).
          • http://192.168.1.1
          • http://169.254.169.254
          • https://moodle.org:90
      8. Using the URL downloader, try to download files from the following, and CONFIRM in both cases you are able to successfully retrieve images without error:
          • https://moodle.org
          • https://cdn.pixabay.com/photo/2013/07/12/17/47/test-pattern-152459_960_720.png
      9. Navigate back to Site administration > Security > HTTP security.
      10. Remove all values from "cURL blocked hosts list" and replace them with "*.moodle.org".
      11. Reopen the URL downloader in the Private files area.
      12. Attempt to download url_blocked.png and CONFIRM you see "The URL is blocked.".
      13. Attempt to download images from http://localhost/<siteurl> (your Moodle site's homepage) and CONFIRM you no longer receive the blocked error.
      14. Attempt to download images from 127.0.0.1:90 and CONFIRM you see "The URL is blocked".
      15. Navigate back to Site administration > Security > HTTP security.
      16. Remove all values from "cURL allowed ports list".
      17. Using the URL downloader, attempt to download images from 127.0.0.1:90 and CONFIRM you receive a "Failed to connect" error and not a blocked URL error.
    • Internationals - 3.11 Sprint 7, Internationals - 3.11 Sprint 8, Internationals - 3.11 Sprint 9, Internationals - 4.0 Sprint 1, HQ Team International Sprint 2

      After MDL-48498 we have new settings for the HTTP security:

      cURL blocked hosts list
      ($CFG->curlsecurityblockedhosts)

      and

      cURL allowed ports list
      ($CFG->curlsecurityallowedport)

      They are both empty by default. It makes sense to keep them empty for upgraded sites, which may already have RSS feeds pointing to local hosts or unusual ports.

      However, for new installations I recommend setting reasonable defaults that blacklist various local hosts and whitelist port 80 only.
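The following is an added example, not Moodle's own curl_security_helper code: a small Python model of how a blocked hosts list (literal hosts, CIDR ranges and "*.example" wildcards) and an allowed ports list decide whether the URL downloader should refuse a URL, driven through the URLs from the testing instructions above. The blocked-host entries, the allowed ports and the DNS stand-in are constructed for the example and are not the defaults this issue ships.

```python
import ipaddress
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed lists, shaped like the issue's test steps (not Moodle's shipped defaults).
BLOCKED_HOSTS = ["127.0.0.1", "localhost", "192.168.0.0/16", "169.254.0.0/16"]
ALLOWED_PORTS = ["80", "443"]

# Constructed DNS stand-in so the example runs offline (addresses are documentation ranges).
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "moodle.org": ["203.0.113.10"],
    "tracker.moodle.org": ["203.0.113.11"],
    "cdn.pixabay.com": ["198.51.100.7"],
}


def is_blocked(url, blocked_hosts, allowed_ports, resolve=FAKE_DNS.get):
    """Return True when the URL should be refused with 'The URL is blocked.'.

    Order matters: the port is checked first, then the host name and every
    address it resolves to are compared against the blocked list, so a
    friendly name that points at a loopback or link-local address is still caught.
    """
    if "://" not in url:
        url = "http://" + url  # a bare host[:port] is treated as http, as in the test steps
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)

    # An empty allowed-ports list means any port may be used (step 17 in the instructions).
    if allowed_ports and str(port) not in allowed_ports:
        return True

    # Candidate addresses: the literal IP if the host is one, else its resolved addresses.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in (resolve(host) or [])]

    for entry in blocked_hosts:
        entry = entry.lower()
        if "/" in entry:  # CIDR range
            net = ipaddress.ip_network(entry, strict=False)
            if any(a in net for a in addrs):
                return True
        elif fnmatch(host, entry) or any(str(a) == entry for a in addrs):
            return True  # wildcard/literal host name, or a literal address
    return False
```

Note that the wildcard "*.moodle.org" matches tracker.moodle.org but not the bare moodle.org, which is why step 13's localhost URL passes once the list holds only that wildcard.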

        1. url_blocked.png (21 kB)
        2. MDL-56873.jpg (44 kB)
        3. MDL-56873 (2).jpg (25 kB)

            Michael Hawkins
            Marina Glancy
            Shamim Rezaie
            Eloy Lafuente (stronk7)
            Anna Carissa Sadia
            Votes: 4
            Watchers: 10


                Estimated: Not Specified
                Remaining: 0 minutes
                Logged: 2 days, 1 hour, 18 minutes
