Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-57983

Consider how curl security checks should be handled during site upgrade

XMLWordPrintable

    • Icon: Improvement Improvement
    • Resolution: Unresolved
    • Icon: Minor Minor
    • None
    • 3.2
    • Administration
    • None
    • MOODLE_32_STABLE

      Originally discovered when working on MDL-57274, just creating this issue for discussion. In short, any curl security settings (blocked hosts, ports) are currently left in place during the core and non core upgrade calls and in the plugin update checker. This means that an admin may block '*.moodle.org' (for whatever reason) and break language pack upgrades and plugin update checks.

      My original proposal was to disable the security checks when upgrading (reinstating after upgrade), as my feeling was that these restrictions were in place to stop users from abusing things like the url downloader, and not to block things like core upgrades. However, I'm no expert on how users expect this setting to work, and when they expect it to be honoured, hence I'm raising this issue.

      Here's a test branch demonstrating the changes which would disable the checks during upgrade and when checking for plugin updates:

      https://github.com/moodle/moodle/compare/7a3b115d374...snake:MDL-57983-master

            Unassigned Unassigned
            jaked Jake Dallimore
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.