  1. Moodle
  2. MDL-58057

Config values not properly cleaned in curl_security_helper

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.2.1
    • Fix Version/s: 3.2.2
    • Component/s: Files API
    • Labels:
    • Testing Instructions:

      1. Make sure developer mode is enabled
      2. Under http security, set the allowed ports to:
        80
        443
      3. Add a var_dump after this line here:
        https://github.com/moodle/moodle/blob/master/lib/classes/files/curl_security_helper.php#L169
      4. Now, add a file resource to a course and select the file using URL downloader.
      5. Pick an existing file, for example 'http://localhost/xxx.png'
      6. Look at the var dump in the dialogue, and confirm that you only see strings like this "80" and "443", i.e. with no gaps after the numbers like "443 " or "80 ".
    • Affected Branches:
      MOODLE_32_STABLE
    • Fixed Branches:
      MOODLE_32_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-58057-master

      Description

      Must have missed this one during development given the unit tests were passing. It doesn't even pop up when testing using the UI, but still should be addressed.

      Basically, there are leftover carriage returns in the array elements of get_whitelisted_ports because I exploded on newline and forgot to trim. This function should behave the same exact way as get_blacklisted_hosts, which as you can see has the necessary array_map('trim',... already.
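
The defect described above, reproduced outside Moodle as an added example (this is not the project's code). The function names, the strict membership check and the sample setting value are assumptions made for illustration; only the explode-on-newline and array_map('trim', ...) steps come from the issue text.

```php
<?php
// Added example: stand-alone functions, not Moodle's curl_security_helper code.

// Constructed sample: a multi-line setting saved with CRLF line endings,
// including one blank line between the two ports.
$setting = "80\r\n\r\n443\r\n";

/** Split on "\n" only and drop empty strings: the untrimmed behaviour the issue describes. */
function parse_ports_untrimmed(string $raw): array {
    return array_values(array_filter(explode("\n", $raw), function ($entry) {
        return $entry !== '';
    }));
}

/** Same split, but trim every entry before filtering (the array_map('trim', ...) step). */
function parse_ports_trimmed(string $raw): array {
    return array_values(array_filter(array_map('trim', explode("\n", $raw)), function ($entry) {
        return $entry !== '';
    }));
}

/** Hypothetical strict allowlist check: no type juggling, so "443\r" never equals "443". */
function port_is_allowed(string $port, array $allowed): bool {
    return in_array($port, $allowed, true);
}

$variants = [
    'untrimmed' => parse_ports_untrimmed($setting),
    'trimmed'   => parse_ports_trimmed($setting),
];

foreach ($variants as $label => $ports) {
    // json_encode escapes control characters, which makes stray "\r" visible
    // in the same way the var_dump check in the testing instructions does.
    printf(
        "%-9s list=%s 443 allowed=%s\n",
        $label,
        json_encode($ports),
        var_export(port_is_allowed('443', $ports), true)
    );
}
```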

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  13/Mar/17