Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-69205

Adding a new Check - test https and directory slash redirects

    XMLWordPrintable

Details

    • MOODLE_310_STABLE
    • Hide
      1. Set up a moodle with https
      2. Clone this patch and go to https://moodle.local/report/security/index.php?detail=core_httpwebserver

      There are 6 checks that happen on this page. I've outlined below how to fix/make each of them fail.

      For each check outlined below:

      1. Change your apache/nginx config
      2. Restart the web server to load in the new config
      3. Refresh the check page and check the resulting table. Any errors should show a red background in the results column. Passing tests will have a normal background.
      4. Make sure each test failed HTTP code does NOT match the expected HTTP code. Make sure the failed urls do NOT match the expected URLs.
      5. If the test passes, check that the HTTP code and URL do match the expected ones.

      urlthatdoesnotexist
      I don't know how to make this one fail, on http an invalid url is always giving me a 404. Maybe this test should be removed.

      dashboardnoslash
      to make this fail, add DirectorySlash Off to your /etc/apache2/apache2.conf

      <Directory /var/www/>
      		 
       DirectorySlash Off
      		 
       Options FollowSymLinks
      		 
       AllowOverride None
      		 
       Require all granted
      		 
      </Directory>

      directorylisting
      to make this fail, insert the Indexes option to the directory where your moodle is. eg. open the file /etc/apache2/apache2.conf and change

       

      <Directory /var/www/>
      		 
       Options FollowSymLinks
      		 
       AllowOverride None
      		 
       Require all granted
      		 
      </Directory>

      to

      <Directory /var/www/>
      		 
       Options Indexes FollowSymLinks
      		 
       AllowOverride None
      		 
       Require all granted
      		 
      </Directory>

      httpdashboardnoslash & httpurlnoredirect & httpurlthatdoesnotexist
      Comment out the redirect in apache2 virtualhosts file for me on ubuntu located at: /etc/apache2/sites-available/000-default.conf

      <VirtualHost moodle.local:80>
      		 
       #Redirect "/" "https://moodle.local/"
      		 
       ErrorDocument 403 /var/www/moodle/error/index.php
      		 
       DocumentRoot /var/www/moodle
      		 
      </VirtualHost>

      These http -> https tests could also be done by disabling the rewrite module if using that to do the rewrites. sudo a2dismod rewrite

       

       

      For a correctly configured moodle site and server, we should see the check return OK.

      Show
      Set up a moodle with https Clone this patch and go to https://moodle.local/report/security/index.php?detail=core_httpwebserver There are 6 checks that happen on this page. I've outlined below how to fix/make each of them fail. For each check outlined below: Change your apache/nginx config Restart the web server to load in the new config Refresh the check page and check the resulting table. Any errors should show a red background in the results column. Passing tests will have a normal background. Make sure each test failed HTTP code does NOT match the expected HTTP code. Make sure the failed urls do NOT match the expected URLs. If the test passes, check that the HTTP code and URL do match the expected ones. urlthatdoesnotexist I don't know how to make this one fail, on http an invalid url is always giving me a 404. Maybe this test should be removed. dashboardnoslash to make this fail, add DirectorySlash Off to your /etc/apache2/apache2.conf <Directory /var/www/> DirectorySlash Off Options FollowSymLinks AllowOverride None Require all granted </Directory> directorylisting to make this fail, insert the Indexes option to the directory where your moodle is. eg. open the file /etc/apache2/apache2.conf and change   <Directory /var/www/> Options FollowSymLinks AllowOverride None Require all granted </Directory> to <Directory /var/www/> Options Indexes FollowSymLinks AllowOverride None Require all granted </Directory> httpdashboardnoslash & httpurlnoredirect & httpurlthatdoesnotexist Comment out the redirect in apache2 virtualhosts file for me on ubuntu located at: /etc/apache2/sites-available/000-default.conf <VirtualHost moodle.local: 80 > #Redirect "/" "https://moodle.local/" ErrorDocument 403 /var/www/moodle/error/index.php DocumentRoot /var/www/moodle </VirtualHost> These http -> https tests could also be done by disabling the rewrite module if using that to do the rewrites. sudo a2dismod rewrite     For a correctly configured moodle site and server, we should see the check return OK.

    Description

      https://docs.moodle.org/dev/Check_API

      We want to put some new checks in core moodle to assert that the url is being rewritten properly. There are different server configurations and php level code that can affect this and when it's incorrect can prevent files from loading or result in 404 errors.

      All of this ONLY applies on https

      Do some low level curls and assert:

      • /my on http redirects to /my on https, OR /my/ on https
      • /my/ on http redirects to /my/ on https OR to the /login on https, but NOT /login on http
      • /dontexist on http redirects to /dontexist on https
      • /pluginfile/xxxxx/.js should not redirect to end in a slash

      If the site is not https (why???) then assert these instead:

      • /my -> /my/
      • /dontexist -> 404
      • /pluginfile/xxxxx/.js should not redirect to end in a slash

      Attachments

        Issue Links

          has been marked as being related by

          Improvement - An enhancement to an existing Moodle feature. MDL-71377 Add a security check around the X-MOODLEUSER header

          • Minor - Minor loss of function where workaround is possible
          • Open
          is blocked by

          Improvement - An enhancement to an existing Moodle feature. MDL-69333 Reduce ability to fingerprint a server with a htaccess-dist / nginx file / docs

          • Minor - Minor loss of function where workaround is possible
          • Closed

          Activity

            People

              brendanheywood Brendan Heywood
              kristianr Kristian Ringer
              Brendan Heywood Brendan Heywood
              Andrew Lyons Andrew Lyons
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
              Votes:
              1 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 10 minutes
                  10m