Bug
Resolution: Fixed
Major
3.9.8, 3.10.5, 3.11.1
MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE
MDL-72203-master-2
The original security issue MDL-71916 fix was released in 3.11.1 and it introduced an extra native cURL call inside curl_security_helper to check if the given URL triggers a redirect or not.
Shortly after the release, a couple of regressions were reported as a result of the integrated solution, as it could unintentionally cause some requests to fail (such as those using one-time access URLs/tokens, as they do not support being requested more than once). It was agreed to revert the fix in MDL-71916 and progress with implementing the alternative approach as outlined by Brendan there:
So I think we should tell curl to not follow redirects, and then if it comes back with a redirect header then we loop in PHP, call $this->check_securityhelper_blocklist again and then replace the curl again. This will mean we have to re-implement the logic around correctly handling a 301 / 304 307 differently. This way if there is no redirect then we don't waste a second call.
This issue is created to provide this alternative fix.
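A sketch of the redirect loop described above, added here as an illustration and not taken from Moodle's curl class or curl_security_helper. All function names, the injected `$transport` callable, the blocklist hosts and the sample responses are assumptions. Each URL is requested exactly once and the blocklist is re-checked before every hop, so one-time token URLs are not consumed by a probe request.

```php
<?php
// Added example with hypothetical names; not Moodle's curl class or curl_security_helper.
// Stand-in for the security helper's blocklist check (constructed host list).
function url_is_blocked(string $url): bool {
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    return in_array($host, ['127.0.0.1', 'localhost'], true);
}
// Resolve a Location header; only absolute and root-relative values are handled here.
function resolve_location(string $base, string $location): string {
    if (is_string(parse_url($location, PHP_URL_SCHEME))) {
        return $location;
    }
    $p = parse_url($base);
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    return $p['scheme'] . '://' . $p['host'] . $port . '/' . ltrim($location, '/');
}
// $transport($method, $url) makes ONE request with redirect following off
// (CURLOPT_FOLLOWLOCATION => false) and returns ['status', 'location', 'body'].
function fetch_checked(callable $transport, string $method, string $url, int $maxhops = 5): array {
    for ($hop = 0; $hop <= $maxhops; $hop++) {
        if (url_is_blocked($url)) {
            return ['status' => 0, 'location' => null, 'body' => '', 'error' => "blocked: $url"];
        }
        $r = $transport($method, $url);
        if (!in_array($r['status'], [301, 302, 303, 307, 308], true) || empty($r['location'])) {
            return $r; // Not a redirect (304 Not Modified included): final response.
        }
        // 307/308 keep the method; 303 switches to GET; 301/302 turn POST into GET.
        if ($r['status'] === 303 || (in_array($r['status'], [301, 302], true) && $method === 'POST')) {
            $method = ($method === 'HEAD') ? 'HEAD' : 'GET';
        }
        $url = resolve_location($url, $r['location']);
    }
    return ['status' => 0, 'location' => null, 'body' => '', 'error' => 'too many redirects'];
}
// Constructed responses standing in for the network.
$routes = [
    'https://files.example.test/once?token=abc' => ['status' => 302, 'location' => '/download/1', 'body' => ''],
    'https://files.example.test/download/1' => ['status' => 200, 'location' => null, 'body' => 'file'],
    'https://redirector.example.test/r' => ['status' => 301, 'location' => 'http://127.0.0.1/admin', 'body' => ''],
];
$calls = [];
$transport = function (string $method, string $url) use ($routes, &$calls): array {
    $calls[] = "$method $url";
    return $routes[$url] ?? ['status' => 404, 'location' => null, 'body' => ''];
};
var_dump(fetch_checked($transport, 'POST', 'https://files.example.test/once?token=abc')['body']);
var_dump(fetch_checked($transport, 'GET', 'https://redirector.example.test/r')['error']);
print_r($calls); // The blocked loopback target never appears in the request log.
```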