New Feature
Resolution: Fixed
Minor
4.1
MOODLE_401_STABLE
MOODLE_401_STABLE
MDL-72486-unproxied-logging
When making a call to the outside world, code should use either new curl() or download_file_content instead of the raw PHP versions of file_get_contents or similar. Or, worst case, manually add support for the Moodle proxy to whatever you are doing.
It is probably very rare for developers to have a proxy set up, so generally code which doesn't do this correctly gets found in prod when it breaks, and it's often edge cases which don't have good test coverage, as unit testing calls to the real world isn't deterministic and so doesn't make for ideal tests.
As a result, Moodle has many of these subtle security bugs, often in third-party libraries which have not been touched in order to use the Moodle proxy.
So proposing to have some sort of debugging or logging mode which adds instrumentation to PHP to capture as many of these edge cases as possible and report on them. Ideally this is something that could be on whenever debugging is on, and it will log an issue if an outside URL is requested even if the proxy isn't configured. It might also need a separate mode for prod use which just logs all such calls to help track down the origin, as this can be quite difficult to reverse engineer.
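One way to instrument PHP as proposed above, shown as an added example and not Moodle's own code: a userland stream wrapper that takes over http:// and https://, logs the calling file and line, then hands the request back to the built-in wrapper. The class name UnproxiedCallLogger and the log format are assumptions made for this sketch.

```php
<?php
// Added example (not Moodle code): report every http(s) stream opened through
// PHP's native wrappers, e.g. file_get_contents(), fopen(), copy().
final class UnproxiedCallLogger {
    public $context;              // set by PHP when the caller passes a context
    private $handle;              // the real stream we delegate to
    private static $schemes = []; // built-in URL wrappers we replaced
    public static function enable(): void {
        self::$schemes = self::$schemes
            ?: array_intersect(['http', 'https'], stream_get_wrappers());
        foreach (self::$schemes as $scheme) {
            stream_wrapper_unregister($scheme);
            stream_wrapper_register($scheme, self::class, STREAM_IS_URL);
        }
    }
    private static function restore(): void {
        foreach (self::$schemes as $s) { stream_wrapper_restore($s); }
    }
    public function stream_open($path, $mode, $options, &$opened): bool {
        $opts = $this->context ? stream_context_get_options($this->context) : [];
        $viaproxy = empty($opts['http']['proxy']) ? 'no' : 'yes';
        $origin = 'unknown';
        foreach (debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS) as $frame) {
            if (isset($frame['file'])) {   // first frame that has a source location
                $origin = $frame['file'] . ':' . $frame['line'];
                break;
            }
        }
        // Log the host only: paths and query strings can carry tokens.
        error_log(sprintf('outbound stream host=%s proxy=%s origin=%s',
            parse_url($path, PHP_URL_HOST), $viaproxy, $origin));
        self::restore();               // let the built-in wrapper do the request
        try {
            $ctx = $this->context;
            $this->handle = $ctx ? @fopen($path, $mode, false, $ctx) : @fopen($path, $mode);
        } finally {
            self::enable();            // re-arm for the next call
        }
        return is_resource($this->handle);
    }
    public function stream_read($count) { return fread($this->handle, $count); }
    public function stream_eof(): bool { return feof($this->handle); }
    public function stream_stat() { return fstat($this->handle) ?: []; }
    public function stream_close(): void { fclose($this->handle); }
}
UnproxiedCallLogger::enable();
```

This only sees requests that go through PHP's stream wrappers; code that calls the curl extension or opens sockets directly does not pass through it and needs separate instrumentation.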