Moodle / MDL-75372

Add logging for urls which fail the curl security helper blocking


    • MOODLE_400_STABLE
    • MOODLE_403_STABLE
    • MDL-75372-url_blocked
    • Easy

      Admin

      1. On /admin/category.php?category=security add a hostname to the curlsecurityblockedhosts
      2. Create a course with assignment activity (Online text submission type) and enrol a user

      Subscribed user

      Make a submission to the assignment for the course created in Admin step 2:

      1. Insert or edit image
      2. Browse repositories
      3. URL downloader - enter a URL from the site whose hostname was added to the curlsecurityblockedhosts
        Assert that "Blocked URL" error is displayed.

      Admin

      Go to the Logs page /report/log/index.php:

      1. Filter for User and Create actions.
        Assert that "Blocked URL" event is in the list.
        Assert that the event is logged in the web server log files.

      A note

      If during submission the user does not go through the URL downloader workflow, i.e. enters the URL directly, the URL is not being checked against curlsecurityblockedhosts and will not trigger a "Blocked URL" event.


      We've had a few examples of voodoo that have been quite hard to diagnose which we eventually traced back to this. 

            srdjan Srdjan Jankovic
            brendanheywood Brendan Heywood
            Brendan Heywood Brendan Heywood
            Ilya Tregubov Ilya Tregubov
            Ron Carl Alfon Yu Ron Carl Alfon Yu
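
A sketch of the behaviour the testing steps above verify, as an added example that is not Moodle's code: a blocked-host check that records a "Blocked URL" event and writes a log line when it refuses a URL. The function names, event fields, wildcard and CIDR matching, and the sample hosts are assumptions made for illustration.

```python
import ipaddress
import logging
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

log = logging.getLogger("curl_security")

# Constructed sample blocklist (reserved .example names, private range).
BLOCKED = ["blocked.example", "*.internal.example", "10.0.0.0/8"]

def match_blocked(host, blocked):
    """Return the blocklist entry that matches host, or None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a name, not an IP literal
    for entry in (e.strip().lower() for e in blocked):
        if ip is None:
            if fnmatchcase(host, entry):
                return entry
            continue
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return entry
        except ValueError:
            pass  # entry is a hostname pattern, not an IP or CIDR
    return None

def check_url(url, userid, events, blocked=BLOCKED):
    """Return True if url may be fetched; otherwise record a 'Blocked URL' event."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        host = ""
    # Fail closed: a URL with no parseable host is treated as blocked.
    entry = match_blocked(host, blocked) if host else "(no host)"
    if entry is None:
        return True
    # Keep the URL, the matching rule and the user so the block can be diagnosed later.
    events.append({"event": "Blocked URL", "userid": userid, "url": url, "matched": entry})
    # %r escapes control characters, so a crafted URL cannot forge extra log lines.
    log.warning("Blocked URL: %r matched %r (user %s)", url, entry, userid)
    return False

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    seen = []
    for u in ("https://blocked.example/a.png", "https://allowed.example/a.png"):
        print(u, "->", "allowed" if check_url(u, 42, seen) else "blocked")
```

As in the note in the testing instructions, a URL that never passes through `check_url` produces no event, so the log only covers fetch paths that call the check.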