  1. Moodle
  2. MDL-75372

Add logging for urls which fail the curl security helper blocking


    • MOODLE_400_STABLE
    • MOODLE_403_STABLE
    • MDL-75372-url_blocked
    • Easy

      Admin

      1. On /admin/category.php?category=security add a hostname to the curlsecurityblockedhosts
      2. Create a course with assignment activity (Online text submission type) and enrol a user

      Subscribed user

      Make a submission to the assignment in the course created in Admin step 2:

      1. Insert or edit image
      2. Browse repositories
      3. URL downloader - enter a URL from the site whose hostname was added to the curlsecurityblockedhosts
        Assert that the "Blocked URL" error is displayed.

      Admin

      Go to the Logs page /report/log/index.php:

      1. Filter for User and Create actions.
        Assert that the "Blocked URL" event is in the list.
        Assert that the event is logged in the web server log files.

      A note

      If during submission the user does not go through the URL downloader workflow, i.e. enters the URL directly, the URL is not checked against curlsecurityblockedhosts and will not trigger a "Blocked URL" event.


      We've had a few examples of voodoo that have been quite hard to diagnose which we eventually traced back to this. 

        1. MDL-75372.png
          939 kB
          Ron Carl Alfon Yu

            srdjan Srdjan Jankovic
            brendanheywood Brendan Heywood
            Brendan Heywood Brendan Heywood
            Ilya Tregubov Ilya Tregubov
            Ron Carl Alfon Yu Ron Carl Alfon Yu

                Original Estimate: Not Specified
                Remaining Estimate: 0 minutes
                Time Spent: 45 minutes
