Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-76370

Public / private paths security report is inaccurate when using HTTP proxy

    XMLWordPrintable

Details

    Description

      Admin -> reports -> security report's core_publicpaths security check will misinterpret the CONNECT response of an outbound HTTP proxy as the destination's response

      You can reproduce by setting a HTTP proxy, tested against squid but should apply to all, like so:

      $CFG->proxyhost = 'outbound-proxy';
      $CFG->proxyport = 3128;
      $CFG->proxytype = 'HTTP';
      

      And loading the "Check all public / private paths" security check
      Note that every path shows a 200 no matter what the real response is

      This happens because the response, coming back from curl, looks like this:

      HTTP/1.1 200 Connection established
      HTTP/1.1 404 Not FoundĀ 
      

      And the code from line 233 on publicpaths.php just grabs the first line of response

      This can be fixed by using CURLOPT_SUPPRESS_CONNECT_HEADERS to make the first line the destination's response

      I did this in the form of adding `'suppress_connect_headers' => true` to line 214 of same file and confirmed report is now accurate

      In my testing and per curl docs this does not have any effect if a HTTP proxy is not used in that particular curl handle so should be safe to do so even without a proxy set

      Cheers

      Attachments

        Issue Links

          Activity

            People

              jaydn Jaydn Cunningham
              jaydn Jaydn Cunningham
              Brendan Heywood Brendan Heywood
              Paul Holden Paul Holden
              Kim Jared Lucas Kim Jared Lucas
              Votes:
              1 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 3 hours, 22 minutes
                  3h 22m

                  Clockify

                    Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.