Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-76370

Public / private paths security report is inaccurate when using HTTP proxy

    XMLWordPrintable

Details

    Description

      Admin -> reports -> security report's core_publicpaths security check will misinterpret the CONNECT response of an outbound HTTP proxy as the destination's response

      You can reproduce by setting a HTTP proxy, tested against squid but should apply to all, like so:

      $CFG->proxyhost = 'outbound-proxy';
      $CFG->proxyport = 3128;
      $CFG->proxytype = 'HTTP';
      

      And loading the "Check all public / private paths" security check
      Note that every path shows a 200 no matter what the real response is

      This happens because the response, coming back from curl, looks like this:

      HTTP/1.1 200 Connection established
      HTTP/1.1 404 Not FoundĀ 
      

      And the code from line 233 on publicpaths.php just grabs the first line of response

      This can be fixed by using CURLOPT_SUPPRESS_CONNECT_HEADERS to make the first line the destination's response

      I did this in the form of adding `'suppress_connect_headers' => true` to line 214 of same file and confirmed report is now accurate

      In my testing and per curl docs this does not have any effect if a HTTP proxy is not used in that particular curl handle so should be safe to do so even without a proxy set

      Cheers

      Attachments

        1. (I) Passed -- (400)MDL-76370.png
          100 kB
          Kim Jared Lucas
        2. (I) Passed -- (401)MDL-76370.png
          103 kB
          Kim Jared Lucas
        3. (I) Passed -- (Master)MDL-76370.png
          97 kB
          Kim Jared Lucas

        Issue Links

          Activity

            People

              jaydn Jaydn Cunningham
              jaydn Jaydn Cunningham
              Brendan Heywood Brendan Heywood
              Paul Holden Paul Holden
              Kim Jared Lucas Kim Jared Lucas
              Votes:
              1 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 3 hours, 22 minutes
                  3h 22m

                  Clockify

                    Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.