[MDL-76370] Public / private paths security report is inaccurate when using HTTP proxy - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.9.18, 3.11.11, 4.0.5
Fix Version/s: 4.0.7, 4.1.2
Component/s: Administration
Labels:

Affected Branches:
MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
Fixed Branches:
MOODLE_400_STABLE, MOODLE_401_STABLE
Pull from Repository:
https://github.com/jaydn/moodle
Pull 4.0 Branch:
~~MDL-76370~~-publicpaths-proxying-MOODLE_400_STABLE
Pull 4.0 Diff URL:
https://github.com/moodle/moodle/compare/MOODLE_400_STABLE...jaydn:moodle:MDL-76370-publicpaths-proxying-MOODLE_400_STABLE
Pull 4.1 Branch:
~~MDL-76370~~-publicpaths-proxying-MOODLE_401_STABLE
Pull 4.1 Diff URL:
https://github.com/moodle/moodle/compare/MOODLE_401_STABLE...jaydn:moodle:MDL-76370-publicpaths-proxying-MOODLE_401_STABLE
Pull Master Branch:
~~MDL-76370~~-publicpaths-proxying
Pull Master Diff URL:
https://github.com/moodle/moodle/compare/master...jaydn:moodle:MDL-76370-publicpaths-proxying
Testing Instructions:
Hide

Setup a Squid HTTP proxy

Use this squid.conf to allow any traffic out

http_access allow all

http_port 3128

docker run -p 3128:3128 -v /path/to/squid.conf:/etc/squid/squid.conf ubuntu/squid:5.2-22.04_beta

Configure Moodle

Configure a wwwroot that is https

$CFG->wwwroot = 'https://yoursite';

Set proxy like this

$CFG->proxyhost = 'yoursquid';

$CFG->proxyport = 3128;

$CFG->proxytype = 'HTTP';

Browse to https://yoursite/report/security/index.php?detail=core_publicpaths

Confirm that "doesnotexist" row does not show a 200 in "Actual" column
Show
Setup a Squid HTTP proxy Use this squid.conf to allow any traffic out http_access allow all http_port 3128 docker run -p 3128 : 3128 -v /path/to/squid.conf:/etc/squid/squid.conf ubuntu/squid: 5.2 - 22 .04_beta Configure Moodle Configure a wwwroot that is https $CFG ->wwwroot = 'https://yoursite' ; Set proxy like this $CFG ->proxyhost = 'yoursquid' ; $CFG ->proxyport = 3128; $CFG ->proxytype = 'HTTP' ; Browse to https://yoursite/report/security/index.php?detail=core_publicpaths Confirm that "doesnotexist" row does not show a 200 in "Actual" column

Description

Admin -> reports -> security report's core_publicpaths security check will misinterpret the CONNECT response of an outbound HTTP proxy as the destination's response

You can reproduce by setting a HTTP proxy, tested against squid but should apply to all, like so:

$CFG->proxyhost = 'outbound-proxy';

$CFG->proxyport = 3128;

$CFG->proxytype = 'HTTP';

And loading the "Check all public / private paths" security check
Note that every path shows a 200 no matter what the real response is

This happens because the response, coming back from curl, looks like this:

HTTP/1.1 200 Connection established

HTTP/1.1 404 Not Found

And the code from line 233 on publicpaths.php just grabs the first line of response

This can be fixed by using CURLOPT_SUPPRESS_CONNECT_HEADERS to make the first line the destination's response

I did this in the form of adding `'suppress_connect_headers' => true` to line 214 of same file and confirmed report is now accurate

In my testing and per curl docs this does not have any effect if a HTTP proxy is not used in that particular curl handle so should be safe to do so even without a proxy set

Cheers

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

(I) Passed -- (400)MDL-76370.png
08/Feb/23 1:02 PM
100 kB
Kim Jared Lucas
(I) Passed -- (401)MDL-76370.png
08/Feb/23 1:02 PM
103 kB
Kim Jared Lucas
(I) Passed -- (Master)MDL-76370.png
08/Feb/23 1:02 PM
97 kB
Kim Jared Lucas

Issue Links

has been marked as being related by

MDL-77137 curl multi method does not honour proxybypass option

Waiting for peer review

Activity

People

Assignee:: Jaydn Cunningham

Reporter:: Jaydn Cunningham

Peer reviewer:: Brendan Heywood

Integrator:: Paul Holden

Tester:: Kim Jared Lucas

Participants:: Brendan Heywood, CiBoT, Eloy Lafuente (stronk7), Jaydn Cunningham, Jun Pataleta, Kim Jared Lucas, Paul Holden, Simey Lameze

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 1 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 18/Nov/22 3:52 PM

Updated:: 10/Mar/23 2:50 AM

Resolved:: 10/Feb/23 11:18 PM

Fix Release Date:: 13/Mar/23

Time Tracking

Estimated:

Remaining:

Logged:

3h 22m