Type: Improvement
Resolution: Fixed
Priority: Minor
Affects Version/s: 4.0.5, 4.1
Affected Branches: MOODLE_400_STABLE, MOODLE_401_STABLE
Fixed Branches: MOODLE_402_STABLE
Pull Master Branch: MDL-76755-master
Sprint: Team Hedgehog Sprint 2.1
Since Moodle 4.x there is a default blocked-hosts list that filters outgoing URL GET requests, configured through Site administration -> General -> Security -> HTTP security. The default list is as follows:
127.0.0.1
192.168.0.0/16
10.0.0.0/8
172.16.0.0/12
0.0.0.0
localhost
169.254.169.254
0000::1
While it does a good job of filtering out the usual private and local networks, and thus the common SSRF targets, it misses one case: 127.0.0.1 is not always enough to block access to localhost, because on most operating systems the entire 127.0.0.0/8 range is routed to the loopback interface.
We should therefore improve the default values by replacing 127.0.0.1 with 127.0.0.0/8.
Don't hesitate to ask if you require more information.
Additional information
- These are defaults only and are designed to cover common scenarios "out of the box" (before 4.0 no defaults were specified). Updating them is therefore considered an improvement.
- This change should modify the default, but not the value already set on existing sites, since we cannot make assumptions about how they use IP ranges that are not covered by their blocked-hosts config (they may have a valid use case where they intentionally allow access to something in this range).
- Once this lands, we should raise a follow-up issue as a backport request, because it would be good to improve the defaults on 4.0 and 4.1 as well.
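To confirm the gap described above, here is an added Python check (not Moodle's own code, which is PHP) that applies the old and proposed default lists to a few loopback addresses. `parse_entry`, `is_blocked` and `loopback_gap` are hypothetical helpers written for this illustration, and the probe addresses are constructed.

```python
import ipaddress

# The shipped default list quoted in this issue, and the proposed replacement
# (127.0.0.1 swapped for 127.0.0.0/8). Both are reproduced here as test data.
OLD_DEFAULT = ["127.0.0.1", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
               "0.0.0.0", "localhost", "169.254.169.254", "0000::1"]
NEW_DEFAULT = ["127.0.0.0/8"] + OLD_DEFAULT[1:]


def parse_entry(entry):
    """Classify one list entry: ('net', ip_network) for an IP or CIDR,
    ('host', name) for anything that does not parse as an address."""
    try:
        # strict=False accepts host bits, so "127.0.0.1" becomes 127.0.0.1/32.
        return ("net", ipaddress.ip_network(entry, strict=False))
    except ValueError:
        return ("host", entry.lower())


def is_blocked(target, blocked_entries):
    """Simplified (hypothetical) check: is `target`, an IP literal or a
    hostname, matched by the blocked-hosts list? Moodle's real check also
    resolves hostnames before comparing; here only literals are compared."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None  # not an IP literal, treat it as a hostname
    for kind, value in map(parse_entry, blocked_entries):
        if kind == "host" and addr is None and target.lower() == value:
            return True
        # `in` returns False for an IPv4 address against an IPv6 network.
        if kind == "net" and addr is not None and addr in value:
            return True
    return False


def loopback_gap(blocked_entries,
                 probes=("127.0.0.1", "127.0.0.2", "127.10.20.30")):
    """Return the loopback probes (constructed) that the list fails to block."""
    return [p for p in probes if not is_blocked(p, blocked_entries)]


if __name__ == "__main__":
    print("old default misses:", loopback_gap(OLD_DEFAULT))
    print("new default misses:", loopback_gap(NEW_DEFAULT))
```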
Issue links: has a non-specific relationship to MDL-56873 "Set more secure defaults for the cURL allow/deny lists" (Closed)