Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-76755

Improve default coverage of "cURL blocked hosts list" by including 127.0.0.0/8

XMLWordPrintable

    • MOODLE_400_STABLE, MOODLE_401_STABLE
    • MOODLE_402_STABLE
    • MDL-76755-master
    • Hide

      Setup additional loopback

      To test this thoroughly you will need 127.0.0.1 and at least one other local loopback address available.

      If you're on MacOS, you may need to set another loopback. This can be done with: 

       

      sudo ifconfig lo0 alias 127.0.0.2 up

       

      Test that 127.0.0.2 is resolving by using ping 127.0.02  in your terminal.

      When you are finished testing you can remove the loopback with:

      sudo ifconfig lo0 -alias 127.0.0.2

      Setup file

      1. Copy the attached dog.jpeg file to your directory folder, where 127.0.0.1 and 127.0.0.2 both resolve. 
      2. Check it is resolving by going to http://127.0.0.1/dog.jpeg and http://127.0.0.2/dog.jpeg in your browser.

      Testing new default value

      1. Login as Admin
      2. Go to Site admin -> Security -> HTTP security
      3. Locate cURL blocked hosts list and CONFIRM that the default values read:
        127.0.0.0/8
        192.168.0.0/16
        10.0.0.0/8
        172.16.0.0/12
        0.0.0.0
        localhost
        169.254.169.254
        0000::1 

      Testing blocked hosts

      1. Login as Admin
      2. Click your avatar icon in the top-right of the screen and choose 'Private files'
      3. Click the 'File picker' icon
      4. Click on 'URL downloader'
      5. In the URL field enter 'http://127.0.0.2/dog.jpeg'
      6. CONFIRM that you don't receive an error and that you can see the dog.jpeg file in the chooser. (This step just for contrasting the result in step #14).
      7. Go to Site admin -> Security -> HTTP security
      8. Locate 'cURL blocked hosts list' and copy and past the default values to be the actual values in the field.
      9. Saves changes.
      10. Go back to your private files
      11. Click the 'File picker' icon
      12. Click on 'URL downloader'
      13. In the URL field enter 'http://127.0.0.2/dog.jpeg'
      14. CONFIRM that you receive an error that says 'The URL is blocked.'
      Show
      Setup additional loopback To test this thoroughly you will need 127.0.0.1 and at least one other local loopback address available. If you're on MacOS, you may need to set another loopback. This can be done with:    sudo ifconfig lo0 alias 127.0 . 0.2 up   Test that 127.0.0.2 is resolving by using ping 127.0.02   in your terminal. When you are finished testing you can remove the loopback with: sudo ifconfig lo0 -alias 127.0 . 0.2 Setup file Copy the attached dog.jpeg file to your directory folder, where 127.0.0.1 and 127.0.0.2 both resolve.  Check it is resolving by going to http://127.0.0.1/dog.jpeg and http://127.0.0.2/dog.jpeg in your browser. Testing new default value Login as Admin Go to Site admin -> Security -> HTTP security Locate cURL blocked hosts list and CONFIRM that the default values read: 127.0.0.0/8 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 0.0.0.0 localhost 169.254.169.254 0000::1   Testing blocked hosts Login as Admin Click your avatar icon in the top-right of the screen and choose 'Private files' Click the 'File picker' icon Click on 'URL downloader' In the URL field enter ' http://127.0.0.2/dog.jpeg' CONFIRM that you don't receive an error and that you can see the dog.jpeg file in the chooser. (This step just for contrasting the result in step #14). Go to Site admin -> Security -> HTTP security Locate 'cURL blocked hosts list' and copy and past the default values to be the actual values in the field. Saves changes. Go back to your private files Click the 'File picker' icon Click on 'URL downloader' In the URL field enter ' http://127.0.0.2/dog.jpeg' CONFIRM that you receive an error that says 'The URL is blocked.'
    • 1
    • Team Hedgehog Sprint 2.1

      From Moodle 4.x you have set a default configuration filter for url GET requests through Site administration -> General -> Security -> HTTP security. The default filter is as below:

      127.0.0.1
      192.168.0.0/16
      10.0.0.0/8
      172.16.0.0/12
      0.0.0.0
      localhost
      169.254.169.254
      0000::1

      While it does a pretty good job filtering out possible local networks and thus SSRF, it misses one particular thing: 127.0.0.1 is not always enough to block access to localhost, because on most operating system 127.0.0.0/8 will lead to localhost.

      We should therefore improve the default values by replacing 127.0.0.1 with 127.0.0.0/8. 

      Don't hesitate to ask if you require more information. 

      Additional information

      1. These are defaults only and designed to help cover common scenarios "out of the box" (pre 4.0 there are no defaults specified). Therefore, updating this is considered an improvement.
      2. This change should modify the default, but not modify the value set on existing sites, since we cannot make assumptions about how they use IP ranges that aren't covered by their blocked hosts config (they may have a valid use case where they intentionally allow access to something in this range).
      3. Once this lands, we should raise a follow up issue as a backport request, because it would be great if we can can also improve the defaults on 4.0 and 4.1.

        1. blocked host.mp4
          2.57 MB
          Ron Carl Alfon Yu
        2. default values.png
          176 kB
          Ron Carl Alfon Yu
        3. dog.jpeg
          45 kB
          David Woloszyn
        4. result_1.png
          117 kB
          Huong Nguyen
        5. result_2.png
          106 kB
          Huong Nguyen
        6. result_3.png
          111 kB
          Huong Nguyen

            david.woloszyn@moodle.com David Woloszyn
            truff Sebastien Cantos
            Stevani Andolo Stevani Andolo
            Huong Nguyen Huong Nguyen
            Ron Carl Alfon Yu Ron Carl Alfon Yu
            Votes:
            0 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 6 hours
                6h

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.