Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-83979

Repository url should always use proxy

XMLWordPrintable

    • MOODLE_404_STABLE, MOODLE_405_STABLE, MOODLE_500_STABLE
    • MDL-83979-url-always-proxy-MOODLE_404_STABLE
    • MDL-83979-url-always-proxy-MOODLE_405_STABLE
    • MDL-83979-url-always-proxy
    • Hide
      Setup on Ubuntu
      1. Install a squid proxy server 

        sudo apt update && sudo apt install -y squid

      2. Tail the squid server's access logs. You'll need this later for testing e.g. 

        tail -f /var/log/squid/access.log

      Setup using Docker (e.g. for Mac users)
      1. Download this default squid.conf file to your computer. Take note of its path.
      2. Run an ubuntu/squid container using Docker. Replace "</path/to/your/local/squid.conf>" with the actual path to the squid.conf file that you downloaded earlier. 

        docker run -d --name squid-container -e TZ=UTC -p 3128:3128 -v </path/to/your/local/squid.conf>:/etc/squid/squid.conf ubuntu/squid:5.2-22.04_beta

      3. Tail the squid server's access logs: 

        docker logs -f squid-container

      Test
      1. Add the following configuration in your instance's config.php: 

        $CFG->proxyhost = 'localhost';
        		 
        $CFG->proxyport = 3128;
        		 
        $CFG->proxytype = 'HTTP';
        		 
        $CFG->proxybypass = '';
        		 
        $CFG->curlsecurityblockedhosts = '';
        		 
        $CFG->curlsecurityallowedport = '';

      2. As a user, log in and visit /user/files.php
      3. Open the file picker.
      4. Select URL downloader
      5. Enter http://127.0.0.1/ and press Download.
      6. Confirm you do NOT see 'Failed to connect to 127.0.0.1 port 80 after 0 ms: Connection refused'
      7. Observe the squid access log on your terminal.
      8. Confirm that you see an activity being logged on the squid proxy server.
        • Note: If your squid proxy server is configured okay, it may list the files on your server. If not, you'll most likely get a "HTTP/1.1 503 Service Unavailable" error. Regardless, what's important here is that we can confirm the request is being sent through the squid proxy server by seeing the squid access log being updated whenever we try to use the URL downloader repository.
      9. Close the file picker.
      10. Edit your config.php and change the value of "$CFG->proxybypass" to 

        $CFG->proxybypass = '127.0.0.1';

      11. Open the file picker again and select URL downloader.
      12. Enter http://127.0.0.1/ and press Download.
      13. Confirm that you still see activity being logged on the squid proxy server.
      Show
      Setup on Ubuntu Install a squid proxy server sudo apt update && sudo apt install -y squid Tail the squid server's access logs. You'll need this later for testing e.g. tail -f /var/log/squid/access.log Setup using Docker (e.g. for Mac users) Download this default squid.conf file to your computer. Take note of its path. Run an ubuntu/squid container using Docker. Replace " </path/to/your/local/squid.conf> " with the actual path to the squid.conf file that you downloaded earlier. docker run -d --name squid-container -e TZ=UTC -p 3128:3128 - v < /path/to/your/local/squid .conf>: /etc/squid/squid .conf ubuntu /squid :5.2-22.04_beta Tail the squid server's access logs: docker logs -f squid-container Test Add the following configuration in your instance's config.php: $CFG ->proxyhost = 'localhost' ; $CFG ->proxyport = 3128; $CFG ->proxytype = 'HTTP' ; $CFG ->proxybypass = '' ; $CFG ->curlsecurityblockedhosts = '' ; $CFG ->curlsecurityallowedport = '' ; As a user, log in and visit /user/files.php Open the file picker. Select URL downloader Enter http://127.0.0.1/ and press Download. Confirm you do NOT see 'Failed to connect to 127.0.0.1 port 80 after 0 ms: Connection refused' Observe the squid access log on your terminal. Confirm that you see an activity being logged on the squid proxy server. Note: If your squid proxy server is configured okay, it may list the files on your server. If not, you'll most likely get a " HTTP/1.1 503 Service Unavailable " error. Regardless, what's important here is that we can confirm the request is being sent through the squid proxy server by seeing the squid access log being updated whenever we try to use the URL downloader repository. Close the file picker. Edit your config.php and change the value of " $CFG->proxybypass " to $CFG ->proxybypass = '127.0.0.1' ; Open the file picker again and select URL downloader. Enter http://127.0.0.1/ and press Download. Confirm that you still see activity being logged on the squid proxy server.
    • Hide

      Code verified against automated checks.

      Checked MDL-83979 using repository: https://github.com/brendanheywood/moodle

      More information about this report

      Built on: Thu Dec 19 05:46:12 AM UTC 2024

      Show
      Code verified against automated checks. Checked MDL-83979 using repository: https://github.com/brendanheywood/moodle main (0 errors / 0 warnings) [branch: MDL-83979-url-always-proxy | CI Job ] More information about this report Built on: Thu Dec 19 05:46:12 AM UTC 2024
    • Hide

      Launching automatic jobs for branch MDL-83979-url-always-proxy

      Built on: Wed Dec 11 02:25:16 PM UTC 2024

      Show
      Launching automatic jobs for branch MDL-83979 -url-always-proxy https://ci.moodle.org/view/Testing/job/DEV.02%20-%20Developer-requested%20PHPUnit/17705/ PHPUnit (sqlsrv) https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/60291/ Behat (NonJS - boost and classic) https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/60292/ Behat (Firefox - boost) https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/60293/ Behat (Firefox - classic) https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/60294/ App tests (stable app version) Built on: Wed Dec 11 02:25:16 PM UTC 2024

      The repository url is by definition grabbing the contents of a url on behalf of a user so the data can't be trusted. If a site has a proxy then at the moment it honors proxybypass to decide if to use the proxy or not, but proxybypass is potentially susceptible to dns rebind attacks as well as simply being mis configured. We'd had this appear on a couple pen tests and it's always been minor but it keeps coming up so worth fixing.

        1. result.png
          result.png
          301 kB

            brendanheywood Brendan Heywood
            brendanheywood Brendan Heywood
            Jaydn Cunningham Jaydn Cunningham
            Jun Pataleta Jun Pataleta
            Stevani Andolo Stevani Andolo
            Votes:
            3 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 5 hours, 12 minutes
                5h 12m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.