Search moodle.org's
Developer Documentation
Developer Documentation
- Bug fixes for general core bugs in 3.11.x will end 14 Nov 2022 (12 months plus 6 months extension).
- Bug fixes for security issues in 3.11.x will end 13 Nov 2023 (18 months plus 12 months extension).
- PHP version: minimum PHP 7.3.0 Note: minimum PHP version has increased since Moodle 3.10. PHP 7.4.x is supported too.
/lib/classes/files/ -> curl_security_helper.php (source)
Differences Between: [Versions 310 and 311] [Versions 39 and 311]
Contains a class providing functions used to check the allowed/blocked host/ports for curl.
| Author: | Jake Dallimore <jrhdallimore@gmail.com> |
| Copyright: | 2016 Jake Dallimore |
| License: | http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later |
| File Size: | 294 lines (12 kb) |
| Included or required: | 0 times |
| Referenced: | 0 times |
| Includes or requires: | 0 files |
Defines 1 class
curl_security_helper:: (11 methods):
url_is_blocked()
get_blocked_url_string()
host_is_blocked()
get_host_list_by_name()
port_is_blocked()
is_enabled()
address_explicitly_blocked()
host_explicitly_blocked()
get_blocked_hosts_by_category()
get_allowed_ports()
get_blocked_hosts()
Class: curl_security_helper - X-Ref
Host and port checking for curl.This class provides a means to check URL/host/port against the system-level cURL security entries.
It does not provide a means to add URLs, hosts or ports to the allowed/blocked lists; this is configured manually
via the site admin section of Moodle (See: 'Site admin' > 'Security' > 'HTTP Security').
This class is currently used by the 'curl' wrapper class in lib/filelib.php.
Depends on:
core\ip_utils (several functions)
moodlelib (clean_param)
| url_is_blocked($urlstring, $notused = null) X-Ref |
| Checks whether the given URL is blocked by checking its address and port number against the allow/block lists. The behaviour of this function can be classified as strict, as it returns true for URLs which are invalid or could not be parsed, as well as those valid URLs which were found in the blocklist. param: string $urlstring the URL to check. param: int $notused There used to be an optional parameter $maxredirects for a short while here, not used any more. return: bool true if the URL is blocked or invalid and false if the URL is not blocked. |
| get_blocked_url_string() X-Ref |
| Returns a string message describing a blocked URL. E.g. 'This URL is blocked'. return: string the string error. |
| host_is_blocked($host) X-Ref |
| Checks whether the host portion of a url is blocked. The host portion may be a FQDN, IPv4 address or a IPv6 address wrapped in square brackets, as per standard URL notation. E.g. images.example.com 127.0.0.1 [0.0.0.0.0.0.0.1] The method logic is as follows: 1. Check the host component against the list of IPv4/IPv6 addresses and ranges. - This will perform a DNS forward lookup if required. 2. Check the host component against the list of domain names and wildcard domain names. - This will perform a DNS reverse lookup if required. The behaviour of this function can be classified as strict, as it returns true for hosts which are invalid or could not be parsed, as well as those valid URLs which were found in the blocklist. param: string $host the host component of the URL to check against the blocklist. return: bool true if the host is both valid and blocked, false otherwise. |
| get_host_list_by_name($host) X-Ref |
| Retrieve all hosts for a domain name. param: string $param return: array An array of IPs associated with the host name. |
| port_is_blocked($port) X-Ref |
| Checks whether the given port is blocked, as determined by its absence on the ports allowlist. Ports are assumed to be blocked unless found in the allowlist. param: integer|string $port the port to check against the ports allowlist. return: bool true if the port is blocked, false otherwise. |
| is_enabled() X-Ref |
| Convenience method to check whether we have any entries in the host blocklist or ports allowlist admin settings. If no entries are found at all, the assumption is that the blocklist is disabled entirely. return: bool true if one or more entries exist, false otherwise. |
| address_explicitly_blocked($addr) X-Ref |
| Checks whether the input address is blocked by at any of the IPv4 or IPv6 address rules. param: string $addr the ip address to check. return: bool true if the address is covered by an entry in the blocklist, false otherwise. |
| host_explicitly_blocked($host) X-Ref |
| Checks whether the input hostname is blocked by any of the domain/wildcard rules. param: string $host the hostname to check return: bool true if the host is covered by an entry in the blocklist, false otherwise. |
| get_blocked_hosts_by_category() X-Ref |
| Helper to get all entries from the admin setting, as an array, sorted by classification. Classifications include 'ipv4', 'ipv6', 'domain', 'domainwildcard'. return: array of host/domain/ip entries from the 'curlsecurityblockedhosts' config. |
| get_allowed_ports() X-Ref |
| Helper that returns the allowed ports, as defined in the 'curlsecurityallowedport' setting. return: array the array of allowed ports. |
| get_blocked_hosts() X-Ref |
| Helper that returns the blocked hosts, as defined in the 'curlsecurityblockedhosts' setting. return: array the array of blocked host entries. |
