MDL-36903 Verify the SSL certificate of available updates provider

From now on, Moodle verifies the available updates provider server. To make it work, either there must be a valid CA certificate available in the operating system, or the administrator has to upload the valid CA certificate to moodledata/moodleorgca.crt (PEM format) file manually.
2025-04-21 00:12:56 +02:00 · 2012-11-30 11:46:19 +01:00 · 2012-11-30 11:46:19 +01:00 · 4785c45dd8
commit 4785c45dd8
parent 47dfbd9eb3
2 changed files with 30 additions and 1 deletions
--- a/lang/en/plugin.php
+++ b/lang/en/plugin.php
@ -30,7 +30,9 @@ $string['availability'] = 'Availability';
 $string['checkforupdates'] = 'Check for available updates';
 $string['checkforupdateslast'] = 'Last check done on {$a}';
 $string['displayname'] = 'Plugin name';
+$string['err_response_curl'] = 'Unable to fetch available updates data - unexpected cURL error.';
 $string['err_response_format_version'] = 'Unexpected version of the response format. Please try to re-check for available updates.';
+$string['err_response_http_code'] = 'Unable to fetch available updates data - unexpected HTTP response code.';
 $string['filterall'] = 'Show all';
 $string['filtercontribonly'] = 'Show contributions only';
 $string['filtercontribonlyactive'] = 'Showing contributions only';
--- a/lib/pluginlib.php
+++ b/lib/pluginlib.php
@ -826,7 +826,11 @@ class available_update_checker {
        require_once($CFG->libdir.'/filelib.php');

        $curl = new curl(array('proxy' => true));
-        $response = $curl->post($this->prepare_request_url(), $this->prepare_request_params());
+        $response = $curl->post($this->prepare_request_url(), $this->prepare_request_params(), $this->prepare_request_options());
+        $curlerrno = $curl->get_errno();
+        if (!empty($curlerrno)) {
+            throw new available_update_checker_exception('err_response_curl', 'cURL error '.$curlerrno.': '.$curl->error);
+        }
        $curlinfo = $curl->get_info();
        if ($curlinfo['http_code'] != 200) {
            throw new available_update_checker_exception('err_response_http_code', $curlinfo['http_code']);
@ -1069,6 +1073,29 @@ class available_update_checker {
        return $params;
    }

+    /**
+     * Returns the list of cURL options to use when fetching available updates data
+     *
+     * @return array of (string)param => (string)value
+     */
+    protected function prepare_request_options() {
+        global $CFG;
+
+        $options = array(
+            'CURLOPT_SSL_VERIFYHOST' => 2,      // this is the default in {@link curl} class but just in case
+            'CURLOPT_SSL_VERIFYPEER' => true,
+        );
+
+        $cacertfile = $CFG->dataroot.'/moodleorgca.crt';
+        if (is_readable($cacertfile)) {
+            // Do not use CA certs provided by the operating system. Instead,
+            // use this CA cert to verify the updates provider.
+            $options['CURLOPT_CAINFO'] = $cacertfile;
+        }
+
+        return $options;
+    }
+
    /**
     * Returns the current timestamp
     *