Merge branch 'MDL-56873-master' of git://github.com/mickhawkins/moodle

2025-04-14 04:52:36 +02:00 · 2021-06-16 23:30:26 +02:00 · 2021-06-16 23:30:26 +02:00 · 9395d24ca9
commit 9395d24ca9
parent fb61c1d930 18a7f0134d
3 changed files with 27 additions and 4 deletions
--- a/admin/settings/security.php
+++ b/admin/settings/security.php
@ -154,12 +154,27 @@ if ($hassiteconfig) { // speedup for non-admins, add all caps used on this page
    $temp->add(new admin_setting_configcheckbox('allowframembedding', new lang_string('allowframembedding', 'admin'), new lang_string('allowframembedding_help', 'admin'), 0));

    // Settings elements used by the \core\files\curl_security_helper class.
+    $blockedhostsdefault = [
+        '127.0.0.1',
+        '192.168.0.0/16',
+        '10.0.0.0/8',
+        '172.16.0.0/12',
+        '0.0.0.0',
+        'localhost',
+        '169.254.169.254',
+        '0000::1',
+    ];
+    $allowedportsdefault = ['443', '80'];
+
+    // By default, block various common internal network or cloud provider hosts.
    $temp->add(new admin_setting_configmixedhostiplist('curlsecurityblockedhosts',
-               new lang_string('curlsecurityblockedhosts', 'admin'),
-               new lang_string('curlsecurityblockedhostssyntax', 'admin'), ""));
+        new lang_string('curlsecurityblockedhosts', 'admin'),
+        new lang_string('curlsecurityblockedhostssyntax', 'admin'), implode(PHP_EOL, $blockedhostsdefault)));
+
+    // By default, only allow web ports.
    $temp->add(new admin_setting_configportlist('curlsecurityallowedport',
-               new lang_string('curlsecurityallowedport', 'admin'),
-               new lang_string('curlsecurityallowedportsyntax', 'admin'), ""));
+        new lang_string('curlsecurityallowedport', 'admin'),
+        new lang_string('curlsecurityallowedportsyntax', 'admin'), implode(PHP_EOL, $allowedportsdefault)));

    // HTTP Header referrer policy settings.
    $referreroptions = [
--- a/lib/behat/classes/util.php
+++ b/lib/behat/classes/util.php
@ -125,6 +125,10 @@ class behat_util extends testing_util {
        // Set noreplyaddress to an example domain, as it should be valid email address and test site can be a localhost.
        set_config('noreplyaddress', 'noreply@example.com');

+        // Remove any default blocked hosts and port restrictions, to avoid blocking tests (eg those using local files).
+        set_config('curlsecurityblockedhosts', '');
+        set_config('curlsecurityallowedport', '');
+
        // Keeps the current version of database and dataroot.
        self::store_versions_hash();

--- a/lib/phpunit/classes/util.php
+++ b/lib/phpunit/classes/util.php
@ -467,6 +467,10 @@ class phpunit_util extends testing_util {
        // Disable all logging for performance and sanity reasons.
        set_config('enabled_stores', '', 'tool_log');

+        // Remove any default blocked hosts and port restrictions, to avoid blocking tests (eg those using local files).
+        set_config('curlsecurityblockedhosts', '');
+        set_config('curlsecurityallowedport', '');
+
        // We need to keep the installed dataroot filedir files.
        // So each time we reset the dataroot before running a test, the default files are still installed.
        self::save_original_data_files();