MDL-61143 core_files: Don't append dot when checking domain names or IP addresses.

Previously we appended a dot to the end of IP addresses and domain names in the
cURL security helper, but that causes issues with Google OAuth, so this patch removes it.
Cameron Ball 2018-01-10 14:57:29 +08:00 committed by Andrew Nicols
parent 6d019541ad
commit 9aa776a848


@ -136,11 +136,7 @@ class curl_security_helper extends curl_security_helper_base {
// Only perform a reverse lookup if there is a point to it (i.e. we have rules to check against).
if ($blacklistedhosts['domain'] || $blacklistedhosts['domainwildcard']) {
// DNS reverse lookup - supports both IPv4 and IPv6 address formats.
$hostname = gethostbyaddr(
// The nature of DNS resolution means that if the hostname could not be found, the current search path
// is then appended - so foo may become foo.example.com if your search path contains example.com.
$host . substr($host, -1) !== '.' ? '.' : ''
);
$hostname = gethostbyaddr($host);
if ($hostname !== $host && $this->host_explicitly_blocked($hostname)) {
return true;
}
@ -153,11 +149,7 @@ class curl_security_helper extends curl_security_helper_base {
// Only perform a forward lookup if there are IP rules to check against.
if ($blacklistedhosts['ipv4'] || $blacklistedhosts['ipv6']) {
// DNS forward lookup - returns a list of only IPv4 addresses!
$hostips = $this->get_host_list_by_name(
// The nature of DNS resolution means that if the hostname could not be found, the current search path
// is then appended - so foo may become foo.example.com if your search path contains example.com.
$host . substr($host, -1) !== '.' ? '.' : ''
);
$hostips = $this->get_host_list_by_name($host);
// If we don't get a valid record, bail (so cURL is never called).
if (!$hostips) {