MDL-78311 core: fix host parameter type cleaning by IPv4 address.

2025-01-29 19:50:14 +01:00 · 2023-11-27 10:30:53 +00:00 · 2023-11-27 10:30:53 +00:00 · a767e0a78c
commit a767e0a78c
parent f30110b5eb
2 changed files with 35 additions and 21 deletions
--- a/lib/classes/param.php
+++ b/lib/classes/param.php
@ -18,6 +18,7 @@ namespace core;

 use coding_exception;
 use core_text;
+use core\ip_utils;
 use invalid_parameter_exception;
 use moodle_exception;

@ -992,27 +993,7 @@ enum param: string {
     */
    protected function clean_param_value_host(mixed $param): string {
        // Allow FQDN or IPv4 dotted quad.
-        $param = preg_replace('/[^\.\d\w-]/', '', (string)$param);
-        // Match ipv4 dotted quad.
-        if (preg_match('/(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/', $param, $match)) {
-            // Confirm values are ok.
-            if (
-                $match[0] > 255
-                || $match[1] > 255
-                || $match[3] > 255
-                || $match[4] > 255
-            ) {
-                // Hmmm, what kind of dotted quad is this?
-                $param = '';
-            }
-        } else if (
-            preg_match('/^[\w\d\.-]+$/', $param) // Dots, hyphens, numbers.
-            && !preg_match('/^[\.-]/', $param) // No leading dots/hyphens.
-            && !preg_match('/[\.-]$/', $param) // No trailing dots/hyphens.
-        ) {
-            // All is ok - $param is respected.
-        } else {
-            // All is not ok...
+        if (!ip_utils::is_domain_name($param) && !ip_utils::is_ipv4_address($param)) {
            $param = '';
        }
        return $param;
--- a/lib/tests/moodlelib_test.php
+++ b/lib/tests/moodlelib_test.php
@ -581,6 +581,39 @@ class moodlelib_test extends \advanced_testcase {
        $this->assertSame('', clean_param(null, PARAM_TEXT));
    }

+    /**
+     * Data provider for {@see test_clean_param_host}
+     *
+     * @return array
+     */
+    public static function clean_param_host_provider(): array {
+        return [
+            'Valid (low octets)' => ['0.0.0.0', '0.0.0.0'],
+            'Valid (high octets)' => ['255.255.255.255', '255.255.255.255'],
+            'Invalid first octet' => ['256.1.1.1', ''],
+            'Invalid second octet' => ['1.256.1.1', ''],
+            'Invalid third octet' => ['1.1.256.1', ''],
+            'Invalid fourth octet' => ['1.1.1.256', ''],
+            'Valid host' => ['moodle.org', 'moodle.org'],
+            'Invalid host' => ['.example.com', ''],
+        ];
+    }
+
+    /**
+     * Testing cleaning parameters with PARAM_HOST
+     *
+     * @param string $param
+     * @param string $expected
+     *
+     * @dataProvider clean_param_host_provider
+     *
+     * @covers \core\param
+     * @covers \clean_param
+     */
+    public function test_clean_param_host(string $param, string $expected): void {
+        $this->assertEquals($expected, clean_param($param, PARAM_HOST));
+    }
+
    /**
     * @covers \core\param
     * @covers \clean_param