/** * Test a curl basic request with security enabled. */ public function test_curl_basics_with_security_helper() { $this->resetAfterTest(); // Test a request with a basic hostname filter applied. $testhtml = $this->getExternalTestFileUrl('/test.html'); $url = new moodle_url($testhtml); $host = $url->get_host(); set_config('curlsecurityblockedhosts', $host); // Blocks $host. // Create curl with the default security enabled. We expect this to be blocked. $curl = new curl(); $contents = $curl->get($testhtml); $expected = $curl->get_security()->get_blocked_url_string(); $this->assertSame($expected, $contents); $this->assertSame(0, $curl->get_errno()); // Now, create a curl using the 'ignoresecurity' override. // We expect this request to pass, despite the admin setting having been set earlier. $curl = new curl(['ignoresecurity' => true]); $contents = $curl->get($testhtml); $this->assertSame('47250a973d1b88d9445f94db4ef2c97a', md5($contents)); $this->assertSame(0, $curl->get_errno()); // Now, try injecting a mock security helper into curl. This will override the default helper. $mockhelper = $this->getMockBuilder('\\core\\files\\curl_security_helper')->getMock(); // Make the mock return a different string. $mockhelper->expects($this->any())->method('get_blocked_url_string')->will($this->returnValue('You shall not pass')); // And make the mock security helper block all URLs. This helper instance doesn't care about config. $mockhelper->expects($this->any())->method('url_is_blocked')->will($this->returnValue(true)); $curl = new curl(['securityhelper' => $mockhelper]); $contents = $curl->get($testhtml); $this->assertSame('You shall not pass', $curl->get_security()->get_blocked_url_string()); $this->assertSame($curl->get_security()->get_blocked_url_string(), $contents); }