/**
  * Checks whether the given URL is blacklisted by checking its address and port number against the black/white lists.
  * The behaviour of this function can be classified as strict, as it returns true for URLs which are invalid or
  * could not be parsed, as well as those valid URLs which were found in the blacklist.
  *
  * @param string $urlstring the URL to check.
  * @return bool true if the URL is blacklisted, invalid, or has no usable host or port; false if it is not blacklisted or if no security config is present.
  */
 public function url_is_blocked($urlstring)
 {
     // Without any config data there is nothing to enforce, so every host/port is allowed.
     // NOTE(review): this is the only path that returns false without inspecting the URL.
     if (!$this->is_enabled()) {
         return false;
     }

     // Pull out the scheme, host and port. moodle_url throws a moodle_exception for an
     // invalid $urlstring; that case fails closed and is reported as blocked.
     try {
         $url = new \moodle_url($urlstring);
         $scheme = $url->get_scheme();
         $host = $url->get_host();
         $port = $url->get_port();
     } catch (\moodle_exception $e) {
         return true;
     }

     // An explicit port in the URL is uncommon; when it is absent, fall back to the
     // port registered for the scheme in $this->transportschemes (if the scheme is known).
     $schemeisknown = $scheme && isset($this->transportschemes[$scheme]);
     if (!$port && $schemeisknown) {
         $port = $this->transportschemes[$scheme];
     }

     // Fail closed: a URL with no usable host, or with no port that could be determined
     // (for example an unsupported scheme), is treated as blocked rather than let through.
     if (!$port || !$host) {
         return true;
     }

     // Both checks run on the parsed components; a hit on either list blocks the URL.
     return $this->host_is_blocked($host) || $this->port_is_blocked($port);
 }
 /**
  * Test that moodle_url::get_host() returns only the host component of a URL.
  */
 public function test_moodle_url_get_host()
 {
     // The port, path and query string must not leak into the returned host.
     $subject = new moodle_url('http://www.example.org:447/my/file/is/here.txt?really=1');
     $actualhost = $subject->get_host();
     $this->assertSame('www.example.org', $actualhost);
 }
 /**
  * Test a curl basic request with security enabled.
  */
 public function test_curl_basics_with_security_helper()
 {
     $this->resetAfterTest();

     // Scenario 1: default security helper with a hostname filter.
     // Put the external test file's own host on the blocked-hosts setting.
     $testhtml = $this->getExternalTestFileUrl('/test.html');
     $parsedtarget = new moodle_url($testhtml);
     $blockedhost = $parsedtarget->get_host();
     set_config('curlsecurityblockedhosts', $blockedhost);

     // A curl created with no options uses the default security helper, so the request
     // must come back as the helper's "blocked" string instead of the page.
     $curl = new curl();
     $body = $curl->get($testhtml);
     $blockedmessage = $curl->get_security()->get_blocked_url_string();
     $this->assertSame($blockedmessage, $body);
     // A blocked request still reports errno 0: the block is only visible in the returned
     // body, so a caller cannot detect it through get_errno().
     $this->assertSame(0, $curl->get_errno());

     // Scenario 2: the 'ignoresecurity' override.
     // The request is expected to go through even though the admin setting above is still set,
     // i.e. the override switches the blocklist check off for this curl instance.
     $curl = new curl(['ignoresecurity' => true]);
     $body = $curl->get($testhtml);
     // The md5 here only fingerprints the known fixture content; it is not a security control.
     $fingerprint = md5($body);
     $this->assertSame('47250a973d1b88d9445f94db4ef2c97a', $fingerprint);
     $this->assertSame(0, $curl->get_errno());

     // Scenario 3: an injected security helper replaces the default one.
     $mockhelper = $this->getMockBuilder('\\core\\files\\curl_security_helper')->getMock();
     // The mock answers with its own blocked string...
     $mockhelper->expects($this->any())->method('get_blocked_url_string')->will($this->returnValue('You shall not pass'));
     // ...and blocks every URL, regardless of what the config says.
     $mockhelper->expects($this->any())->method('url_is_blocked')->will($this->returnValue(true));

     $curl = new curl(['securityhelper' => $mockhelper]);
     $body = $curl->get($testhtml);
     // The injected helper's string is what curl exposes and what the request returns.
     $injectedmessage = $curl->get_security()->get_blocked_url_string();
     $this->assertSame('You shall not pass', $injectedmessage);
     $this->assertSame($curl->get_security()->get_blocked_url_string(), $body);
 }