/**
 * Decides whether a URL has to be refused, judging by its host and port and the configured block/allow lists.
 *
 * The check fails closed: a URL that cannot be parsed, or for which no host or no port can be determined,
 * is reported as blocked in the same way as a URL whose host or port matches a blocked entry.
 *
 * @param string $urlstring the URL to check.
 * @return bool true if the URL is blocked or invalid, false if the URL is not blocked.
 */
public function url_is_blocked($urlstring) {
    // When is_enabled() reports false (no config data present), every host and port is allowed.
    if (!$this->is_enabled()) {
        return false;
    }

    // Pull scheme, host and port out of the URL. An unparsable URL is treated as blocked.
    try {
        $url = new \moodle_url($urlstring);
        $scheme = $url->get_scheme();
        $host = $url->get_host();
        $port = $url->get_port();
    } catch (\moodle_exception $e) {
        // moodle_url throws a moodle_exception for an invalid $urlstring.
        return true;
    }

    // An explicit port is uncommon, so fall back to the port registered for the scheme.
    // The lookup is by exact key: a scheme that is not listed leaves the port empty and the URL ends up blocked.
    if (!$port && $scheme && isset($this->transportschemes[$scheme])) {
        $port = $this->transportschemes[$scheme];
    }

    // Without both a host and a port there is nothing to compare against the lists, so refuse.
    if (!$port || !$host) {
        return true;
    }

    // NOTE(review): only the host and port as written in the URL are examined here; whether the address the
    // host resolves to is also checked depends on host_is_blocked(), which is outside this block - confirm.
    return $this->host_is_blocked($host) || $this->port_is_blocked($port);
}
/**
 * get_host() must yield the host name alone, without scheme, port, path or query string.
 */
public function test_moodle_url_get_host() {
    $input = 'http://www.example.org:447/my/file/is/here.txt?really=1';
    $parsed = new moodle_url($input);

    $this->assertSame('www.example.org', $parsed->get_host());
}
/**
 * Runs basic curl requests with security enabled: the default filter, the 'ignoresecurity' override
 * and an injected replacement security helper.
 */
public function test_curl_basics_with_security_helper() {
    $this->resetAfterTest();

    // Put the host of the external test file on the blocked-hosts setting.
    $target = $this->getExternalTestFileUrl('/test.html');
    $blockedhost = (new moodle_url($target))->get_host();
    set_config('curlsecurityblockedhosts', $blockedhost);

    // Default curl instance: security is on, so the request is expected to be blocked.
    // A blocked request returns the helper's blocked-URL string as the body and leaves errno at 0.
    $client = new curl();
    $body = $client->get($target);
    $blockedmessage = $client->get_security()->get_blocked_url_string();
    $this->assertSame($blockedmessage, $body);
    $this->assertSame(0, $client->get_errno());

    // 'ignoresecurity' override: the request is expected to go through even though the admin setting
    // above is still in place, so code using this option needs a URL it already trusts.
    // The md5 value is only a fingerprint of the expected test file contents.
    $client = new curl(['ignoresecurity' => true]);
    $body = $client->get($target);
    $this->assertSame('47250a973d1b88d9445f94db4ef2c97a', md5($body));
    $this->assertSame(0, $client->get_errno());

    // Injected helper: a mock replaces the default security helper and does not look at config.
    $stub = $this->getMockBuilder('\\core\\files\\curl_security_helper')->getMock();
    // It answers with its own blocked-URL string...
    $stub->expects($this->any())
        ->method('get_blocked_url_string')
        ->will($this->returnValue('You shall not pass'));
    // ...and reports every URL as blocked.
    $stub->expects($this->any())
        ->method('url_is_blocked')
        ->will($this->returnValue(true));

    $client = new curl(['securityhelper' => $stub]);
    $body = $client->get($target);
    $this->assertSame('You shall not pass', $client->get_security()->get_blocked_url_string());
    $this->assertSame($client->get_security()->get_blocked_url_string(), $body);
}