MDL-71916 lib: Check cURL redirects for blocked URLs before following

moodle · Jul 6, 2021 · 582b013 · 582b013
1 parent 09c13ae
commit 582b013
Showing 1 changed file with 25 additions and 3 deletions.
diff --git a/lib/classes/files/curl_security_helper.php b/lib/classes/files/curl_security_helper.php
@@ -60,9 +60,10 @@ class curl_security_helper extends curl_security_helper_base {
      * could not be parsed, as well as those valid URLs which were found in the blocklist.
      *
      * @param string $urlstring the URL to check.
+     * @param int $maxredirects Optional number of maximum redirects to follow - prevents infinite recursion.
      * @return bool true if the URL is blocked or invalid and false if the URL is not blocked.
      */
-    public function url_is_blocked($urlstring) {
+    public function url_is_blocked($urlstring, $maxredirects = 3) {
         // If no config data is present, then all hosts/ports are allowed.
         if (!$this->is_enabled()) {
             return false;
@@ -85,9 +86,30 @@ public function url_is_blocked($urlstring) {
         }
 
         if ($parsed['port'] && $parsed['host']) {
-            // Check the host and port against the allow/block entries.
-            return $this->host_is_blocked($parsed['host']) || $this->port_is_blocked($parsed['port']);
+            // Check the host and port against the allow/block entries, and that we have not run out of redirects.
+            if ($this->host_is_blocked($parsed['host']) || $this->port_is_blocked($parsed['port']) || $maxredirects < 1) {
+                return true;
+            }
+
+            // Check if the host has a redirect in place, without following it.
+            $ch = curl_init();
+            curl_setopt($ch, CURLOPT_URL, $urlstring);
+            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
+
+            curl_exec($ch);
+            $curlinfo = curl_getinfo($ch);
+            $redirecturl = $curlinfo['redirect_url'];
+
+            if (!$redirecturl) {
+                return false;
+            }
+
+            // Recursively check redirects, until final URL checked, redirects to a blocked host/port, or has too many redirects.
+            $maxredirects--;
+            return $this->url_is_blocked($redirecturl, $maxredirects);
         }
+
         return true;
     }