MDL-72203 curl: Improve redirect unit testing and update upgrade.txt

lib/upgrade.txt was updated to reflect the fact that all cURL redirects will be emulated.
moodle · Jul 27, 2021 · dc19dd6 · dc19dd6
1 parent 986a6f6
commit dc19dd6
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/lib/tests/filelib_test.php b/lib/tests/filelib_test.php
@@ -337,6 +337,39 @@ public function test_curl_redirects() {
         @unlink($tofile);
     }
 
+    /**
+     * Test that redirects to blocked hosts are blocked.
+     */
+    public function test_curl_blocked_redirect() {
+        $this->resetAfterTest();
+
+        $testurl = $this->getExternalTestFileUrl('/test_redir.php');
+
+        // Block a host.
+        // Note: moodle.com is the URL redirected to when test_redir.php has the param extdest=1 set.
+        set_config('curlsecurityblockedhosts', 'moodle.com');
+
+        // Redirecting to a non-blocked host should resolve.
+        $curl = new curl();
+        $contents = $curl->get("{$testurl}?redir=2");
+        $response = $curl->getResponse();
+        $this->assertSame('200 OK', reset($response));
+        $this->assertSame(0, $curl->get_errno());
+
+        // Redirecting to the blocked host should fail.
+        $curl = new curl();
+        $blockedstring = $curl->get_security()->get_blocked_url_string();
+        $contents = $curl->get("{$testurl}?redir=1&extdest=1");
+        $this->assertSame($blockedstring, $contents);
+        $this->assertSame(0, $curl->get_errno());
+
+        // Redirecting to the blocked host after multiple successful redirects should also fail.
+        $curl = new curl();
+        $contents = $curl->get("{$testurl}?redir=3&extdest=1");
+        $this->assertSame($blockedstring, $contents);
+        $this->assertSame(0, $curl->get_errno());
+    }
+
     public function test_curl_relative_redirects() {
         // Test relative location redirects.
         $testurl = $this->getExternalTestFileUrl('/test_relative_redir.php');

diff --git a/lib/upgrade.txt b/lib/upgrade.txt
@@ -1,6 +1,10 @@
 This files describes API changes in core libraries and APIs,
 information provided here is intended especially for developers.
 
+=== 3.11.2 ===
+* For security reasons, filelib has been updated so all requests now use emulated redirects.
+  For this reason, manually disabling emulateredirects will no longer have any effect (and will generate a debugging message).
+
 === 3.11 ===
 * PHPUnit has been upgraded to 9.5 (see MDL-71036 for details).
   That comes with a few changes: