Moodle PHP Documentation 4.3
Moodle 4.3.5 (Build: 20240610) (7dcfaa79f78)
core\files\curl_security_helper Class Reference

Host and port checking for curl. More...

Inheritance diagram for core\files\curl_security_helper:
core\files\curl_security_helper_base

Public Member Functions

 get_blocked_url_string ()
 Returns a string message describing a blocked URL.
 
 is_enabled ()
 Convenience method to check whether we have any entries in the host blocklist or ports allowlist admin settings.
 
 url_is_blocked ($urlstring, $notused=null)
 Checks whether the given URL is blocked by checking its address and port number against the allow/block lists.
 
 url_is_blocked ($url)
 Check whether the input url should be blocked or not.
 

Protected Member Functions

 address_explicitly_blocked ($addr)
 Checks whether the input address is blocked by at any of the IPv4 or IPv6 address rules.
 
 get_allowed_ports ()
 Helper that returns the allowed ports, as defined in the 'curlsecurityallowedport' setting.
 
 get_blocked_hosts ()
 Helper that returns the blocked hosts, as defined in the 'curlsecurityblockedhosts' setting.
 
 get_blocked_hosts_by_category ()
 Helper to get all entries from the admin setting, as an array, sorted by classification.
 
 get_host_list_by_name ($host)
 Retrieve all hosts for a domain name.
 
 host_explicitly_blocked ($host)
 Checks whether the input hostname is blocked by any of the domain/wildcard rules.
 
 host_is_blocked ($host)
 Checks whether the host portion of a url is blocked.
 
 port_is_blocked ($port)
 Checks whether the given port is blocked, as determined by its absence on the ports allowlist.
 

Protected Attributes

array $transportschemes
 of supported transport schemes and their respective default ports.
 

Detailed Description

Host and port checking for curl.

This class provides a means to check URL/host/port against the system-level cURL security entries. It does not provide a means to add URLs, hosts or ports to the allowed/blocked lists; this is configured manually via the site admin section of Moodle (See: 'Site admin' > 'Security' > 'HTTP Security').

This class is currently used by the 'curl' wrapper class in lib/filelib.php. Depends on: core\ip_utils (several functions) moodlelib (clean_param)

License
http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
Author
Jake Dallimore jrhda.nosp@m.llim.nosp@m.ore@g.nosp@m.mail.nosp@m..com

Member Function Documentation

◆ address_explicitly_blocked()

core\files\curl_security_helper::address_explicitly_blocked ( $addr)
protected

Checks whether the input address is blocked by at any of the IPv4 or IPv6 address rules.

Parameters
string$addrthe ip address to check.
Return values
booltrue if the address is covered by an entry in the blocklist, false otherwise.

◆ get_allowed_ports()

core\files\curl_security_helper::get_allowed_ports ( )
protected

Helper that returns the allowed ports, as defined in the 'curlsecurityallowedport' setting.

Return values
arraythe array of allowed ports.

◆ get_blocked_hosts()

core\files\curl_security_helper::get_blocked_hosts ( )
protected

Helper that returns the blocked hosts, as defined in the 'curlsecurityblockedhosts' setting.

Return values
arraythe array of blocked host entries.

◆ get_blocked_hosts_by_category()

core\files\curl_security_helper::get_blocked_hosts_by_category ( )
protected

Helper to get all entries from the admin setting, as an array, sorted by classification.

Classifications include 'ipv4', 'ipv6', 'domain', 'domainwildcard'.

Return values
arrayof host/domain/ip entries from the 'curlsecurityblockedhosts' config.

◆ get_blocked_url_string()

core\files\curl_security_helper::get_blocked_url_string ( )

Returns a string message describing a blocked URL.

E.g. 'This URL is blocked'.

Return values
stringthe string error.

Reimplemented from core\files\curl_security_helper_base.

◆ get_host_list_by_name()

core\files\curl_security_helper::get_host_list_by_name ( $host)
protected

Retrieve all hosts for a domain name.

Parameters
string$param
Return values
arrayAn array of IPs associated with the host name.

◆ host_explicitly_blocked()

core\files\curl_security_helper::host_explicitly_blocked ( $host)
protected

Checks whether the input hostname is blocked by any of the domain/wildcard rules.

Parameters
string$hostthe hostname to check
Return values
booltrue if the host is covered by an entry in the blocklist, false otherwise.

◆ host_is_blocked()

core\files\curl_security_helper::host_is_blocked ( $host)
protected

Checks whether the host portion of a url is blocked.

The host portion may be a FQDN, IPv4 address or a IPv6 address wrapped in square brackets, as per standard URL notation. E.g. images.example.com 127.0.0.1 [0.0.0.0.0.0.0.1] The method logic is as follows:

  1. Check the host component against the list of IPv4/IPv6 addresses and ranges.
    • This will perform a DNS forward lookup if required.
  2. Check the host component against the list of domain names and wildcard domain names.
    • This will perform a DNS reverse lookup if required.

The behaviour of this function can be classified as strict, as it returns true for hosts which are invalid or could not be parsed, as well as those valid URLs which were found in the blocklist.

Parameters
string$hostthe host component of the URL to check against the blocklist.
Return values
booltrue if the host is both valid and blocked, false otherwise.

◆ is_enabled()

core\files\curl_security_helper::is_enabled ( )

Convenience method to check whether we have any entries in the host blocklist or ports allowlist admin settings.

If no entries are found at all, the assumption is that the blocklist is disabled entirely.

Return values
booltrue if one or more entries exist, false otherwise.

◆ port_is_blocked()

core\files\curl_security_helper::port_is_blocked ( $port)
protected

Checks whether the given port is blocked, as determined by its absence on the ports allowlist.

Ports are assumed to be blocked unless found in the allowlist.

Parameters
integer | string$portthe port to check against the ports allowlist.
Return values
booltrue if the port is blocked, false otherwise.

◆ url_is_blocked() [1/2]

core\files\curl_security_helper::url_is_blocked ( $urlstring,
$notused = null )

Checks whether the given URL is blocked by checking its address and port number against the allow/block lists.

The behaviour of this function can be classified as strict, as it returns true for URLs which are invalid or could not be parsed, as well as those valid URLs which were found in the blocklist.

Parameters
string$urlstringthe URL to check.
int$notusedThere used to be an optional parameter $maxredirects for a short while here, not used any more.
Return values
booltrue if the URL is blocked or invalid and false if the URL is not blocked.

◆ url_is_blocked() [2/2]

core\files\curl_security_helper_base::url_is_blocked ( $url)
abstractinherited

Check whether the input url should be blocked or not.

Parameters
string$urlthe url to check.
Return values
booltrue if the url is deemed to be blocked, false otherwise.

Member Data Documentation

◆ $transportschemes

array core\files\curl_security_helper::$transportschemes
protected
Initial value:
= [
'http' => 80,
'https' => 443
]

of supported transport schemes and their respective default ports.


The documentation for this class was generated from the following file: