Fix URL is blocked message when not behind a proxy/load balancer

When there is no proxy/load balancer and curlsecurityblockedhosts is set to default (i.e. has 127.0.0.1 in it) fetching the outage page will result in a "The URL is blocked." message. This resolves that issue by passing ignoresecurity to the curl object.
catalyst · Feb 10, 2025 · 51db933 · 51db933
1 parent 11fbe64
commit 51db933
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 1 deletion.
diff --git a/classes/local/outagelib.php b/classes/local/outagelib.php
@@ -57,7 +57,7 @@ public static function fetch_page($file) {
         global $CFG;
         require_once($CFG->libdir . '/filelib.php');
 
-        $curl = new curl();
+        $curl = new curl(['ignoresecurity' => true]);
         $contents = $curl->get($file);
         $info = $curl->get_info();
         if (!empty($info['content_type'])) {

diff --git a/tests/local/controllers/maintenance_static_page_test.php b/tests/local/controllers/maintenance_static_page_test.php
@@ -423,6 +423,37 @@ public function test_file_get_data_invalidfilename() {
         maintenance_static_page_io::file_get_data(200);
     }
 
+    /**
+     * Test file_get_data with curlsecurityblockedhosts.
+     * We will use an external URL to test passing ignoresecurity inside of file_get_data works,
+     * ideally in real code we should only be calling file_get_data with internal URLs.
+     */
+    public function test_file_get_data_curlsecurityblockedhosts() {
+        global $CFG, $USER;
+
+        $testhtml = $this->getExternalTestFileUrl('/test.html');
+        $url = new \moodle_url($testhtml);
+        $host = $url->get_host();
+        set_config('curlsecurityblockedhosts', $host); // Blocks $host.
+
+        // Test a regular curl with the default security enabled does in fact get blocked.
+        $curl = new \curl();
+        $contents = $curl->get($testhtml);
+        $expected = $curl->get_security()->get_blocked_url_string();
+        self::assertSame($expected, $contents);
+        self::assertSame(0, $curl->get_errno());
+        if ($CFG->branch >= 403) {
+            self::assertDebuggingCalled(
+                "Blocked $testhtml: The URL is blocked. [user {$USER->id}]", DEBUG_NONE);
+        }
+
+        // Test file_get_data does return the page and isn't blocked by security.
+        $found = maintenance_static_page_io::file_get_data($url->out());
+        $expected = '47250a973d1b88d9445f94db4ef2c97a';
+        self::assertSame($expected, md5($found['contents']));
+        self::assertSame('text/html', $found['mime']);
+    }
+
     /**
      * Test remove css selector.
      */