MDL-61143 core_files: Check all A records when testing blocked IPs
authorCameron Ball <cameron@moodle.com>
Tue, 2 Jan 2018 06:42:09 +0000 (14:42 +0800)
committerMr. Jenkins (CiBoT) <cibot@moodle.org>
Tue, 9 Jan 2018 08:54:32 +0000 (16:54 +0800)
lib/classes/files/curl_security_helper.php

index 757c2a6..f180e59 100644 (file)
@@ -144,10 +144,19 @@ class curl_security_helper extends curl_security_helper_base {
 
             // Only perform a forward lookup if there are IP rules to check against.
             if ($blacklistedhosts['ipv4'] || $blacklistedhosts['ipv6']) {
-                $hostip = gethostbyname($host); // DNS forward lookup - only returns IPv4 addresses!
-                if ($hostip !== $host && $this->address_explicitly_blocked($hostip)) {
+                $hostips = gethostbynamel($host); // DNS forward lookup - returns a list of only IPv4 addresses!
+
+                // If we don't get a valid record, bail (so curl is never called).
+                if (!$hostips) {
                     return true;
                 }
+
+                // If any of the returned IPs are in the blacklist, block the request.
+                foreach ($hostips as $hostip) {
+                    if ($this->address_explicitly_blocked($hostip)) {
+                        return true;
+                    }
+                }
             }
         }
         return false;
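Review bot: Only A records are checked in the `foreach`, so a host that also publishes an AAAA record inside a blocked IPv6 range still passes even when `$blacklistedhosts['ipv6']` is set; the comment on the `gethostbynamel()` line already concedes the lookup is IPv4-only. Resolving both families would close the gap, for example `$records = dns_get_record($host, DNS_A | DNS_AAAA);` and then passing each `$record['ip'] ?? $record['ipv6']` to `address_explicitly_blocked()`. The new `!$hostips` bail-out also means a host with no A record (IPv6-only) is now refused whenever any IP rule exists, which the comment above it should state explicitly. Separately, this lookup and curl's own lookup are two independent resolutions, so the answer can differ between the check and the connection; whether the caller pins the vetted address (for instance with `CURLOPT_RESOLVE`) is not visible here, as the enclosing method starts and ends outside the hunk.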