MDL-72203 curl: Revert original fix of redirects to blocked URLs

This reverts the original fix introduced in MDL-71916. It introduced an extra native cURL call inside curl_security_helper to check if the given URL triggers a redirect to a blocked URL or not. Shortly after the release, a couple of regressions were reported as a result of the integrated solution. It was agreed to revert the fix and progress with implementing an alternative approach.
mpetrowi · Jul 27, 2021 · c619cd1 · c619cd1
1 parent 8c0853d
commit c619cd1
Showing 1 changed file with 3 additions and 25 deletions.
diff --git a/lib/classes/files/curl_security_helper.php b/lib/classes/files/curl_security_helper.php
@@ -60,10 +60,9 @@ class curl_security_helper extends curl_security_helper_base {
      * could not be parsed, as well as those valid URLs which were found in the blocklist.
      *
      * @param string $urlstring the URL to check.
-     * @param int $maxredirects Optional number of maximum redirects to follow - prevents infinite recursion.
      * @return bool true if the URL is blocked or invalid and false if the URL is not blocked.
      */
-    public function url_is_blocked($urlstring, $maxredirects = 3) {
+    public function url_is_blocked($urlstring) {
         // If no config data is present, then all hosts/ports are allowed.
         if (!$this->is_enabled()) {
             return false;
@@ -86,30 +85,9 @@ public function url_is_blocked($urlstring, $maxredirects = 3) {
         }
 
         if ($parsed['port'] && $parsed['host']) {
-            // Check the host and port against the allow/block entries, and that we have not run out of redirects.
-            if ($this->host_is_blocked($parsed['host']) || $this->port_is_blocked($parsed['port']) || $maxredirects < 1) {
-                return true;
-            }
-
-            // Check if the host has a redirect in place, without following it.
-            $ch = curl_init();
-            curl_setopt($ch, CURLOPT_URL, $urlstring);
-            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
-
-            curl_exec($ch);
-            $curlinfo = curl_getinfo($ch);
-            $redirecturl = $curlinfo['redirect_url'];
-
-            if (!$redirecturl) {
-                return false;
-            }
-
-            // Recursively check redirects, until final URL checked, redirects to a blocked host/port, or has too many redirects.
-            $maxredirects--;
-            return $this->url_is_blocked($redirecturl, $maxredirects);
+            // Check the host and port against the allow/block entries.
+            return $this->host_is_blocked($parsed['host']) || $this->port_is_blocked($parsed['port']);
         }
-
         return true;
     }