From c619cd1425b2db410b86ee0eaf228dd66522074a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Mudr=C3=A1k?=
Date: Thu, 22 Jul 2021 23:10:11 +0200
Subject: [PATCH] MDL-72203 curl: Revert original fix of redirects to blocked URLs

This reverts the original fix introduced in MDL-71916. It introduced an extra native cURL call inside curl_security_helper to check if the given URL triggers a redirect to a blocked URL or not. Shortly after the release, a couple of regressions were reported as a result of the integrated solution. It was agreed to revert the fix and progress with implementing an alternative approach.
---
 lib/classes/files/curl_security_helper.php | 28 +++-------------------
 1 file changed, 3 insertions(+), 25 deletions(-)
diff --git a/lib/classes/files/curl_security_helper.php b/lib/classes/files/curl_security_helper.php
index a7b59f5f9b612..8388a1317eedf 100644
--- a/lib/classes/files/curl_security_helper.php
+++ b/lib/classes/files/curl_security_helper.php
@@ -60,10 +60,9 @@ class curl_security_helper extends curl_security_helper_base {
 * could not be parsed, as well as those valid URLs which were found in the blocklist.
 *
 * @param string $urlstring the URL to check.
- * @param int $maxredirects Optional number of maximum redirects to follow - prevents infinite recursion.
 * @return bool true if the URL is blocked or invalid and false if the URL is not blocked.
 */
- public function url_is_blocked($urlstring, $maxredirects = 3) {
+ public function url_is_blocked($urlstring) {
 // If no config data is present, then all hosts/ports are allowed.
 if (!$this->is_enabled()) {
 return false;
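Review bot: The docblock of `url_is_blocked()` says nothing about redirects once the `$maxredirects` line is dropped, so a reader cannot tell that only the URL passed in is checked. I would add a line above `@param`, for example `* Only $urlstring itself is checked; a redirect returned by that host is not resolved or validated here.` The commit message says an alternative approach is still to be implemented, so until it lands any caller that lets cURL follow redirects presumably has to run each redirect target through this check itself. PHP accepts surplus arguments to user-defined functions, so a caller written against the released two-argument signature keeps running with its redirect limit silently ignored, which is worth a mention in the same docblock. The function body continues past this hunk into the second one.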
@@ -86,30 +85,9 @@ public function url_is_blocked($urlstring, $maxredirects = 3) {
 }
 if ($parsed['port'] && $parsed['host']) {
- // Check the host and port against the allow/block entries, and that we have not run out of redirects.
- if ($this->host_is_blocked($parsed['host']) || $this->port_is_blocked($parsed['port']) || $maxredirects < 1) {
- return true;
- }
-
- // Check if the host has a redirect in place, without following it.
- $ch = curl_init();
- curl_setopt($ch, CURLOPT_URL, $urlstring);
- curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
- curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
-
- curl_exec($ch);
- $curlinfo = curl_getinfo($ch);
- $redirecturl = $curlinfo['redirect_url'];
-
- if (!$redirecturl) {
- return false;
- }
-
- // Recursively check redirects, until final URL checked, redirects to a blocked host/port, or has too many redirects.
- $maxredirects--;
- return $this->url_is_blocked($redirecturl, $maxredirects);
+ // Check the host and port against the allow/block entries.
+ return $this->host_is_blocked($parsed['host']) || $this->port_is_blocked($parsed['port']);
 }
-
 return true;
 }
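Review bot: The closing `return true;` is the fail-closed path for a URL whose host or port could not be determined, and nothing in the body says so. A comment directly above it, `// No usable host or port: treat the URL as blocked (fail closed).`, would keep a later edit from relaxing it to `return false`. The guard `if ($parsed['port'] && $parsed['host'])` tests truthiness, so a host of `'0'` or a port of `0` also ends up on that path; that errs on the safe side, but it is worth stating in the same comment. The start of `url_is_blocked()` and the code that fills `$parsed` are outside this hunk.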