MDL-61143 core_files: Check all A records when testing blocked IPs

nilo72 · Jan 9, 2018 · cae2eb3 · cae2eb3
1 parent 01a79b4
commit cae2eb3
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/lib/classes/files/curl_security_helper.php b/lib/classes/files/curl_security_helper.php
@@ -144,10 +144,19 @@ protected function host_is_blocked($host) {
 
             // Only perform a forward lookup if there are IP rules to check against.
             if ($blacklistedhosts['ipv4'] || $blacklistedhosts['ipv6']) {
-                $hostip = gethostbyname($host); // DNS forward lookup - only returns IPv4 addresses!
-                if ($hostip !== $host && $this->address_explicitly_blocked($hostip)) {
+                $hostips = gethostbynamel($host); // DNS forward lookup - returns a list of only IPv4 addresses!
+
+                // If we don't get a valid record, bail (so curl is never called).
+                if (!$hostips) {
                     return true;
                 }
+
+                // If any of the returned IPs are in the blacklist, block the request.
+                foreach ($hostips as $hostip) {
+                    if ($this->address_explicitly_blocked($hostip)) {
+                        return true;
+                    }
+                }
             }
         }
         return false;