From cae2eb357d15dc056a79e53f4f035eee1d3db221 Mon Sep 17 00:00:00 2001
From: Cameron Ball
Date: Tue, 2 Jan 2018 14:42:09 +0800
Subject: [PATCH] MDL-61143 core_files: Check all A records when testing blocked IPs
---
 lib/classes/files/curl_security_helper.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/lib/classes/files/curl_security_helper.php b/lib/classes/files/curl_security_helper.php
index 757c2a6a5a4c7..f180e5911e52f 100644
--- a/lib/classes/files/curl_security_helper.php
+++ b/lib/classes/files/curl_security_helper.php
@@ -144,10 +144,19 @@ protected function host_is_blocked($host) {
 // Only perform a forward lookup if there are IP rules to check against.
 if ($blacklistedhosts['ipv4'] || $blacklistedhosts['ipv6']) {
- $hostip = gethostbyname($host); // DNS forward lookup - only returns IPv4 addresses!
- if ($hostip !== $host && $this->address_explicitly_blocked($hostip)) {
+ $hostips = gethostbynamel($host); // DNS forward lookup - returns a list of only IPv4 addresses!
+
+ // If we don't get a valid record, bail (so curl is never called).
+ if (!$hostips) {
 return true;
 }
+
+ // If any of the returned IPs are in the blacklist, block the request.
+ foreach ($hostips as $hostip) {
+ if ($this->address_explicitly_blocked($hostip)) {
+ return true;
+ }
+ }
 }
 }
 return false;
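Review bot: AAAA records are still never tested against the blocklist: the outer condition runs the lookup when either `$blacklistedhosts['ipv4']` or `$blacklistedhosts['ipv6']` holds rules, but `gethostbynamel()` returns IPv4 addresses only, as the new inline comment itself says. A host whose A records are clean but whose AAAA record falls in a blocked IPv6 range therefore passes, while a host that has only AAAA records now lands in the `!$hostips` branch and is refused whenever any IP rule is configured. Consider resolving both families, e.g. `$records = dns_get_record($host, DNS_A | DNS_AAAA);`, and passing each record's `ip` or `ipv6` field to `address_explicitly_blocked()` while keeping the fail-closed branch (note that `dns_get_record()` queries DNS directly rather than going through the system resolver, so confirm it matches what curl will see). Separately, curl presumably resolves the name again after this check, so the addresses tested here are not guaranteed to be the ones connected to; pinning the vetted addresses with `CURLOPT_RESOLVE` at the call site would close that window, though that code is outside this hunk. host_is_blocked() begins before the hunk, so the earlier branches were not reviewed.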