Commit 8825bed5 authored by Aaron Wells's avatar Aaron Wells

Bug 1592276: External RSS feed can be used to probe network

behatnotneeded
Change-Id: I635bf6d685c79b26c24805efa0a63c79df6f6201
(cherry picked from commit a6722cd9)
parent 5190027b
+1 −1
@@ -27,7 +27,7 @@ $string['itemstoshowdescription'] = 'Between 1 and 20';
$string['showfeeditemsinfull'] = 'Show feed items in full';
$string['showfeeditemsinfulldesc'] = 'Whether to show a summary of the feed items or show the full text for each one.';
$string['invalidurl'] = 'That URL is invalid. You can only view feeds for http and https URLs.';
$string['invalidfeed'] = 'The feed appears to be invalid. The error reported was: %s';
$string['invalidfeed1'] = 'No valid feed detected at that URL.';
$string['lastupdatedon'] = 'Last updated on %s';
$string['publishedon'] = 'Published on %s';
$string['defaulttitledescription'] = 'If you leave this blank, the title of the feed will be used.';
+21 −2
@@ -15,6 +15,8 @@ require_once('XML/Feed/Parser.php');

class PluginBlocktypeExternalfeed extends SystemBlocktype {

    const CURL_TIMEOUT = 15;

    public static function get_title() {
        return get_string('title', 'blocktype.externalfeed');
    }
@@ -231,13 +233,30 @@ class PluginBlocktypeExternalfeed extends SystemBlocktype {
        }

        if (!$form->get_error('url')) {
            // Calculate the time to delay to, on failure
            list($usec, $sec) = explode(" ", microtime());
            $sleepto = (($sec + static::CURL_TIMEOUT + 1) * 1000000) + $usec;

            try {
                $authpassword = ($values['authpassword']['submittedvalue'] !== null) ? $values['authpassword']['submittedvalue'] : $values['authpassword']['defaultvalue'];
                self::parse_feed($values['url'], $values['insecuresslmode'], $values['authuser'], $authpassword);
                return;
            }
            catch (XML_Feed_Parser_Exception $e) {
                $form->set_error('url', get_string('invalidfeed', 'blocktype.externalfeed',  hsc($e->getMessage())), false);

                // Pad the response time to hinder timing side channel attacks
                list($usec, $sec) = explode(" ", microtime());
                $now = ($sec * 1000000) + $usec;
                if ($now < $sleepto) {
                    $delay = $sleepto - $now;
                    $delaynanosec = ($delay % 1000000) * 1000;
                    $delaysec = floor($delay / 1000000);
                    time_nanosleep($delaysec, $delaynanosec);
                }

                // To prevent SSRF information-gathering attacks, don't show the user the details
                // of the curl error. Just show them a generic error message.
                $form->set_error('url', get_string('invalidfeed1', 'blocktype.externalfeed'));
            }
        }
    }
@@ -370,7 +389,7 @@ class PluginBlocktypeExternalfeed extends SystemBlocktype {

        $config = array(
            CURLOPT_URL => $source,
            CURLOPT_TIMEOUT => 15,
            CURLOPT_TIMEOUT => static::CURL_TIMEOUT,
            CURLOPT_USERAGENT => '',
        );