Commit 8825bed5 authored by Aaron Wells's avatar Aaron Wells

Bug 1592276: External RSS feed can be used to probe network

behatnotneeded
Change-Id: I635bf6d685c79b26c24805efa0a63c79df6f6201
(cherry picked from commit a6722cd9)
parent 5190027b
......@@ -27,7 +27,7 @@ $string['itemstoshowdescription'] = 'Between 1 and 20';
$string['showfeeditemsinfull'] = 'Show feed items in full';
$string['showfeeditemsinfulldesc'] = 'Whether to show a summary of the feed items or show the full text for each one.';
$string['invalidurl'] = 'That URL is invalid. You can only view feeds for http and https URLs.';
$string['invalidfeed'] = 'The feed appears to be invalid. The error reported was: %s';
$string['invalidfeed1'] = 'No valid feed detected at that URL.';
$string['lastupdatedon'] = 'Last updated on %s';
$string['publishedon'] = 'Published on %s';
$string['defaulttitledescription'] = 'If you leave this blank, the title of the feed will be used.';
......
......@@ -15,6 +15,8 @@ require_once('XML/Feed/Parser.php');
class PluginBlocktypeExternalfeed extends SystemBlocktype {
const CURL_TIMEOUT = 15;
public static function get_title() {
return get_string('title', 'blocktype.externalfeed');
}
......@@ -231,13 +233,30 @@ class PluginBlocktypeExternalfeed extends SystemBlocktype {
}
if (!$form->get_error('url')) {
// Calculate the time to delay to, on failure
list($usec, $sec) = explode(" ", microtime());
$sleepto = (($sec + static::CURL_TIMEOUT + 1) * 1000000) + $usec;
try {
$authpassword = ($values['authpassword']['submittedvalue'] !== null) ? $values['authpassword']['submittedvalue'] : $values['authpassword']['defaultvalue'];
self::parse_feed($values['url'], $values['insecuresslmode'], $values['authuser'], $authpassword);
return;
}
catch (XML_Feed_Parser_Exception $e) {
$form->set_error('url', get_string('invalidfeed', 'blocktype.externalfeed', hsc($e->getMessage())), false);
// Pad the response time to hinder timing side channel attacks
list($usec, $sec) = explode(" ", microtime());
$now = ($sec * 1000000) + $usec;
if ($now < $sleepto) {
$delay = $sleepto - $now;
$delaynanosec = ($delay % 1000000) * 1000;
$delaysec = floor($delay / 1000000);
time_nanosleep($delaysec, $delaynanosec);
}
// To prevent SSRF information-gathering attacks, don't show the user the details
// of the curl error. Just show them a generic error message.
$form->set_error('url', get_string('invalidfeed1', 'blocktype.externalfeed'));
}
}
}
......@@ -370,7 +389,7 @@ class PluginBlocktypeExternalfeed extends SystemBlocktype {
$config = array(
CURLOPT_URL => $source,
CURLOPT_TIMEOUT => 15,
CURLOPT_TIMEOUT => static::CURL_TIMEOUT,
CURLOPT_USERAGENT => '',
);
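Review bot: The response-time padding in the catch block loses sub-second precision, because `microtime()` without `true` returns the fraction in seconds (e.g. `"0.12345600 1592276000"`, a constructed sample), so `+ $usec` adds a value below 1 to a count that is already in microseconds, both at `$sleepto` and again at `$now`; the computed delay is effectively rounded to whole seconds, and the failure path still finishes up to about a second earlier or later depending on the sub-second time at which the request started. Computing both timestamps with `microtime(true)` in float seconds and deriving the `time_nanosleep` arguments from the remaining fraction keeps the padding at the intended resolution. The padding also runs only when `XML_Feed_Parser_Exception` is thrown and only if the fetch finished before the `CURL_TIMEOUT + 1` deadline, which presumably holds for the common cases but is worth confirming against whatever else `parse_feed` can throw. The enclosing validation method starts outside the hunk.
```php
// … unchanged: url error check …
// Calculate the time to delay to, on failure (float seconds)
$sleepto = microtime(true) + static::CURL_TIMEOUT + 1;
// … unchanged: try { parse_feed(...); return; } …
catch (XML_Feed_Parser_Exception $e) {
    // Pad the response time to hinder timing side channel attacks
    $delay = $sleepto - microtime(true);
    if ($delay > 0) {
        $delaysec = (int) floor($delay);
        time_nanosleep($delaysec, (int) (($delay - $delaysec) * 1000000000));
    }
    // … unchanged: generic invalidfeed1 error …
}
```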
......