From 51db933862b08945edabbb1df84ce5e349a5604c Mon Sep 17 00:00:00 2001
From: Rossco Hellmans
Date: Mon, 10 Feb 2025 12:35:44 +1000
Subject: [PATCH] Fix URL is blocked message when not behind a proxy/load balancer
When there is no proxy/load balancer and curlsecurityblockedhosts is set to default (i.e. has 127.0.0.1 in it) fetching the outage page will result in a "The URL is blocked." message. This resolves that issue by passing ignoresecurity to the curl object.
---
 classes/local/outagelib.php | 2 +-
 .../maintenance_static_page_test.php | 31 +++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/classes/local/outagelib.php b/classes/local/outagelib.php
index 5386859..82cab6a 100644
--- a/classes/local/outagelib.php
+++ b/classes/local/outagelib.php
@@ -57,7 +57,7 @@ class outagelib {
 global $CFG;
 require_once($CFG->libdir . '/filelib.php');
- $curl = new curl();
+ $curl = new curl(['ignoresecurity' => true]);
 $contents = $curl->get($file);
 $info = $curl->get_info();
 if (!empty($info['content_type'])) {
diff --git a/tests/local/controllers/maintenance_static_page_test.php b/tests/local/controllers/maintenance_static_page_test.php
index 2fb469f..29f79df 100644
--- a/tests/local/controllers/maintenance_static_page_test.php
+++ b/tests/local/controllers/maintenance_static_page_test.php
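Review bot: `new curl(['ignoresecurity' => true])` in classes/local/outagelib.php switches off the curl security check for every `$file` this function receives, not only for the 127.0.0.1 case the commit message describes, so `curlsecurityblockedhosts` no longer limits any fetch made here. The new test's docblock says callers should pass internal URLs only, but nothing in the hunk enforces that. Consider scoping the bypass to site-local URLs, for example `$local = strpos($file, $CFG->wwwroot . '/') === 0;` followed by `$curl = new curl(['ignoresecurity' => $local]);`, and confirm whether redirects followed by `$curl->get()` are also exempt once the flag is set. The enclosing function starts and ends outside the hunk, so how `$file` is derived cannot be checked from here.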
@@ -423,6 +423,37 @@ class maintenance_static_page_test extends \auth_outage\base_testcase {
 maintenance_static_page_io::file_get_data(200);
 }
+ /**
+ * Test file_get_data with curlsecurityblockedhosts.
+ * We will use an external URL to test passing ignoresecurity inside of file_get_data works,
+ * ideally in real code we should only be calling file_get_data with internal URLs.
+ */
+ public function test_file_get_data_curlsecurityblockedhosts() {
+ global $CFG, $USER;
+
+ $testhtml = $this->getExternalTestFileUrl('/test.html');
+ $url = new \moodle_url($testhtml);
+ $host = $url->get_host();
+ set_config('curlsecurityblockedhosts', $host); // Blocks $host.
+
+ // Test a regular curl with the default security enabled does in fact get blocked.
+ $curl = new \curl();
+ $contents = $curl->get($testhtml);
+ $expected = $curl->get_security()->get_blocked_url_string();
+ self::assertSame($expected, $contents);
+ self::assertSame(0, $curl->get_errno());
+ if ($CFG->branch >= 403) {
+ self::assertDebuggingCalled(
+ "Blocked $testhtml: The URL is blocked. [user {$USER->id}]", DEBUG_NONE);
+ }
+
+ // Test file_get_data does return the page and isn't blocked by security.
+ $found = maintenance_static_page_io::file_get_data($url->out());
+ $expected = '47250a973d1b88d9445f94db4ef2c97a';
+ self::assertSame($expected, md5($found['contents']));
+ self::assertSame('text/html', $found['mime']);
+ }
+
 /**
 * Test remove css selector.
 */
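Review bot: `test_file_get_data_curlsecurityblockedhosts` asserts that `file_get_data` returns content from a host listed in `curlsecurityblockedhosts`, which pins the bypass for external hosts as expected behaviour even though the docblock says real callers should pass internal URLs only. A comment above the second block would keep that from being read as a guarantee, for example `// External host is a stand-in for test purposes; production callers should pass site-local URLs only.` The literal `47250a973d1b88d9445f94db4ef2c97a` also deserves a note such as `// MD5 of the /test.html fixture behind getExternalTestFileUrl().`, since a change to that remote file would fail this test for reasons unrelated to the code under test.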