Fix #yogosha8457

htdocs/core/lib/geturl.lib.php

@@ -214,11 +214,14 @@ function getURLContent($url, $postorget = 'GET', $param = '', $followlocation =
 				}
 			}
 
-			// Common check (local and external)
-			if (in_array($iptocheck, array('100.100.100.200'))) {
-				$info['http_code'] = 400;
-				$info['content'] = 'Error bad hostname IP (Used by Alibaba metadata). Must be an external URL.';
-				break;
+			// Common check on ip (local and external)
+			$arrayofmetadataserver = array('100.100.100.200' => 'Alibaba', '192.0.0.192'=> 'Oracle');
+			foreach ($arrayofmetadataserver as $ipofmetadataserver => $nameofmetadataserver) {
+				if ($iptocheck == $ipofmetadataserver) {
+					$info['http_code'] = 400;
+					$info['content'] = 'Error bad hostname IP (Used by '.$nameofmetadataserver.' metadata server). This IP is forbidden.';
+					break 2;	// exit the foreach and the do...
+				}
 			}
 
 			// Set CURLOPT_CONNECT_TO so curl will not try another resolution that may give a different result. Possible only on PHP v7+

test/phpunit/SecurityTest.php

@@ -791,6 +791,11 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 		 $this->assertEquals(400, $tmp['http_code'], 'Should GET url to '.$url.' that resolves to a local URL');	// Test we receive an error because localtest.me is not an external URL
 		 */
 
+		$url = 'http://192.0.0.192';
+		$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0);		// Only external URL but on an IP in blacklist
+		print __METHOD__." url=".$url." tmp['http_code'] = ".$tmp['http_code']."\n";
+		$this->assertEquals(400, $tmp['http_code'], 'Access should be refused and was not');	// Test we receive an error because ip is in blacklist
+
 		return 0;
 	}