PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Sam Mudle -

I'm having problems using the Moodle Media button to insert SWF movies into forum posts.  I create an SWF via camtasia, then upload the SWF file into the forum post.  Moodle's filters generate the proper OBJECT embedding HTML, but I get MOVIE NOT LOADED.  I'm the administrator with god powers, so it's not a trusted content thing... I think...

I can use the Moodle Media button perfectly in regular resource and assignment posts.. just something weird about forum posts.

 

For some reason, Moodle treats Moodle Media uploads as a downloadable attachment.

If I extract the data attribute from the OBJECT tag, it looks like this:

http://www.moodleserver.com/pluginfile.php/237/mod_page/content/3/mammyblue2.swf

..and this plays inline flash SWF movies fine.  I can simply paste this url into the address bar and the browser will full screen play the movie. However, forum posts have a data attribute that looks like this:

http://www.moodleserver.info/pluginfile.php/248/mod_forum/post/90/mammyblue2.swf

The problem is that PLUGINFILE.PHP is telling the browser that the SWF file is to be downloaded.... if I just put that URL into the browser address bar it won't play it, it will ask to be downloaded.  So I have to figure out why PLUGINFILE.PHP wants to serve the media as a download.

Is there hack or setting to prevent Moodle Media Button inserted SWF's from being force downloaded?

In reply to Sam Mudle

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Sam Mudle -

http://docs.moodle.org/dev/File_API#pluginfile.php

There's a quote: student submitted files must not be served with normal headers, we have to force download instead; ideally there should be second wwwroot for serving of untrusted files.

True, but I don't care and want to take the risk.  I want forum posts to not force download and play the flash movies in the browser.  My students do not have permission to upload to youtube.

It seems that forum posts force downloads on all content, but I want to hack the moodle core to not do this.

In reply to Sam Mudle

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Tim Hunt -

See send_stored_file in lib/filelib.php

Average of ratings: Useful (1)
In reply to Sam Mudle

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Sam Mudle -

Ok, this is crazy.  Moodle's forum attachment codebase will always force attachments to download. 

Why the big deal with allowing students to upload SWF's?  Anyway, I'm going to disable the param here in lib.php.  Finally students will be able to show off SWF movies they've uploaded to moodle.

send_stored_file($file, 0, 0, true); // download MUST be forced - security!

In reply to Sam Mudle

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Petr Skoda -
Allowing anybody to upload files with correct headers without forced download is a real security risk, but if you like your server hacked then do whatever you want.

By default only files uploaded by teachers into safe areas are served normally, we try really hard to prevent execution of scripted content from student uploaded files.
Average of ratings: Useful (1)
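
As an added illustration (not Moodle's code and not part of the post above), this Python example models the serving policy described there for the two URL shapes quoted in the thread: a file in a teacher-only area gets its real type and an inline disposition, anything else is sent as an attachment. The `TRUSTED_AREAS` set, the function names and the `application/octet-stream` fallback are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: (component, filearea) pairs that only teachers can write to.
TRUSTED_AREAS = {("mod_page", "content")}

def parse_pluginfile_url(url):
    """Split .../pluginfile.php/<contextid>/<component>/<filearea>/<itemid>/<filename>."""
    path = unquote(urlsplit(url).path)
    _, _, rest = path.partition("/pluginfile.php/")
    parts = rest.split("/")
    if len(parts) != 5 or not parts[0].isdigit() or not parts[3].isdigit():
        raise ValueError("not a pluginfile-style URL: %r" % url)
    return {"contextid": int(parts[0]), "component": parts[1],
            "filearea": parts[2], "itemid": int(parts[3]), "filename": parts[4]}

def safe_filename(name):
    """Keep a conservative character set so the value cannot break out of the header."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    return cleaned.lstrip(".") or "download"

def response_headers(url, mimetype):
    """Headers for one file: inline only when the file area is trusted."""
    info = parse_pluginfile_url(url)
    trusted = (info["component"], info["filearea"]) in TRUSTED_AREAS
    disposition = "inline" if trusted else "attachment"
    return {
        # Untrusted uploads are never labelled with a type the browser would render.
        "Content-Type": mimetype if trusted else "application/octet-stream",
        "Content-Disposition": '%s; filename="%s"' % (disposition, safe_filename(info["filename"])),
        # Stop the browser from guessing a renderable type from the bytes.
        "X-Content-Type-Options": "nosniff",
    }
```
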
In reply to Petr Skoda

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Sam Mudle -

By default only files uploaded by teachers into safe areas are served normally, we try really hard to prevent execution of scripted content from student uploaded files.

Ok so the Trusted Content value doesn't apply to uploaded SWF files in forum posts.  I have my student record movies in flash, and it would be nice if they could upload them and have them play without having to download them.

My idea was that the students could upload their SWF movies in a forum and have everyone see them play.  It seems the correct Moodle Way is to have them upload somewhere else.  Then what is the point of the moodle media button in forums?  There should be a message saying that MOODLE MEDIA BUTTON HAS NO MEANING IN FORUM POSTS.

In summary:

  1. Enabling the Moodle Media button does nothing in Forums.
  2. You must enable the Trusted Content and apply it to the Student Role
  3. If the trusted content is on, the moodle Media button will upload the SWF, and the filter will render the OBJECT tags, but the SWF will not play since forums force download ANY file reference.
In reply to Sam Mudle

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Mary Cooch -

Well the moodle media button isn't just for swf - for example; your students could use it to upload mp3 files or flv files and it will play them just fine

 

moodletvgirl.flv

Average of ratings: Useful (2)
In reply to Mary Cooch

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Sam Mudle -

Well the moodle media button isn't just for swf - for example; your students could use it to upload mp3 files or flv files and it will play them just fine.

Ah, then where can I add the SWF extension to the allowed not-force-download types?

So technically I should be producing FLV files since FlowPlayer handles the controls.  My SWF file has its own controls.... hmm

Ok, so I just need a freeware screen recording software app that exports to FLV.  Grrr or have my students record the screen in AVI then convert to FLV with another app.

In reply to Sam Mudle

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Mary Cooch -

If you go to site admin>plugins>multimedia filters you will see that flv (and mp3) are quite different settings from swf. Yes, swf and flv are quite different things - I am not technical so I can't say exactly but flv is more of a movie file format whereas swf is more of an animation file format (that yes, can look like a movie, I agree). I always use flv for any of my movies that I upload to Moodle.  Here is an answer here: http://www.video-to-flash.com/flash_video/

In reply to Mary Cooch

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Sam Mudle -

Yes, what Tim Hunt freaks about is that SWF has embedded ActionScript which could cause all kinds of XSS attacks.  FLV is "just" a video format and has no such logic.

Many screen recorders assume that the user needs player controls (fast forward, slider, pause) and then bundle the movie inside an SWF.

Since Moodle has FlowPlayer, that's not necessary.  My problem is that my students don't have an app that converts AVI to FLV.

In reply to Sam Mudle

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Mary Cooch -

Easy - use what I use - in fact - for our students at my school we have it on the network - use the free Any Video Converter here

http://www.any-video-converter.com/products/for_video_free/

Average of ratings: Useful (1)
In reply to Mary Cooch

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Sam Mudle -

Ah, it supports MOV to FLV.....    well maybe I don't have to hack my server...

In reply to Sam Mudle

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Mary Cooch -

It converts pretty much anything to anything really - even video to mp3 which I have had occasion to use from time to time.

In reply to Sam Mudle

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Matt Bury -

BTW, Jeremy,

If it's screen recordings you want, there are loads of open source tools available that'll give you a more web friendly video output (I believe VLC media player does screen recordings). One important consideration is to avoid using "converters" which re-encode already compressed video files, AKA "transcoding". Transcoding results in a considerable loss of picture quality and for screen recordings that can make them unintelligible.

In reply to Petr Skoda

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Matt Bury -

Hi all,

With all due respect to everyone and their considerable expertise with programming and internet security issues, I think the approach that's being taken with regards to Flash files is a bit over the top. There's a lot of FUD (fear, uncertainty and doubt) being spread around by Steve Jobs and Apple Corp. which many people believe but has little basis in fact. According to Symantec et al. Flash is pretty far down the list of security threats on the web. For example, Javascript and PDFs are much riskier. The truth is that Flash is a major threat to Apple's iTunes based "walled garden" business model for iPhone and iPad, i.e. we don't need apps, which are far riskier, if we have fast, efficient RIAs (rich internet applications, AKA Flash and Java) running in the browser.

Anyone who has any experience of working with Flash Player's security model will tell you that the majority of security risks aren't from Flash Player per se, but from not implementing basic security features or circumventing them with hacks and proxies. There are simple settings in Flash embed code that will prevent cross-scripting for any 3rd party Flash file.

I've attached an example HTML file with more secure embed code. This will effectively block attempts at cross-scripting and cross-site request forgery. The two main parameters to look at are:

param name="allowscriptaccess" value="never"
param name="allownetworking" value="none"

There are also more permissive settings that only allow script access and networking locally on the same server.

I hope this helps!
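
An added example, not part of the post above and not the attached HTML file it mentions: a Python check that walks a page's markup and reports every Flash `<object>` or `<embed>` that does not carry the two settings quoted in the post. The class and function names are assumptions for this example.

```python
from html.parser import HTMLParser

# The two settings quoted in the post above; any other value is reported.
REQUIRED = {"allowscriptaccess": "never", "allownetworking": "none"}

class FlashEmbedAudit(HTMLParser):
    """Collect Flash <object>/<embed> elements that lack the restrictive settings."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, source URL, {setting: "missing" or actual value})
        self._open = []      # stack of open <object> elements as [src, type, params]

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._open.append([a.get("data", ""), a.get("type", ""), {}])
        elif tag == "param" and self._open:
            name, value = a.get("name", "").lower(), a.get("value", "")
            self._open[-1][2][name] = value
            if name == "movie" and not self._open[-1][0]:
                self._open[-1][0] = value   # older embed style: URL in <param name="movie">
        elif tag == "embed":
            self._check("embed", a.get("src", ""), a.get("type", ""), a)

    def handle_endtag(self, tag):
        if tag == "object" and self._open:
            self._check("object", *self._open.pop())

    def _check(self, tag, src, mime, params):
        # Only Flash content is audited: .swf source or the Flash MIME type.
        if not (src.lower().split("?")[0].endswith(".swf") or "shockwave-flash" in mime.lower()):
            return
        problems = {}
        for key, want in REQUIRED.items():
            got = params.get(key)
            if got is None or got.strip().lower() != want:
                problems[key] = "missing" if got is None else got
        if problems:
            self.findings.append((tag, src, problems))

def audit(html):
    """Return findings for every Flash embed in `html`, including unclosed <object>s."""
    parser = FlashEmbedAudit()
    parser.feed(html)
    parser.close()
    while parser._open:                     # <object> never closed in the markup
        parser._check("object", *parser._open.pop())
    return parser.findings
```
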

In reply to Matt Bury

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Petr Skoda -
Hello Matt,

it seems you are forgetting the other side of embedding - people embedding stuff uploaded to our Moodle from other sites. It took ages before Adobe addressed this serious security issue and that was a known security issue in all Moodle sites for several years.

I am responsible for most of the SWF restrictions in Moodle. I agree the Flash player security model was significantly improved in latest versions, we could probably lower the restrictions in some places, but we need some expert opinion on this topic because at present there is nobody in the HQ dev team that understands all the details of Flash. I suppose the easiest way would be to submit patches with detailed explanation of the potential security issues and links to official documentation.

Thanks for your comment - it does help a lot.
In reply to Petr Skoda

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Sam Mudle -

Petr,

I'm actually using Alice (www.alice.org) which exports to a large filesize QuickTime movie.  I want my students to share their creations with each other by posting on the forums.  Now I'm using the All Video Converter to transcode from MOV to FLV.  It can convert a 10MB MOV to a 500KB FLV without significant loss of quality.  Mary's solution is MUCH better than me using a screen capture utility.

My main beef is that there are multiple places in the documentation that say the site:trustcontent role will allow users to submit any media and yet the forum module does not listen for that role.  It will force download no matter what the trustcontent setting is for that user.

In particular, the information on this moodle manual is wrong or at best missing that the SWF will never play inline on the forum post and will be a force download option.

http://docs.moodle.org/20/en/Video#Why_won.27t_my_swf_video_play.3F

I hope this information helps someone out.

In reply to Sam Mudle

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Mary Cooch -

Hi Jeremy - I just wrote that documentation yesterday (big grin). I will edit it to say that it doesn't seem to work with forum posts.

In reply to Petr Skoda

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by Henry Foster -

Hi Petr,

Students can upload .swf files to wikis (if trusted content is enabled). Isn't that just as much of a security risk as in forums and blogs?

In reply to Henry Foster

Re: PLUGINFILE.PHP forcing download for Moodle Media inserted SWF's

by imbu danilot -

Hello,

We are on 2.2.5+ (Build: 20120920) and we experience the same issue.

the swf file appears to be loaded but it is not displayed....

the only problem is that we are talking about Teachers, not students experiencing the problem.

I enabled the multimedia filter,

I went to Site Administration>Security>Site policies and checked the "enable trusted content" box.

I also went to Site Administration>Users>Permissions>Define roles and allowed Trust Submitted content moodle/site:trustcontent for teacher role (well it was already allowed).

however we still see the issue.

would you know if this is actually more than just a students' restriction or something is going on here...

Thanks

Imbu