filelib.php oddness

filelib.php oddness

by Howard Miller -
Number of replies: 9
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers

When filelib.php tries to download (or display) a file of (eg) .txt extension (ie, mimetype text/plain), it encounters this bit of code

else if ($mimetype == 'text/plain') {
            $options->newlines = false;
            $options->noclean = true;
            $text = htmlentities($pathisstring ? $path : implode('', file($path)));
            $output = '<pre>'. format_text($text, FORMAT_MOODLE, $options, $courseid) .'</pre>';
            if (!empty($CFG->usesid) && empty($_COOKIE['MoodleSession'.$CFG->sessioncookie])) {
                //cookieless mode - rewrite links
                $output = sid_ob_rewrite($output);
            }

            @header('Content-Length: '.strlen($output));
            @header('Content-Type: text/html; charset='.current_charset()); //add encoding
            while (@ob_end_flush()); //flush the buffers - save memory and disable sid rewrite
            echo $output;

which changes in to mimetype text/html runs it through format_text(), basically changing it to a fully formatted HTML file.

I have an idea that this could be a bad move. Although it works, if somebody uploads a .txt file (or it is generated by something like the quiz export) it cannot be downloaded in the same form by right-clicking the link and downloading the file. My particular gripe is that it breaks some exported quiz files.

I suggest that this should send the file as unformatted text/plain as nature intended.

Any thoughts/abuse?

Average of ratings: -
In reply to Howard Miller

Re: filelib.php oddness

by Gustav W Delius -
Yes, this has been a repeated nuisance for us as well. Text files should not be formatted but simply delivered as is, marked as text/plain.
Average of ratings: -
In reply to Gustav W Delius

Re: filelib.php oddness

by Howard Miller -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers
Mmmm... I would very much like to change this but I'm also worried that somebody created this for a good reason (I just don't see what it might be). As these files open in a new window, even if the file is full of garbage it is only that screen that is wrecked.

I suppose displaying un-screened files could also be seen a possible security issue? Not sure. I would be interested in Petr's thoughts on that one.
Average of ratings: -
In reply to Howard Miller

Re: filelib.php oddness

by Gustav W Delius -
If displaying text files in a browser did present a security risk then browsing the web would be a very dangerous thing. Web browsers happily open any text file out there on the web.

The reason text files are currently sent through format_text() is that they may have to be filtered. The string on admin/filters.php says: "Enabling this setting will cause Moodle to process all uploaded HTML and text files with the filters before displaying them.". Currently the logic checking whether this filtering of text files is in format_text(). It should also be done in file.php so that if filtering of text files is not required the text files are also not sent to format_text().

As an additional impovement the choices for "Filter uploaded files" could be extended so that the admin can choose to filter uploaded html files but not filter uploaded text files.
Average of ratings: -
In reply to Gustav W Delius

Re: filelib.php oddness

by Howard Miller -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers
Ahh... good thinking smile That sounds like the answer. I have no excuse, I wrote that admin/filters.php page!!!

I'm on to it!
Average of ratings: -
In reply to Howard Miller

Re: filelib.php oddness

by Howard Miller -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers
Hopefully now sorted in 1.6dev CVS.
Average of ratings: -
In reply to Howard Miller

Re: filelib.php oddness

by Petr Skoda -
Picture of Core developers Picture of Documentation writers Picture of Peer reviewers Picture of Plugin developers
Hi Howard!

IMO there was no bug in filelib.php, did you notice the send_file()'s $filter parameter? wink I guess you should revert your commit.

As I said elsewhere this feature should be IMO disabled by default in lib/defaults.php

skodak

edit: we should also add a warning that this feature may break flash and some uploaded web pages.
Average of ratings: -
In reply to Petr Skoda

Re: filelib.php oddness

by Howard Miller -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers
Strange... I definitely had $CFG->filteruploadedfiles=false and text/plain files were getting filtered anyway.

I clearly need to do some more work on this.

I like Gustav's idea of being able to select non/all/just html though.
Average of ratings: -
In reply to Petr Skoda

Re: filelib.php oddness

by Howard Miller -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers
Ok - I *think* ( thoughtful ) that should be it now. The setting now has three options (no files, all files, only html). This is passed through to the $filters parameter in send_file(..). I could only find this parameter being set in files.php, so it shouldn't effect anything else.

The default is now to not filter any files (what I thought it was in the first place) - I think there was a false/true vs. 0/1 issue on the filters admin page.

This really does need explained properly. I'll add something at docs.moodle.org unless you think somewhere else would be more appropriate?
Average of ratings: -
In reply to Gustav W Delius

Re: filelib.php oddness

by Petr Skoda -
Picture of Core developers Picture of Documentation writers Picture of Peer reviewers Picture of Plugin developers
Hi Gustav!

Currently the logic checking whether this filtering of text files is in format_text(). It should also be done in file.php so that if filtering of text files is not required the text files are also not sent to format_text()

The logic is in file.php, see:
    send_file($pathname, $filename, $lifetime, !empty($CFG->filteruploadedfiles), false, $forcedownload);


skodak
Average of ratings: -