Upload with executable permission and 'exe' after file name

by Eliasz Eliyahu -
Number of replies: 5

My new module is the new version of assignment. It should upload a script file (sh, exe, bat, com, etc.) and run it when a student uploads a file, to check the uploaded file. My script checks everything. I built the API between the Moodle assignment and a binary program.

OK. If I use the Filepicker, can I upload my script to another catalog, or only to 'moodledata/filedir/xx/yy/xxyyhashofmysript'? What can I do if I want to have the same permission (chmod +x) on my uploaded script? What can I do if I want 'exe', 'sh', 'bat', 'com' after the file name?

These are the most important questions for me. Thanks for helping. Regards

In reply to Eliasz Eliyahu

Re: Upload with executable permission and 'exe' after file name

by Erik Ordway -

Doing this will guarantee that your webserver gets hacked. Running user submitted code is a very bad idea.

Take a look at some of the computer science grading modules that run the code in a separate sandboxed VM for examples of how to do this right.

In reply to Erik Ordway

Re: Upload with executable permission and 'exe' after file name

by Eliasz Eliyahu -

Thanks, and don't worry about me :) This is for my Master's degree work, not for a real Moodle installation :)

-----

OK. Does the filepicker have a setting to not change the end of the file (exe, sh, bat, com)?

In reply to Eliasz Eliyahu

Re: Upload with executable permission and 'exe' after file name

by Tim Williams -

Speaking as somebody who has supervised and marked work for computer science master's degrees, I would mark you down very heavily for writing a system with such a huge security hole. Writing a 'proof of concept' project is OK, but you would still need to demonstrate that all of the major issues can be dealt with. I would rate the security of a system that is dealing with uploaded executables as problem No. 1.

You need to look very seriously at sandboxing the test environment if you want to get a decent grade.

I would also recommend making the students upload source as a single zip file, rather than executables, with the source then being unzipped and compiled within the sandboxed testing environment. That way you won't have any potentially dangerous executable files sat on a live server.
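
An added example, not part of the thread or of any Moodle code: a pre-check a grader could run on the uploaded source zip before it is unpacked and compiled inside the sandbox, as the post above recommends. The allowed suffixes and the size and count limits are assumed policy values, and the check complements the sandbox rather than replacing it.

```python
import io
import stat
import zipfile
from pathlib import PurePosixPath

# Assumed policy values (not from the thread); adjust per course.
ALLOWED_SUFFIXES = {".c", ".h", ".py", ".java", ".txt"}
MAX_FILES = 200
MAX_TOTAL_BYTES = 5 * 1024 * 1024


def check_submission(zip_bytes):
    """Return a list of policy violations; an empty list means the
    archive may be handed to the sandbox for unpacking and compiling."""
    problems = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with archive:
        entries = archive.infolist()
        if len(entries) > MAX_FILES:
            problems.append("too many entries")
        # Declared sizes only; the sandbox must still cap real disk usage.
        if sum(e.file_size for e in entries) > MAX_TOTAL_BYTES:
            problems.append("declared uncompressed size exceeds limit")
        for e in entries:
            path = PurePosixPath(e.filename.replace("\\", "/"))
            mode = e.external_attr >> 16  # Unix mode bits, if recorded
            if path.is_absolute() or ".." in path.parts:
                problems.append(f"unsafe path: {e.filename}")
            elif stat.S_ISLNK(mode):
                problems.append(f"symlink: {e.filename}")
            elif not e.is_dir() and path.suffix.lower() not in ALLOWED_SUFFIXES:
                problems.append(f"disallowed file type: {e.filename}")
    return problems


def make_zip(files):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_submission(make_zip({"src/main.c": b"int main(void){return 0;}\n"})))
    print(check_submission(make_zip({"../evil.sh": b"#!/bin/sh\n", "run.exe": b"MZ"})))
```
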
In reply to Eliasz Eliyahu

Re: Upload with executable permission and 'exe' after file name

by Howard Miller -

Using the formslib you can upload a file and do whatever you like with it (see the formslib docs). You don't *have* to store it using the file API.

Having said that, even as an exercise this is an insane thing to do unless you have thought of a way of very properly containing the code that is being run. Of course, it's Windows by the sound of things - so you probably haven't :P
Average of ratings: Useful (1)
In reply to Howard Miller

Re: Upload with executable permission and 'exe' after file name

by Eliasz Eliyahu -

I did it! :) I used the FILE API. I uploaded the file and he has a new 'boss' - user 'nobody'. 'nobody' can make a new permission for a file. In Unix the 'exe' is no problem. Windows sucks, but if I want I can change the name and update the record in mdl_files. Everything.

Thx