Security and privacy

HTTP to HTTPS converter for external content

 
 
Picture of John Okely
Re: HTTP to HTTPS converter for external content
Group DevelopersGroup Moodle HQGroup Testers

Tracker link: MDL-46269

 
Average of ratings: -
Picture of Dan Marsden
Re: HTTP to HTTPS converter for external content
Group DevelopersGroup Moodle Course Creator Certificate holdersGroup Particularly helpful MoodlersGroup Plugins guardiansGroup TestersGroup Translators

Personally I think the "new content" issue should be resolved in the editor on saving content - it would be nice if it could do an automatic check and fix anything it can fix automatically and then warn the user perform some validation to report to the user that to embed the content they must find an https link.

Then we can just use an admin tool to fix "existing" content and don't need to rely on a filter that adds performance overheads to the site.

 
Average of ratings: -
Picture of John Okely
Re: HTTP to HTTPS converter for external content
Group DevelopersGroup Moodle HQGroup Testers

Yeah the filter is added overhead. Then again, if we don't implement a filter, we will need the admin tool to run during upgrade, then again once the admin finishes putting together their whitelist.

The filter would work nicely for existing content, allowing the admin to locate items that don't work and gradually add them to the whitelist, without having to run the tool each time.

 
Average of ratings: -
Picture of Kevin Wiliarty
Re: HTTP to HTTPS converter for external content
Group DevelopersGroup Testers

Is my understanding correct that a filter would miss URL resources set to display as embedded content? It seems to me that the external URL is not exposed to a filter in that case.

 
Average of ratings: -
Picture of John Okely
Re: HTTP to HTTPS converter for external content
Group DevelopersGroup Moodle HQGroup Testers

A filter could modify the embedded url, if it was programmed to do so. But it would not be able to change the url in the URL resource's settings. Only the admin tool could achieve that.

 
Average of ratings: -
Picture of Kevin Wiliarty
Re: HTTP to HTTPS converter for external content
Group DevelopersGroup Testers

My attempt to write such a filter succeeded in influencing the intro contents of a URL resource -- so I know it is working -- but did not affect the value of the URL itself that was used to build the iframe markup. Looking at /mod/url/locallib.php I can see where some of the settings are being passed through filtering, but I can't see where $exteurl gets filtered. Is there some way, from within the filter (without hacking mod_url) to invoke a filter on that value?

I've tried the filter you proposed in connection with MDL-46296 and while it will modify an iframe src that is added to a textarea, it does not modify the "External URL" value for an embedded URL resource. I know that it won't change the setting, but it seems not to filter it, either.

 
Average of ratings: -
Picture of John Okely
Re: HTTP to HTTPS converter for external content
Group DevelopersGroup Moodle HQGroup Testers

In that case, perhaps a tool like enovation's would help? It could modify the external tool URL in the database.

 
Average of ratings: -