FlowPlayer recent changes for MDL-48085 and Moodle 2.7 problems


by Sergio Rabellino -
After the last update to Moodle 2.7.11, the flv playing with the flowplayer has completely stopped working.
The error in the browser is a 404 in getting /lib/flowplayer/flowplayer-3.2.18.swf.php and the moodle page is composed without the player.
I did some debugging and the 404 is fired by the following lines:

    if (!empty($_GET) or !empty($_POST) or !empty($_REQUEST)) {
        header("HTTP/1.1 404 Not Found");
        die;
    }

in the newly introduced file lib.php of the flowplayer tool. The corresponding MDL-48085 could not be viewed in the tracker, so I can't figure out why this code is there, but I know that, removing it, the flv video plays correctly.
In my debugging session, I've found that $_GET and $_POST are empty arrays (so no problems) but $_REQUEST is filled with the cookies, primarily the MoodleSession, but also some Google Analytics ones.

Maybe I've something wrong somewhere (some hints?), but can these checks on input params be substituted by these lines?

    unset($_GET);
    unset($_POST);
    unset($_REQUEST);

which clean up these params before serving the flash?

Thanks in advance.
In reply to Sergio Rabellino

Re: FlowPlayer recent changes for MDL-48085 and Moodle 2.7 problems

by Petr Skoda -
Ah, my fault, this is caused by the cookies. Just remove the $_REQUEST from the if, but do not touch the _GET. Thanks for the debugging info.

Workaround is to use the recommended "request_order=GP" in your PHP.ini
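
Added example, not part of the original posts and not Moodle's code: a PHP sketch of the behaviour discussed above. It models how $_REQUEST is filled from request_order (PHP falls back to variables_order, commonly "EGPCS", when request_order is unset) and compares the guard quoted in the first post with the version that no longer checks $_REQUEST. The function names and all sample values are constructed for illustration.

```php
<?php
// Added illustration with hypothetical helper names; sample data is constructed.

// Model of how PHP builds $_REQUEST: sources named in the order string are
// merged left to right, later ones overriding earlier ones.
// G = GET, P = POST, C = cookies; other letters (E, S) do not feed $_REQUEST.
function build_request(string $order, array $get, array $post, array $cookie): array {
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Guard as quoted in the first post: any non-empty array means 404.
function original_guard_blocks(array $get, array $post, array $request): bool {
    return !empty($get) || !empty($post) || !empty($request);
}

// Guard after the change suggested in the reply: $_REQUEST is not consulted,
// the $_GET and $_POST checks stay.
function fixed_guard_blocks(array $get, array $post): bool {
    return !empty($get) || !empty($post);
}

// Constructed cookies of the kind described in the thread.
$cookie = ['MoodleSession' => 'constructed-session-id', '_ga' => 'constructed-value'];

// Constructed requests: [GET parameters, POST parameters].
$cases = [
    'plain request, no parameters' => [[], []],
    'request with a query string'  => [['x' => '1'], []],
];

foreach (['GP', 'EGPCS'] as $order) {
    foreach ($cases as $label => [$get, $post]) {
        $request = build_request($order, $get, $post, $cookie);
        printf("order=%-5s %-30s original=%-6s fixed=%s\n", $order, $label,
            original_guard_blocks($get, $post, $request) ? '404' : 'served',
            fixed_guard_blocks($get, $post) ? '404' : 'served');
    }
}
```

With an order that includes C, the original guard answers 404 even for the plain request because the session cookie alone makes $_REQUEST non-empty; the changed guard serves that request under both settings and still rejects the one carrying parameters.
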
In reply to Petr Skoda

Re: FlowPlayer recent changes for MDL-48085 and Moodle 2.7 problems

by Sergio Rabellino -

I can confirm that the code change solves the missing videos in page.

Can I suggest using in these cases other HTTP error codes, like 400 (bad parameters) instead of 404 (file not found)? Initially I didn't understand why the file was "missing" in the web server, and instead it was there in the correct directory, without messages about it in the Apache error_log.


Bye.


In reply to Petr Skoda

Re: FlowPlayer recent changes for MDL-48085 and Moodle 2.7 problems

by Fred Woolard -

Petr, I've been trying to learn more about the issue prompting the change, and checking this document I have to ask, was there really an issue that needed a fix, given the way FlowPlayer is used in Moodle? And, again, I don't know enough to determine whether it's relevant, but FlowPlayer uses ActionScript 3 (according to its site)--doesn't that mitigate the threat also?