Lately there have been some malicious attacks on many sites using Moodle.
Users are uploading .exe files as attachments to different modules, for example
Other users click the attached .exe file and that file turns out to be a trojan.
The same is happening with other executable file types like .js, even though of course those aren't trojans; they just contain other, less malicious code.
Also, those users keep uploading .php, because it's possible, but it looks like Moodle takes actions to disable the option for them to be executed on the server.
In the code I see that Moodle's default allowed file type is '*'.
Seems like a security hole.
I think this is the known vulnerability of it:
Was this addressed in the code of Moodle 3.5?
Is there a patch for it for Moodle 3.1.x and later?
If Moodle didn't fix this and doesn't intend to, where is the best place in the code for me to change this so that, no matter what, no user will be able to add an .exe file?
I don't intend to rely on Clam antivirus or Imperva or any other layer of protection to keep me safe.
I have to change this at the code level.