Hi, I'm wondering where I should put third party PHP libraries that my customized installation needs. Running on Apache and Ubuntu. The libraries don't necessarily have to be under html/ so I'd rather not have them there. Should I put them in moodledata/lib? Or /html/vendor or html/lib/vendor, which are hidden by rewrite rules?
Follow-on question, can we be confident that the rewrite rules given in Security recommendations will hide everything that doesn't need to be public in /lib/?
For Catalyst plugins, we use the folder ".extlib" to put these into. It's not an official guideline, but it allows us to have a rule to block all content within .extlib folders from being web accessible, e.g.:
https://github.com/catalyst/moodle-auth_saml2/tree/MOODLE_39_STABLE/.extlib
IDEA-75 is in the Moodle Roadmap for exploring a restructure of the codebase to allow for us to better control what code should be web-accessible, so it's possible that one day Moodle will allow us to control this a bit better.
When adding third-party PHP libraries to your setup, it’s ideal to keep them outside of the web-accessible `html/` directory for security. A common approach is to use a dedicated directory within your server, like `/var/www/vendor`, or within `moodledata` if it won’t interfere with Moodle’s data processing.
Avoid placing libraries in `html/lib` directly, as they could be exposed if rewrite rules fail. Instead, you could place them in a `vendor` directory protected by rewrite rules. If you need more guidance on structuring third-party libraries, check out best practices from Google on secure PHP deployments.
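One way to check the follow-on question (whether the deny rules really cover every third-party directory under the web root) is to walk the tree and list library files that no rule matches. This is an added example, not code from the thread or from Moodle: the deny patterns are assumed regex equivalents of whatever rules you configure in Apache, and the directory names and sample tree are constructed.

```python
import os
import re
import tempfile

# Assumed deny rules as regexes over the URL path; mirror your own Apache rules here.
DENY_PATTERNS = [
    re.compile(r"(^|/)\.extlib(/|$)"),  # the .extlib convention mentioned in the thread
    re.compile(r"(^|/)vendor(/|$)"),    # Composer-style vendor directories
]

def is_denied(url_path):
    """True if any deny pattern matches the URL path."""
    return any(p.search(url_path) for p in DENY_PATTERNS)

def exposed_files(webroot, library_dirs):
    """Return URL paths of files inside the named library directories
    that are not matched by any deny pattern."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        parts = [] if rel == "." else rel.split("/")
        if not any(part in library_dirs for part in parts):
            continue  # not inside a third-party library directory
        for name in filenames:
            url_path = "/" + "/".join(parts + [name])
            if not is_denied(url_path):
                exposed.append(url_path)
    return sorted(exposed)

def build_sample_tree(root):
    """Create a constructed web root with three library locations."""
    for rel in [
        "auth/example/.extlib/lib/Thing.php",
        "vendor/acme/pkg/src/Client.php",
        "lib/thirdparty/tool/cli.php",
        "index.php",
    ]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for path in exposed_files(root, {".extlib", "vendor", "thirdparty"}):
            print("not covered by any deny rule:", path)
```

The regexes only model the rules, so confirm the result against the live server by requesting one of the listed paths and checking that it is refused.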