Moodle
  1. Moodle
  2. MDL-21992

Custom Scripts doesn't work with HTTPS (SSL)

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 1.9.8, 2.0, 2.2.1
    • Fix Version/s: 2.2.2, 2.3
    • Component/s: General, Libraries
    • Labels:
      None
    • Environment:
      Moodle with loginhttps turned on
    • Rank:
      5917

      Description

      Here is an illustrative example:

      • The first thing almost any moodle script does is require config.php. This one then requires lib/setup.php, which, almost in the end, calls custom_script_path() (that is defined in lib/moodlelib.php) because you are using custom scripts. Inside custom_script_path() we can see a call to qualifie_me(), that tests if the server has https enabled (testing $_SERVER['HTTPS']) nad returns a URL beginning with "https://" if true and beginning with "http://" otherwise. This url is tested against $CFG->wwwroot, because at this point we don't have $CFG->httpswwwroot , because the function httpsrequired() is called by each script only after requiring the needed libraries. As we are using "https"-beginning URLs, the check fails, the function returns false and the custom script is not imported.

      Looking more carefully at the function custom_script_path(), i think i shouldn't care about the URL. It just need to know which script is being called (that can be acquired with the function me() instead of qualified_me()) , concatenate it after $CFG->customscripts and proceed with the othe checks. This also removes the need for the param $urlpath, also because this function is called on in lib/setup.php . Above is the patch to do this.

      diff --git a/lib/moodlelib.php b/lib/moodlelib.php
      index bc6b22d..4a9f599 100644
      --- a/lib/moodlelib.php
      +++ b/lib/moodlelib.php
      @@ -8318,25 +8318,13 @@ function object_property_exists( $obj, $property ) {
       /**
        * Detect a custom script replacement in the data directory that will
        * replace an existing moodle script
      - * @param string $urlpath path to the original script
        * @return string full path name if a custom script exists
        * @return bool false if no custom script exists
        */
      -function custom_script_path($urlpath='') {
      +function custom_script_path() {
           global $CFG;
       
      -    // set default $urlpath, if necessary
      -    if (empty($urlpath)) {
      -        $urlpath = qualified_me(); // e.g. http://www.this-server.com/moodle/this-script.php
      -    }
      -
      -    // $urlpath is invalid if it is empty or does not start with the Moodle wwwroot
      -    if (empty($urlpath) or (strpos($urlpath, $CFG->wwwroot) === false )) {
      -        return false;
      -    }
      -
      -    // replace wwwroot with the path to the customscripts folder and clean path
      -    $scriptpath = $CFG->customscripts . clean_param(substr($urlpath, strlen($CFG->wwwroot)), PARAM_PATH);
      +    $scriptpath = $CFG->customscripts . clean_param(me(), PARAM_PATH);
       
           // remove the query string, if any
           if (($strpos = strpos($scriptpath, '?')) !== false) {
      
      1. login.tgz
        3 kB
        Daniel Neis
      2. mdl21992.diff
        1 kB
        Daniel Neis
      3. mdl-21992.patch
        1 kB
        Anthony Borrow
      4. mdl21992.v2.diff
        1 kB
        Daniel Neis
      1. var_dump.png
        201 kB

        Activity

        Hide
        Anthony Borrow added a comment -

        Daniel - Could you upload the patch file and also a sample custom script that we could use for testing purposes. I just want to make sure we are looking at the same thing. Peace - Anthony

        Show
        Anthony Borrow added a comment - Daniel - Could you upload the patch file and also a sample custom script that we could use for testing purposes. I just want to make sure we are looking at the same thing. Peace - Anthony
        Hide
        Daniel Neis added a comment -

        Hello,

        i have attached the patch (mdl21992.diff) and a sample customscript , that is for moodle/login/forgot_password . This custom script shows a different message to the user and asks just for the username instead of username + email. Hope you can test things with this =)

        Show
        Daniel Neis added a comment - Hello, i have attached the patch (mdl21992.diff) and a sample customscript , that is for moodle/login/forgot_password . This custom script shows a different message to the user and asks just for the username instead of username + email. Hope you can test things with this =)
        Hide
        Anthony Borrow added a comment -

        Daniel - I am trying to better understand your patch but I may just be misunderstanding customscripts. Here is what I have:

        $CFG->customscripts = '/moodle/data/19stable/custom';

        I have created a /moodle/data/19stable/custom/course/view.php flle with a simple echo in it that should be required when the normal course/view.php is called.

        However, with the patch you have provided I get a scriptpath of:

        '/moodle/data/19stable/custom/netbeans/19stable/moodle/course/view.php?id=3'

        instead of what I would have expected namely

        /moodle/data/19stable/custom/course/view.php

        I'm off to a meeting but it is not working as I would have expected. Peace - Anthony

        Show
        Anthony Borrow added a comment - Daniel - I am trying to better understand your patch but I may just be misunderstanding customscripts. Here is what I have: $CFG->customscripts = '/moodle/data/19stable/custom'; I have created a /moodle/data/19stable/custom/course/view.php flle with a simple echo in it that should be required when the normal course/view.php is called. However, with the patch you have provided I get a scriptpath of: '/moodle/data/19stable/custom/netbeans/19stable/moodle/course/view.php?id=3' instead of what I would have expected namely /moodle/data/19stable/custom/course/view.php I'm off to a meeting but it is not working as I would have expected. Peace - Anthony
        Hide
        Anthony Borrow added a comment -

        p.s. - part of my question is whether the custom scripts should be on the webserver or in data. The comments for custom_script_path function indicate data. Thanks for helping me to understand how this works.

        Show
        Anthony Borrow added a comment - p.s. - part of my question is whether the custom scripts should be on the webserver or in data. The comments for custom_script_path function indicate data. Thanks for helping me to understand how this works.
        Hide
        Daniel Neis added a comment -

        Hello, Anthony

        i am using

        $CFG->customscripts = '/home/daniel/public_html/moodle_customscripts';
        

        in my config.php file. Don't really know if i should use full path. This directory is not visible by url.

        Show
        Daniel Neis added a comment - Hello, Anthony i am using $CFG->customscripts = '/home/daniel/public_html/moodle_customscripts'; in my config.php file. Don't really know if i should use full path. This directory is not visible by url.
        Hide
        Anthony Borrow added a comment -

        Daniel - As best I can tell, your patch does not work. Here is what I get with the patch:

        '/moodle/data/19stable/custom/netbeans/19stable/moodle/course/view.php'

        without the patch here is what I get:

        '/moodle/data/19stable/custom/course/view.php'

        keeping in mind that in my config.php I have:

        $CFG->customscripts = '/moodle/data/19stable/custom';

        Show
        Anthony Borrow added a comment - Daniel - As best I can tell, your patch does not work. Here is what I get with the patch: '/moodle/data/19stable/custom/netbeans/19stable/moodle/course/view.php' without the patch here is what I get: '/moodle/data/19stable/custom/course/view.php' keeping in mind that in my config.php I have: $CFG->customscripts = '/moodle/data/19stable/custom';
        Hide
        Daniel Neis added a comment -

        Hello, Anthony

        sorry for the non-woking patch.

        Here is a patch that works on my machine, with loginhttps set to true or false, and accessing via https and http, with my CFG->wwwroot = HTTP://mymachine

        In this patch i rely on $_SERVER['SCRIPT_FILENAME'] to get the paths, don't really know if it is not a secure practice.

        By the way, here are some analysis of the problem (for moodle stable code):

        • Aapache is configured to listen in port 443, to use https
        • Moodle is configured loginhttps to true
        • Moodle has $CFG->wwwroot = HTTP://mymachine
        • Moodle has $CFG->customscripts = /home/daniel/public_html/customscripts

        I have a custom script to at /home/daniel/public_html/customscripts/login/forgot_password.php , but when i try to access HTTPS://mymachine/login/forgot_password.php my customscript is not loaded. When i change my $CFG->wwwroot to HTTPS://mymachine, it works.

        Show
        Daniel Neis added a comment - Hello, Anthony sorry for the non-woking patch. Here is a patch that works on my machine, with loginhttps set to true or false, and accessing via https and http, with my CFG->wwwroot = HTTP://mymachine In this patch i rely on $_SERVER ['SCRIPT_FILENAME'] to get the paths, don't really know if it is not a secure practice. By the way, here are some analysis of the problem (for moodle stable code): Aapache is configured to listen in port 443, to use https Moodle is configured loginhttps to true Moodle has $CFG->wwwroot = HTTP://mymachine Moodle has $CFG->customscripts = /home/daniel/public_html/customscripts I have a custom script to at /home/daniel/public_html/customscripts/login/forgot_password.php , but when i try to access HTTPS://mymachine/login/forgot_password.php my customscript is not loaded. When i change my $CFG->wwwroot to HTTPS://mymachine, it works.
        Hide
        Anthony Borrow added a comment -

        Daniel - Rather than changing the workings of the function, as I am not sure completely how folks were imagining it to work, I would simply handle the exceptions a little more carefully. Attached is a patch, probably not the cleanest but will at least show what I am thinking that should work for you. Peace - Anthony

        Show
        Anthony Borrow added a comment - Daniel - Rather than changing the workings of the function, as I am not sure completely how folks were imagining it to work, I would simply handle the exceptions a little more carefully. Attached is a patch, probably not the cleanest but will at least show what I am thinking that should work for you. Peace - Anthony
        Hide
        Anthony Borrow added a comment -

        Daniel - I have tested your second patch and it does not work as intended either. You are presuming that the script is located in the same physical location as webroot (whether it is accessible or not to the web server). Instead of using my $CFG->customscripts it is merely using the path of $CFG->wwwroot which is not the intention as I understand it. Peace- Anthony

        p.s.

        a var_dump($scriptpath) produces /var/www/netbeans/19stable/moodle/login/index.php instead of /moodle/data/19stable/custom/login/index.php

        Show
        Anthony Borrow added a comment - Daniel - I have tested your second patch and it does not work as intended either. You are presuming that the script is located in the same physical location as webroot (whether it is accessible or not to the web server). Instead of using my $CFG->customscripts it is merely using the path of $CFG->wwwroot which is not the intention as I understand it. Peace- Anthony p.s. a var_dump($scriptpath) produces /var/www/netbeans/19stable/moodle/login/index.php instead of /moodle/data/19stable/custom/login/index.php
        Hide
        Anthony Borrow added a comment -

        I'm lowering the priority of this issue. It is really not a blocker and the workaround would be to change $CFG->wwwroot to use https so that everything is being run over https. This really only impacts pages that get re-written from http to https for login purposes. It is not likely to be an issue for many folks but I would be happy to walk them through getting things working. Peace - Anthony

        Show
        Anthony Borrow added a comment - I'm lowering the priority of this issue. It is really not a blocker and the workaround would be to change $CFG->wwwroot to use https so that everything is being run over https. This really only impacts pages that get re-written from http to https for login purposes. It is not likely to be an issue for many folks but I would be happy to walk them through getting things working. Peace - Anthony
        Hide
        Daniel Neis added a comment -

        Hello, Anthony

        don't know why my patch doesn't work for you.
        What it does is replace CFG->dirrot with CFG->customscripts in _SERVER['SCRIPT_FILENAME'] .

        Here is the funcion with a var_dump:

        8331 function custom_script_path($urlpath='') {
        8332     global $CFG;
        8333 
        8334     $scriptpath = str_replace($CFG->dirroot, $CFG->customscripts, $_SERVER['SCRIPT_FILENAME']);
        8335     var_dump($CFG->dirroot, $CFG->customscripts, $_SERVER['SCRIPT_FILENAME'], $scriptpath);
        8336 
        8337     // check the custom script exists
        8338     if (file_exists($scriptpath)) {
        8339         return $scriptpath;
        8340     } else {
        8341         return false;
        8342     }
        8343 }
        

        and the output at login/index.php:

        string '/home/daniel/public_html/moodle' (length=31)
        
        string '/home/daniel/customscripts' (length=26)
        
        string '/home/daniel/public_html/moodle/login/index.php' (length=47)
        
        string '/home/daniel/customscripts/login/index.php' (length=42)
        

        and at index.php:

        string '/home/daniel/public_html/moodle' (length=31)
        
        string '/home/daniel/customscripts' (length=26)
        
        string '/home/daniel/public_html/moodle/index.php' (length=41)
        
        string '/home/daniel/customscripts/index.php' (length=36)
        

        in both i am using CFG->customscripts = '/home/daniel/customscripts/index.php'

        Show
        Daniel Neis added a comment - Hello, Anthony don't know why my patch doesn't work for you. What it does is replace CFG->dirrot with CFG->customscripts in _SERVER ['SCRIPT_FILENAME'] . Here is the funcion with a var_dump: 8331 function custom_script_path($urlpath='') { 8332 global $CFG; 8333 8334 $scriptpath = str_replace($CFG->dirroot, $CFG->customscripts, $_SERVER['SCRIPT_FILENAME']); 8335 var_dump($CFG->dirroot, $CFG->customscripts, $_SERVER['SCRIPT_FILENAME'], $scriptpath); 8336 8337 // check the custom script exists 8338 if (file_exists($scriptpath)) { 8339 return $scriptpath; 8340 } else { 8341 return false; 8342 } 8343 } and the output at login/index.php: string '/home/daniel/public_html/moodle' (length=31) string '/home/daniel/customscripts' (length=26) string '/home/daniel/public_html/moodle/login/index.php' (length=47) string '/home/daniel/customscripts/login/index.php' (length=42) and at index.php: string '/home/daniel/public_html/moodle' (length=31) string '/home/daniel/customscripts' (length=26) string '/home/daniel/public_html/moodle/index.php' (length=41) string '/home/daniel/customscripts/index.php' (length=36) in both i am using CFG->customscripts = '/home/daniel/customscripts/index.php'
        Hide
        Anthony Borrow added a comment -

        Daniel - Your patch works for you only because both customscripts and dirroot are the same. Your patch does not work for me because mine are different. I have the following in my config.php which is possible (and from what I read how it is intended to be used by others). So we cannot assume that they will be the same.

        $CFG->dirroot = '/home/arborrow/NetBeansProjects/19stable/moodle';
        $CFG->dataroot = '/moodle/data/19stable';
        $CFG->customscripts = '/moodle/data/19stable/custom';

        Have you been able to try my patch and see if that works for you?

        Peace - Anthony

        Show
        Anthony Borrow added a comment - Daniel - Your patch works for you only because both customscripts and dirroot are the same. Your patch does not work for me because mine are different. I have the following in my config.php which is possible (and from what I read how it is intended to be used by others). So we cannot assume that they will be the same. $CFG->dirroot = '/home/arborrow/NetBeansProjects/19stable/moodle'; $CFG->dataroot = '/moodle/data/19stable'; $CFG->customscripts = '/moodle/data/19stable/custom'; Have you been able to try my patch and see if that works for you? Peace - Anthony
        Hide
        Daniel Neis added a comment -

        Hello, Anthony

        i am attaching a file (var_dump.png) to show you that my patch really works for any directory.

        I put customscripts at /media/arquivos/customscripts , that is not only another path bu another filesystem, and here is the result.

        I didn't test your patch yet, because, no offenses, i don't really think it is the right way to do things. I think custom scripts should not rely on the url ...

        Show
        Daniel Neis added a comment - Hello, Anthony i am attaching a file (var_dump.png) to show you that my patch really works for any directory. I put customscripts at /media/arquivos/customscripts , that is not only another path bu another filesystem, and here is the result. I didn't test your patch yet, because, no offenses, i don't really think it is the right way to do things. I think custom scripts should not rely on the url ...
        Hide
        Anthony Borrow added a comment -

        Daniel - No offense taken, I generally try to change as little as possible with patches so I will let Moodle HQ determine which patch seems most appropriate. I did not look too closely at your but I was concerned that it was using $_SERVER['SCRIPT_FILENAME'] which I am not sure if it behaves the same on all webservers (Apache, IIS, etc.) so there may be some webserver compatibility issues (or there may not but it would need to be tested. I searched and noticed something in /lib/typo3/class.t3lib_div.php which you may want to look at but the lack of its use in Moodle is something you may want to consider. Peace - Anthony

        Show
        Anthony Borrow added a comment - Daniel - No offense taken, I generally try to change as little as possible with patches so I will let Moodle HQ determine which patch seems most appropriate. I did not look too closely at your but I was concerned that it was using $_SERVER ['SCRIPT_FILENAME'] which I am not sure if it behaves the same on all webservers (Apache, IIS, etc.) so there may be some webserver compatibility issues (or there may not but it would need to be tested. I searched and noticed something in /lib/typo3/class.t3lib_div.php which you may want to look at but the lack of its use in Moodle is something you may want to consider. Peace - Anthony
        Hide
        Daniel Neis added a comment -

        This is still valid for 2.0 RC1

        Show
        Daniel Neis added a comment - This is still valid for 2.0 RC1
        Hide
        Petr Škoda added a comment - - edited

        Thanks a lot for the report and patch proposals.

        I have used $SCRIPT global which was designed for this kind of problems, it should fix problems with CLI scripts too.

        Ciao

        Show
        Petr Škoda added a comment - - edited Thanks a lot for the report and patch proposals. I have used $SCRIPT global which was designed for this kind of problems, it should fix problems with CLI scripts too. Ciao
        Hide
        Aparup Banerjee added a comment -

        cool, this has been integrated and is ready for testing.

        Show
        Aparup Banerjee added a comment - cool, this has been integrated and is ready for testing.
        Hide
        Michael de Raadt added a comment -

        Test result: success

        I might add some more to the docs for custom scripts. That was very lacking.

        Show
        Michael de Raadt added a comment - Test result: success I might add some more to the docs for custom scripts. That was very lacking.
        Hide
        Eloy Lafuente (stronk7) added a comment -

        This is now available in the git and cvs repositories.

        Consider the responsibility of your fingerprints engraved there for future generations!

        Thanks for the work, closing, ciao

        Show
        Eloy Lafuente (stronk7) added a comment - This is now available in the git and cvs repositories. Consider the responsibility of your fingerprints engraved there for future generations! Thanks for the work, closing, ciao

          People

          • Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: