Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-37560

File areas ignore the setting $CFG->maxbytes

    XMLWordPrintable

    Details

    • Affected Branches:
      MOODLE_24_STABLE

      Description

      While copying a file to your Private Files, if we hack $maxbytes in repository_ajax.php (MDL-36448), then it is possible to upload a file which is greater than $maxbytes but smaller than $CFG->userquota. And this means that any area over Moodle do not respect $CFG->maxbytes properly.

      The reason is that in between defining the initial $maxbytes for the File Manager and saving the information in file_save_draft_area_files() there is no check for what should be $maxbytes according to the settings. In repository_ajax.php this check is made by using get_user_max_upload_file_size().

      Please note that while fixing this, file references should not be affected by any *bytes limitations (areamaxbytes, maxbytes).

      To replicate

      • Apply the following to repository_ajax.php

        $maxbytes = -1; // get_user_max_upload_file_size($context, $CFG->maxbytes, $coursemaxbytes, $maxbytes);
        

      • Set the setting maxbytes to something small
      • Go to your privates files
      • Visit Dropbox and upload a file greater than the maxbytes
      • Validate the form

      Expected

      • The file disappears

      Actual

      • The file is uploaded and accessible in your Private Files

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                fred Frédéric Massart
                Participants:
                Component watchers:
                Matteo Scaramuccia, Jake Dallimore, Jun Pataleta, Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated: