Details
-
Bug
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
2.7.1, 2.7.5, 2.8.3
-
MOODLE_27_STABLE, MOODLE_28_STABLE
-
MOODLE_27_STABLE, MOODLE_28_STABLE
-
MDL_47085_master
-
Description
Up to now, Moodle has been running at our university for four years with allow_url_fopen turned off in the PHP configuration for security reasons. Recently, we have activated the Badge module and now we have a problem.
Replication steps:
- Disable allow_url_fopen in PHP
- Create a badge and issue this badge to a user A in Moodle
- Login as this user A
- Go to /badges/mybadges.php
- Try to download this badge to your computer
Result:
You should get a corrupt file which contains an error message like:
<br />
<b>Warning</b>: readfile(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 in <b>/var/www/html/moodle_dev/badges/badge.php</b> on line <b>44</b><br />
<br />
<b>Warning</b>: readfile(https://your-moodle.com/pluginfile.php/1978/badges/userbadge/18/648f08190003a2a7f50b02f3292a28c4f9a020a7?forcedownload=1): failed to open stream: no suitable wrapper could be found in <b>/var/www/html/moodle_dev/badges/badge.php</b> on line <b>44</b><br />
Expected result:
The badge should be correctly downloaded.
Is it possible to code the badge download mechanism without the need for allow_url_fopen=on?
I assume, but am not sure, that the problem is caused by the readfile() function being called with a FQDN URL instead of only a local file path.
I marked this as security problem as it affects the webserver's security settings.