Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-53602

The method repository::prepare_file() may return a path, not a file

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.9.5, 3.0.3
    • Fix Version/s: None
    • Component/s: Repositories
    • Labels:
    • Affected Branches:
      MOODLE_29_STABLE, MOODLE_30_STABLE

      Description

      I discovered this while investigating MDL-50735. Basically I crafted a URL to hit the get_file method of the upload repository. Then because the default argument of get_file is an empty filename, it is passed to prepare_file which does not bother generating a file name and thus returns a path. That path is passed to curl which complains.

      {"error":"An error occurred while downloading the file: Cannot write to file ([localcachedir]\/f3c4fdf9-f539-49c2-b97f-5e2f122b1cba\/8c4afc0a-1f0a-42e6-ab67-1331b853fdd4\/)","stacktrace":"* line 1673 of \/repository\/lib.php: moodle_exception thrown\n* line 278 of \/repository\/repository_ajax.php: call to repository->get_file()\n","debuginfo":"\nError code: errorwhiledownload","reproductionlink":"http:\/\/fmc.per.in.moodle.com\/sm\/"}
      

      This is the curl command:

      curl 'http://fmc.per.in.moodle.com/sm/repository/repository_ajax.php?action=download' -H 'Host: fmc.per.in.moodle.com' -H 'Cookie: MoodleSession=fjdhfuf1e4gtttd598mak3iu05;' --data 'file=a&repo_id=3&p=&page=&env=filemanager&sesskey=1nLhogQLGt&client_id=&itemid=&maxbytes=134217728&areamaxbytes=-1&ctx_id=5&source=https://google.com'
      

      I am not sure if this scenario can be hit without manipulating the URL, but it could affect any code using get_file() or prepare_file().

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                fred Frédéric Massart
                Participants:
                Component watchers:
                Adrian Greeve, Mihail Geshoski, Peter Dias
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: