1) Setup config to allow only certain files
php admin/cli/cfg.php --name='allowedfiletypes' --set='png, pdf'
- Download the attached zip file MDL-54716_Testing, and extract it, for use with testing this tracker.
Test uploading files with drag and drop
2) Visit /user/files.php
- Verify that there is text underneath the drag and drop box stating 'Accepted file types:'
- Verify that the only allowed types are 'Image (PNG)' and 'PDF Document'
- Attempt to drag and drop the blank.txt document from the extracted zip download.
- Verify that a popup states 'Text file filetype cannot be accepted'
- Close the window, and verify that the file is not inside of the draft area
- Drag in the test.pdf file.
- Verify that the file uploads to the draft area.
- Click 'Save Changes' and submit the page.
- Verify that the file just uploaded is still in the files area.
- Attempt to drag and drop the emptyextension file.
- Verify that there is an error message 'File filetype cannot be accepted.'.
- Verify that the pdf is still the only file in the testing area.
- This shows that files with an empty extension are correctly handled by being denied.
Test uploading files with filepicker
3) Visit /user/files.php
- Click the 'Add' button in the top of the files window.
- Click on 'Upload a file'
- Browse to the blank.txt document from step 2
- Click 'Upload this file'
- Verify that you get the same error message as in Step 2 'Text file filetype cannot be accepted'
- Close the filepicker
- Verify that the blank.txt file is not in the files area
Test uploading from editor
4) Visit /user/editadvanced.php?id=2 to edit the Admin profile
- Go to the editor window for 'Description'
- Click 'Image' in the editor bar, then click 'Browse repositories'
- Click Upload a file, and browse to the test.png file, and attempt to upload the file.
- Tick 'Description not necessary', then click 'Save image', and verify that the image is now embedded in the description.
- Click again on image, and attempt to upload the test.jpg file.
- Verify that you receive an error message, stating 'Image (JPEG) filetype cannot be accepted'
- This shows that the restrictions are being applied on top of the 'web_image' type restrictions that already existed, which allows both PNG and JPG
5) Remain in the Description editor of the profile page
- Click 'Insert H5P' inside the editor bar.
- Click Browse repositories
- Verify that no repositories are listed.
- Verify there is a message stating 'Sorry, none of your current repositories can return files in the required format.'
- Close this message
- In a terminal, set the config to allow .h5p items.
php admin/cli/cfg.php --name='allowedfiletypes' --set='png, pdf, h5p'
- Reload the profile page
- Attempt to add a H5P to the editor again.
- Verify that repositories now appear.
- Click on upload a file
- Attempt to upload a .png file.
- Verify there is an error message stating 'Image (PNG) filetype cannot be accepted.'
- This shows that the restriction on the filetype still doesn't allow non-h5p files.
- Attempt to upload the blank.h5p file.
- Verify that you are able to upload and save the H5P, and a placeholder H5P element is embedded in the description.
- This means the file passed the file extension check.
- Delete the H5P placeholder element.
6) Remain in the Description editor of the profile page
- Click on Manage Files
- Verify that the file manager states all the filetypes that can be accepted, H5P, PNG and PDF.
Test filemanager with restrictions already applied
7) Go to the User Picture section of the profile
- Verify that the file manager has text underneath stating that the only accepted type is Image (PNG).
- This shows that the previous restriction, 'all web images' is now being further restricted, but PDFs still aren't allowed.
- Attempt to drag and drop the test.jpg file to the file area.
- Verify you receive an error 'Image (JPEG) filetype cannot be accepted'.
- Drop in a test.png file.
- Verify it uploads correctly.
- Click 'Update Profile' and revisit the page.
- Verify the User picture is now the uploaded test.png.
Test assignment upload with restrictions in place.
8) Visit the Assignment File submission settings page /admin/settings.php?section=assignsubmission_file#
- Set the 'filetypes' control to 'image, video, pdf'.
- Click save changes, and verify that underneath the control there is now a list of all image file extensions, video file extensions, and PDF documents.
- Visit /course/edit.php?category=0
- Fill in the course creation form with dummy data.
- Visit the course just created.
- Turn on editing mode.
- Click on 'Add an activity or resource' inside any section.
- Add a new assignment mod
- Fill in the assignment with dummy data
- Create a test user, and enrol them in the test course just created.
- Login as the test user, and attempt to make a submission for the assignment just created.
- Verify that the file types accepted are 'Image (PNG)' and 'PDF Document'.
- Now edit the assignment settings again, and set the allowed filetypes control to empty.
- Log back in as the test user, and attempt to make a submission for the assignment.
- Verify that the file types accepted are 'Image (PNG)', 'PDF Document' and .H5P
- This shows that the file restrictions work with both broad types (image) and specific types (pdf), and combine with the other restrictions in force.
Test uploading archive and unzipping banned filetypes
9) Add .zip to the list of filetypes allowed, and remove .png
php admin/cli/cfg.php --name='allowedfiletypes' --set='zip'
- Log back in as the admin user (or whichever account was in use before).
- Go to /user/files.php
- Delete any files present from earlier steps.
- Upload the provided test.zip file.
- Click on the zip file in the draft area, then click unzip in the popup.
- Verify that a PNG has been extracted into the draft area.
- Click 'Save changes' at the bottom of the page.
- Verify that there is validation text underneath the file area 'Some files (test.png) cannot be uploaded. Only file types of .zip are allowed'
Test that filelib will drop files after validation
10) As a defence against any missed attack vectors, filelib will drop any illegal files when attempting to save them.
- With the .zip still extracted and inside the file area, edit the file /lib/form/filemanager.php
- In the function validateSubmitValue, immediately return:
public function validateSubmitValue($value) {
    return;

    if (empty($value)) {
    ...
- Click 'Save changes' on the files page.
- Verify that validation now passes.
- Verify that the extracted PNG file was not saved, and that the only file in the draft area is the test.zip file.
- Verify that there is an error notification on the page, stating 'A file was unable to be saved due to a forbidden file type.'
- Remove the added return line in lib/form/filemanager.php, so the function reads as before:
public function validateSubmitValue($value) {
    if (empty($value)) {
    ...
Test that filegroup restrictions work
11) Visit the Site Security Settings at /admin/settings.php?section=sitepolicies
- Go to 'Allowed upload file types'
- Click 'Choose'
- Untick .zip, and tick 'Image files used on the web'
- Click save changes on the chooser, then save changes on the settings page.
- Visit /user/files.php
- Verify that the accepted file types now show 2 groups: 'Image files to be optimised, such as badges' and 'Image files used on the web'.
- These are the groups that are completely selected, as the optimised images are a subset of web images group.
- Attempt to drag and drop the blank.txt file onto the file area.
- Verify the error message 'Text file filetype cannot be accepted.'
- This shows that file categories are also functional inside the admin settings.
Test that drag and drop inside courses is restricted
12) Visit the test course you created earlier /course/view.php
- Enter editing mode from the cog menu.
- Attempt to drag and drop the test.png file onto the header section of the course, where 'Add file(s) here' appears.
- Verify the file is correctly embedded inside the course.
- Click on the file.
- Verify you are sent to mod/resource/view.php for the file you just uploaded.
- Go back in your browser, to the course page.
- Attempt to drag and drop the blank.txt document onto the header section.
- Verify that the add section now reads 'The file could not be uploaded, filetype is not accepted. Please try a different file.'
- Verify that the blank.txt is not present on the page.
- Attempt to drag and drop the test.png file onto the page again.
- Verify that the error message disappears and is replaced with the 'Add files' text again.
- Drop the png onto the page again.
- Verify the upload is successful as before.
Test the Collapse of files into groups at display time
13) Expand the whitelist to some file types that fall into a group, and some that do not.
php admin/cli/cfg.php --name='allowedfiletypes' --set='.pdf,.bmp,.gif,.jpe,.jpeg,.jpg,.pct,.pic,.pict,.png,.ai,.svg,.svgz,.h5p'
14) Visit user/files.php
- Verify that there are some groups for images: 'Image files to be optimised, such as badges', 'Image files used on the web'.
- Verify that there are file overlaps between the two groups, e.g. .gif correctly appears in both.
- Verify that other image types that are not part of the above groups are collapsed into a generic 'Image' group, with types '.ai .bmp .pct .pic .pict'
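As an added illustration (not Moodle's own code) of the behaviour the steps above check: the site-wide whitelist intersected with a form's own restriction (step 7 and 8), the refusal of a file with no extension (step 2), the step 9 validation message for an unzipped archive, and the collapse of allowed extensions into groups at display time (steps 11 and 14). The GROUPS table and its group names are constructed for this example and are not Moodle's type registry.

```python
# Added example, not Moodle code: a model of the allowed-upload-type checks the
# steps above exercise. GROUPS is a constructed stand-in for Moodle's registry.
GROUPS = {  # group name -> extensions (lower case, no leading dot); constructed
    "optimised_image": {"gif", "jpg", "jpeg", "png"},
    "web_image": {"gif", "jpg", "jpeg", "png", "svg"},
    "image": {"ai", "bmp", "gif", "jpg", "jpeg", "pct", "png", "svg"},
    "video": {"mp4", "webm"},
}

def expand(spec):
    """'png, pdf', 'image, video, pdf' or '.pdf,.bmp' -> set of extensions.
    Group names expand to their members; an empty spec means no restriction."""
    exts = set()
    for token in spec.split(","):
        token = token.strip().lower().lstrip(".")
        if token:
            exts |= GROUPS.get(token, {token})
    return exts or None

def effective_allowed(*specs):
    """Site-wide whitelist combined with form-level restrictions. Every
    whitelist in force must admit the extension, so the result is their
    intersection (step 7: 'png, pdf' on top of web images leaves only png)."""
    allowed = None
    for spec in specs:
        exts = expand(spec)
        if exts is not None:
            allowed = exts if allowed is None else allowed & exts
    return allowed

def extension(filename):
    """Last dot-suffix of the base name; '' for 'emptyextension' or 'name.'."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""

def rejected(filenames, allowed):
    """Files the whitelist refuses; an empty extension is never whitelisted."""
    if allowed is None:
        return []
    return [f for f in filenames if extension(f) not in allowed]

def validation_message(filenames, allowed):
    """Form-level message of step 9 for a draft area holding an unzipped archive."""
    bad = rejected(filenames, allowed)
    if not bad:
        return ""
    types = " ".join("." + e for e in sorted(allowed))
    return f"Some files ({', '.join(bad)}) cannot be uploaded. Only file types of {types} are allowed"

def display_groups(allowed):
    """Steps 11 and 14: fully-allowed groups by name, leftover extensions singly."""
    covered = sorted(g for g, exts in GROUPS.items() if exts <= allowed)
    named = set().union(*(GROUPS[g] for g in covered))
    return covered, sorted(allowed - named)
```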