  1. Moodle
  2. MDL-55049

Files uploaded via webservice/upload.php are not scanned for viruses


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1
    • Fix Version/s: 3.1.1
    • Component/s: Web Services
    • Labels:
    • Testing Instructions:

      Testing instructions are based on MDL-50887

      Setup

      1. Configure SMTP in Site administration ► Plugins ► Message outputs ► Email

      Testing plugin installation:
      1. Make sure ClamAV scanning is enabled and configured ('runclamonupload' is ticked and 'pathtoclam' is set to the ClamAV path).

      Enabling webservice upload:
      As admin, enable "Mobile services": Plugins ► Web Services ► Mobile

      1. Create a Token for one user:
        • Click on Site administration ► Plugins ► Web services ► Manage tokens

      Testing virus scanning:
      1. Try to upload a file that does not contain a virus via curl; the file should be uploaded successfully. (Replace the token value with the one you obtained previously.)

      curl -i -F name=test.pdf -F filedata=@/Users/juanleyvadelgado/Documents/fast "http://localhost/m/stable_master/webservice/upload.php?token=ffbe3a3002f235bf9d01fd9369e10b66&filearea=draft"

      2. Try to upload a file containing a virus via curl. This could be the EICAR test signature in a text file (see https://en.wikipedia.org/wiki/EICAR_test_file for details). You should get an exception on upload with a message that your file contains a virus and can't be uploaded.
      3. Go to the ClamAV settings, modify 'pathtoclam' so that it points to the wrong path, and set 'clamfailureonupload' to "Treat files as OK". Save settings.
      4. Try to upload any file; the file should be uploaded successfully. The admin should get an email notification that the antivirus is not configured correctly.
      5. Go to the ClamAV settings and set 'clamfailureonupload' to "Treat files as viruses". Save settings.
      6. Try to upload any file; the upload should trigger an exception similar to the one in step 2. The admin should get an email notification that the antivirus is not configured correctly.

    • Affected Branches:
      MOODLE_31_STABLE
    • Fixed Branches:
      MOODLE_31_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-55049-master

      Description

      I will backport the fix only for 3.1 (because the antivirus infrastructure was refactored in MDL-50887)
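
The outcomes that testing steps 1 to 6 expect, modelled as an added example (not Moodle's code). `scan_upload`, `make_stub_scanner` and the `ok`/`virus` policy names are hypothetical; the stub stands in for clamscan and relies only on clamscan's exit codes (0 clean, 1 virus found, any other value an error).

```shell
#!/bin/sh
# Added example: models the outcomes the test steps expect from an upload scan.
# The stub scanner is a constructed stand-in for clamscan so this runs offline.

# scan_upload FILE SCANNER_PATH POLICY
#   POLICY "ok"    models 'clamfailureonupload' = "Treat files as OK"
#   POLICY "virus" models 'clamfailureonupload' = "Treat files as viruses"
scan_upload() {
    su_file=$1; su_scanner=$2; su_policy=$3
    su_rc=0
    if [ -x "$su_scanner" ]; then
        "$su_scanner" "$su_file" >/dev/null 2>&1 || su_rc=$?
    else
        su_rc=127   # wrong 'pathtoclam': the scanner cannot be executed
    fi
    case $su_rc in
        0) echo "accepted" ;;
        1) echo "rejected:virus" ;;
        *) # Scanner failure: the admin is notified under both policies.
           if [ "$su_policy" = "virus" ]; then
               echo "rejected:scanner-failure:notify-admin"
           else
               echo "accepted:scanner-failure:notify-admin"
           fi ;;
    esac
}

# Constructed stub: exits 1 when the file contains the EICAR marker text.
make_stub_scanner() {
    printf '%s\n' '#!/bin/sh' \
        'grep -q "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" "$1" && exit 1' \
        'exit 0' > "$1"
    chmod +x "$1"
}

demo() {
    d=$(mktemp -d)
    make_stub_scanner "$d/clamscan"
    echo "plain text" > "$d/clean.txt"
    echo "EICAR-STANDARD-ANTIVIRUS-TEST-FILE (constructed marker)" > "$d/bad.txt"
    scan_upload "$d/clean.txt" "$d/clamscan" ok      # step 1
    scan_upload "$d/bad.txt"   "$d/clamscan" ok      # step 2
    scan_upload "$d/clean.txt" "$d/missing"  ok      # steps 3-4
    scan_upload "$d/clean.txt" "$d/missing"  virus   # steps 5-6
    rm -rf "$d"
}
demo
```

With "Treat files as OK" a broken scanner path lets every upload through, infected or not, so the admin notification is the only signal that scanning has stopped.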

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                11/Jul/16