Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-58971

touch() in unoconv temp file creation needs better protection

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Do
    • Affects Version/s: 3.2.3, 3.3
    • Fix Version/s: None
    • Component/s: Files API
    • Labels:
    • Affected Branches:
      MOODLE_32_STABLE, MOODLE_33_STABLE

      Description

      In files/converter/unoconv/classes/converter.php. The start_document_conversion() function looks like this...

      $result = exec($cmd, $output);
       chdir($currentdir);
       touch($newtmpfile);
       if (filesize($newtmpfile) === 0) \{
       $conversion->set('status', conversion::STATUS_FAILED);
       
      return $this;
       }
      

      The touch() needs to have write permissions to the newly created pdf file. The problem is that it's quite easy to configure unoconv/libreoffice to write the file with the wrong permissions. Example, a headless libreoffice process if run as root will create the temp file as root - unwriteable by Moodle. 

      It would be very good wrap the touch() in an is_writeable() or similar. If it is not writeable some diagnostic to indicate that there are permission problems would be great. 

      With debugging on, this will corrupt the PDF file and it will not open (and not be obvious why). 

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                zig Zig Tan (Inactive)
                Reporter:
                howardsmiller Howard Miller
                Participants:
                Component watchers:
                Matteo Scaramuccia, Jake Dallimore, Jun Pataleta, Ryan Wyllie
              • Votes:
                1 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: