Moodle tracker issue MDL-60127

File Type restriction checks are not done at server side


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.3.2
    • Fix Version/s: None
    • Component/s: Filepicker, Files API
    • Affected Branches: MOODLE_33_STABLE

      Description

      Via the mobile app it is possible to bypass the file type restriction checks; this means that the checks are not done properly when using Web Services.

      I was reviewing how the "file restrictions" for assignment were implemented, because the file restriction check should be done on the server.
      Basically, the problem is that via Web Services the restriction checks are not done. The reason is that in the Moodle web UI the restriction checks are done by the file picker at the client level only, but in Web Services the file picker client restriction does not apply because it is not used (files are uploaded directly to a draft file area).
      In any case, all the files created in that draft area via WS are processed via file_postupdate_standard_filemanager, which internally calls file_save_draft_area_files (where all the maxbytes and maxfiles restrictions are double checked).

      I suppose that the way to fix this problem is to check the accepted_types option not only in the file picker (client) but also in this function (file_save_draft_area_files), in the same way that maxfiles/maxsize are double checked.
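The kind of server-side accepted_types check the report proposes, written as an added example that is not Moodle's own code and not part of the original issue. It assumes a hypothetical TYPE_GROUPS table (a small stand-in for Moodle's mimetype groups) and a constructed draft-area listing as input; find_disallowed_files() is the hypothetical check that a function in the position of file_save_draft_area_files would run before accepting the draft files, regardless of whether the upload came through the file picker or directly through a Web Service.

```php
<?php
// Added example (not Moodle's own code): a server-side accepted_types check of
// the kind the report proposes for file_save_draft_area_files(). Everything
// here is self-contained: the draft-area files are constructed sample data and
// TYPE_GROUPS is a hypothetical subset, not Moodle's full mimetype registry.

declare(strict_types=1);

// Hypothetical subset of type groups, keyed by the group name an
// accepted_types option might contain, mapping to lower-case extensions.
const TYPE_GROUPS = [
    'image'    => ['jpg', 'jpeg', 'png', 'gif'],
    'document' => ['pdf', 'doc', 'docx', 'odt'],
];

/**
 * Expand an accepted_types list (extensions with or without a leading dot,
 * group names, or '*') into a set of lower-case extensions.
 * Returns null when any entry is '*', meaning "no restriction".
 */
function expand_accepted_types(array $acceptedtypes): ?array {
    $allowed = [];
    foreach ($acceptedtypes as $type) {
        $type = strtolower(trim($type));
        if ($type === '*' || $type === '') {
            return null; // unrestricted
        }
        if (isset(TYPE_GROUPS[$type])) {
            foreach (TYPE_GROUPS[$type] as $ext) {
                $allowed[$ext] = true;
            }
        } else {
            $allowed[ltrim($type, '.')] = true;
        }
    }
    return $allowed;
}

/**
 * Return the names of draft files that are NOT covered by accepted_types.
 * A server-side caller (the WS path described in the report) would refuse
 * to move the draft area into the real file area when this is non-empty,
 * instead of trusting the client-side file picker to have enforced it.
 */
function find_disallowed_files(array $draftfiles, array $acceptedtypes): array {
    $allowed = expand_accepted_types($acceptedtypes);
    if ($allowed === null) {
        return [];
    }
    $bad = [];
    foreach ($draftfiles as $file) {
        $name = $file['filename'];
        // Extension is taken after the LAST dot, so "report.pdf.php" is
        // judged as "php", not "pdf"; names with no extension are rejected.
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if ($ext === '' || !isset($allowed[$ext])) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Constructed sample: what a draft area might hold after direct WS uploads.
$draftfiles = [
    ['filename' => 'essay.pdf',      'mimetype' => 'application/pdf'],
    ['filename' => 'photo.JPG',      'mimetype' => 'image/jpeg'],
    ['filename' => 'report.pdf.php', 'mimetype' => 'application/x-httpd-php'],
    ['filename' => 'notes',          'mimetype' => 'text/plain'],
];

// An accepted_types value mixing an explicit extension and a group name.
$acceptedtypes = ['.pdf', 'image'];

$disallowed = find_disallowed_files($draftfiles, $acceptedtypes);
if ($disallowed) {
    echo "Rejected by server-side accepted_types check: "
        . implode(', ', $disallowed) . "\n";
} else {
    echo "All draft files pass the accepted_types check\n";
}
```

The check is deliberately based on the filename extension, mirroring what the file picker enforces on the client, so that the two sides agree; a stricter deployment could additionally compare the stored mimetype against the group, but the point of the report is that whatever rule the picker applies must also be applied where the draft area is processed on the server.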


            People

            • Assignee: Unassigned
            • Reporter: jleyva Juan Leyva
            • Participants:
            • Component watchers: Adrian Greeve, Mihail Geshoski, Peter Dias, Matteo Scaramuccia, Jake Dallimore, Jun Pataleta, Ryan Wyllie
            • Votes: 2
            • Watchers: 4
