  1. Moodle
  2. MDL-60127

File Type restriction checks are not done at server side


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.3.2
    • Fix Version/s: None
    • Component/s: Filepicker, Files API
    • Labels:
    • Affected Branches:
      MOODLE_33_STABLE

      Description

      Via the mobile app it is possible to bypass the file type restriction checks; this means that the checks are not done properly when using Web Services.

      I was reviewing how the "file restrictions" for assignment were implemented, because the file restriction check should've been done on the server.
      Basically, the problem is that via Web Services the restriction checks are not done. The reason is that in Moodle web the restriction checks are done by the file picker at client level only, but in Web Services the file picker client restriction does not apply because it is not used (files are directly uploaded to a draft file area).
      In any case, all the files created in that draft area via WS are processed via file_postupdate_standard_filemanager that internally calls file_save_draft_area_files (where all the maxbytes and maxfiles restrictions are double checked).

      I suppose that the way to fix this problem is to check the accepted_types option not only in the file picker (client) but also in this function (file_save_draft_area_files), in the same way that maxfiles/maxsize are double checked.
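
The server-side check proposed above, as an added example that is neither Moodle's code nor part of the report. `find_rejected_draft_files()` is a hypothetical stand-in for the point where draft files are saved, and it assumes `accepted_types` is a list of extensions such as ".pdf", or "*" for any type; the "no limit" values for `maxbytes` and `maxfiles` are also assumptions.

```php
<?php
// Added illustration, not Moodle code: all function names are hypothetical.
// Assumption: accepted_types is a list of extensions such as ".pdf", or "*".

/** Return [filename => reason] for draft files that break the options. */
function find_rejected_draft_files(array $draftfiles, array $options): array {
    $accepted = array_map('strtolower', $options['accepted_types'] ?? ['*']);
    $anytype  = in_array('*', $accepted, true);
    $maxbytes = $options['maxbytes'] ?? 0;   // 0 = no limit (assumption)
    $maxfiles = $options['maxfiles'] ?? -1;  // -1 = no limit (assumption)
    $rejected = [];
    $kept = 0;
    foreach ($draftfiles as $file) {
        // Only the final extension counts, so "essay.pdf.php" is ".php".
        $ext = strtolower(pathinfo($file['filename'], PATHINFO_EXTENSION));
        $ext = ($ext === '') ? '' : '.' . $ext;
        if (!$anytype && !in_array($ext, $accepted, true)) {
            $rejected[$file['filename']] = 'type not accepted';
        } else if ($maxbytes > 0 && $file['size'] > $maxbytes) {
            $rejected[$file['filename']] = 'larger than maxbytes';
        } else if ($maxfiles >= 0 && $kept >= $maxfiles) {
            $rejected[$file['filename']] = 'more than maxfiles';
        } else {
            $kept++;
        }
    }
    return $rejected;
}

// Constructed sample: a draft area as a Web Service client could fill it,
// with no file picker involved.
$draft = [
    ['filename' => 'essay.pdf',     'size' => 120000],
    ['filename' => 'essay.PDF',     'size' => 90000],
    ['filename' => 'essay.pdf.php', 'size' => 400],
    ['filename' => 'notes',         'size' => 10],
    ['filename' => 'big.pdf',       'size' => 9000000],
];
$options = ['accepted_types' => ['.pdf'], 'maxbytes' => 1000000, 'maxfiles' => 5];

foreach (find_rejected_draft_files($draft, $options) as $name => $reason) {
    echo "$name: $reason\n";
}
```

The type test sits in the same loop as the size and count tests, so a file that never passed through the file picker is judged by the same options as one that did.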

            People

            Assignee:
            Unassigned
            Reporter:
            jleyva Juan Leyva
            Participants:
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Matteo Scaramuccia, Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
            Votes:
            3
            Watchers:
            4
