- Bug
- Resolution: Fixed
- Major
- 3.9.12, 3.10.9, 3.11.5, 4.0
- MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
- MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE
- MDL-73588-master-curlfile
As reported by thommars via email:
After https://github.com/moodle/moodle/commit/cbf9dfbd8dcfc60a6e677b475affb38598beec31, downloading of content through the content hub for the H5P plugin is broken. Curl downloads to a stream with redirects first write the HTML of the redirect page to the stream, and then the actual file that was redirected to. This breaks with the previous behavior, which just wrote the file contents of the file that was redirected to.
The H5P module has code for reproducing this at https://github.com/h5p/moodle-mod_hvp/blob/stable/classes/framework.php#L227 where it sets CURLOPT_FILE to a stream and attempts to $curl->get() a URL that redirects to a file.
The buggy behaviour can be reproduced using a simple script like:
```php
<?php

define('CLI_SCRIPT', true);

require(__DIR__ . '/config.php');
require_once($CFG->libdir . '/filelib.php');

// Stream that the downloaded file should be written to.
$f = fopen('/tmp/test.h5p', 'w');

$options = [
    'CURLOPT_SSL_VERIFYPEER' => true,
    'CURLOPT_CONNECTTIMEOUT' => 20,
    'CURLOPT_FOLLOWLOCATION' => 1,
    'CURLOPT_MAXREDIRS' => 5,
    'CURLOPT_RETURNTRANSFER' => true,
    'CURLOPT_NOBODY' => false,
    'CURLOPT_TIMEOUT' => 300,
    'CURLOPT_FILE' => $f,
];

$c = new curl();

// This URL answers with a redirect to the actual .h5p file.
$r = $c->get('https://hub-api.h5p.org/v1/contents/1291299601555854565/export', [], $options);

fclose($f);
```
The content of the redirect page at https://hub-api.h5p.org/v1/contents/1291299601555854565/export is written into the target file which effectively breaks the file content.
We need to fix our curl class so that it matches curl's native behaviour, that is, only the content of the very last element in the redirect chain is written to the output stream.
- Is a regression caused by: MDL-72203 Redirect security checks should not introduce additional cURL requests (Closed)
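An added example, not part of the original report and not Moodle's actual fix: manual redirect following that checks every hop and leaves only the final response body in the output stream, which is the behaviour the report asks for. The function name, the transport `$fetch`, the check `$urlallowed` and the `.example` URLs are hypothetical, and the two-hop chain is constructed so the script runs offline.

```php
<?php
// Added illustration, not Moodle's lib/filelib.php code. $fetch is a hypothetical
// transport returning ['status' => int, 'location' => ?string, 'body' => string]
// for ONE request, with automatic redirect following switched off.
function get_to_stream(callable $fetch, callable $urlallowed, string $url, $stream, int $maxredirs = 5): int {
    for ($hop = 0; $hop <= $maxredirs; $hop++) {
        // Per-hop check: the reason for following redirects manually at all.
        if (!$urlallowed($url)) {
            throw new RuntimeException("Blocked URL in redirect chain: $url");
        }
        $response = $fetch($url);

        // Discard whatever an earlier hop wrote, so the stream only ever
        // holds the body of the most recent response.
        ftruncate($stream, 0);
        rewind($stream);
        fwrite($stream, $response['body']);

        $isredirect = $response['status'] >= 300 && $response['status'] < 400
            && !empty($response['location']);
        if (!$isredirect) {
            return $response['status'];
        }
        $url = $response['location'];
    }
    // Redirect limit reached: do not leave an intermediate page in the stream.
    ftruncate($stream, 0);
    rewind($stream);
    throw new RuntimeException('Too many redirects');
}

// Constructed two-hop chain: an HTML redirect page, then the file itself.
$chain = [
    'https://hub.example/export' => ['status' => 302,
        'location' => 'https://cdn.example/file.h5p', 'body' => '<html>Redirecting...</html>'],
    'https://cdn.example/file.h5p' => ['status' => 200,
        'location' => null, 'body' => "PK\x03\x04 constructed"],
];
$fetch = function (string $u) use ($chain): array { return $chain[$u]; };
$urlallowed = function (string $u): bool { return parse_url($u, PHP_URL_SCHEME) === 'https'; };

$stream = fopen('php://temp', 'w+');
$status = get_to_stream($fetch, $urlallowed, 'https://hub.example/export', $stream);
rewind($stream);
$written = stream_get_contents($stream);
fclose($stream);

printf("status=%d final_body_only=%s\n", $status,
    var_export($written === "PK\x03\x04 constructed", true));
```

`ftruncate()` only works on streams that can be truncated, such as regular files and `php://temp`; for a pipe or socket, each hop would have to be buffered and only the final body written.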