Moodle tracker: MDL-73588

Unexpected content in the CURLOPT_FILE output stream on redirects


    • Affected branches: MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
    • Fixed branches: MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE
    • Pull branch: MDL-73588-master-curlfile

      Replaying previous tests (copied from MDL-72203)

      Test 1 - Security fix still handled

      Repeat the same test as in MDL-71916.

      NOTE: Please do not include those testing instructions here (or refer to their specifics within the comments on this issue), as this issue is public and not restricted as a security issue. Anything that may be considered security specific (such as referring to steps around reproducing/confirming that the vulnerability is still covered by this patch) should be limited to comments that are restricted to the moodle-security group, rather than "Viewable by All Users".

      Test 2 - Additional request bug addressed (tested using ngrok)

      1. Add an image file to your web root (eg /var/www/html/test.jpg).
      2. Enable ngrok (ngrok http 80). Copy the ngrok forwarding http URL (and keep the ngrok terminal/console where you can see it).
      3. Log in as any user, navigate to the private file area.
      4. Open the URL downloader and paste the URL to the test.jpg image hosted through the ngrok address. Then press the "Download" button.
      5. Check the ngrok HTTP Requests list and CONFIRM there is only one GET request.

      New tests related to this issue (MDL-73588)

      Fix covered by unit tests. Manual testing requires additional plugin to be installed.

      1. Install https://moodle.org/plugins/mod_hvp to the site.
      2. Go to "Administration / Plugins / Activity modules / H5P / H5P Settings".
      3. In the "H5P Hub Account Settings", register the H5P Hub (local instance doesn't require a public URL, and no verification is done after registering the hub).
      4. As a teacher, add a new "Interactive Content" (black H5P icon, not the blue one) module to the course.
      5. At the "Adding a new Interactive Content" form, choose "Get Shared Content" option and fetch a content item from the hub using the "Get Content" button.
      6. TEST Check that pressing the button leads to "... was successfully imported from the H5P Hub" message.

      As reported by thommars via email:

      After https://github.com/moodle/moodle/commit/cbf9dfbd8dcfc60a6e677b475affb38598beec31, downloading of content through the content hub for the H5P plugin is broken. When curl downloads to a stream with redirects, it first writes the HTML of the redirect page to the stream, and then the actual file that was redirected to. This breaks the previous behaviour, which just wrote the contents of the file that was redirected to.

      The H5P module has code for reproducing this at https://github.com/h5p/moodle-mod_hvp/blob/stable/classes/framework.php#L227, where it sets CURLOPT_FILE to a stream and attempts to $curl->get() a URL that redirects to a file.

      The buggy behaviour can be reproduced using a simple script like:

      <?php
      // Standalone Moodle CLI script: bootstraps config.php and the curl wrapper
      // from lib/filelib.php, then downloads a hub export into a local file.
      define('CLI_SCRIPT', true);

      require(__DIR__ . '/config.php');
      require_once($CFG->libdir . '/filelib.php');

      // Output stream that the response body should be written to.
      $f = fopen('/tmp/test.h5p', 'w');

      $options = [
          'CURLOPT_SSL_VERIFYPEER' => true,
          'CURLOPT_CONNECTTIMEOUT' => 20,
          'CURLOPT_FOLLOWLOCATION' => 1,   // the export URL answers with a redirect
          'CURLOPT_MAXREDIRS'      => 5,
          'CURLOPT_RETURNTRANSFER' => true,
          'CURLOPT_NOBODY'         => false,
          'CURLOPT_TIMEOUT'        => 300,
          'CURLOPT_FILE'           => $f,  // body goes to the stream, not the return value
      ];

      $c = new curl();

      // Expected: only the redirected-to file ends up in /tmp/test.h5p.
      // Observed: the HTML body of the redirect response is written to it first.
      $r = $c->get('https://hub-api.h5p.org/v1/contents/1291299601555854565/export', [], $options);

      fclose($f);


      The content of the redirect page at https://hub-api.h5p.org/v1/contents/1291299601555854565/export is written into the target file which effectively breaks the file content.

      We need to fix our curl class so that it matches curl's native behaviour - that is, only the content of the very last element in the redirect chain is written to the output stream.
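      The redirect loop described above, as an added example that is not Moodle's code and not the patch on this issue: a small Python client that follows redirects in its own loop (as a wrapper that wants to check every hop against a host policy before requesting it would) and writes only the final hop's body to the output stream. The write_intermediate switch reproduces the reported defect, where the HTML body of the redirect response is copied into the stream ahead of the real file. The local test server, its /export and /file.h5p paths, the host_ok policy callback and the sample bytes are all constructed for this example.

```python
import http.client
import io
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

# Constructed sample data: the HTML body of the redirect response and the
# bytes of the "file" it redirects to (a fake archive, not a real .h5p).
REDIRECT_HTML = b"<html><body>Moved: see /file.h5p</body></html>"
FILE_BYTES = b"PK\x03\x04 constructed archive bytes"

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _HubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an export endpoint: /export answers 302 with an
    HTML body and points at /file.h5p, which returns FILE_BYTES."""

    def do_GET(self):
        if self.path == "/export":
            self._reply(302, REDIRECT_HTML, location="/file.h5p")
        elif self.path == "/file.h5p":
            self._reply(200, FILE_BYTES)
        else:
            self._reply(404, b"not found")

    def _reply(self, status, body, location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind the constructed server to an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), _HubHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def download(url, out, max_redirs=5, host_ok=lambda host: True,
             write_intermediate=False):
    """Follow redirects in our own loop and copy the body to `out`.

    host_ok (a hypothetical policy hook) is checked for every hop before it is
    requested, which is the reason a client would emulate redirects instead of
    letting the library follow them. write_intermediate=True reproduces the
    reported defect: each hop's body is written, so the redirect page lands in
    the stream ahead of the real content. Returns the final HTTP status.
    """
    for _ in range(max_redirs + 1):
        parts = urlsplit(url)
        if not host_ok(parts.hostname):
            raise PermissionError(f"blocked host in redirect chain: {parts.hostname}")
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
        try:
            conn.request("GET", target)
            resp = conn.getresponse()
            body = resp.read()
        finally:
            conn.close()
        location = resp.getheader("Location")
        if resp.status in REDIRECT_CODES and location:
            if write_intermediate:
                out.write(body)  # defect: intermediate body reaches the stream
            url = urljoin(url, location)
            continue
        out.write(body)  # correct behaviour: only the last hop is written
        return resp.status
    raise RuntimeError("too many redirects")


def demo():
    """Fetch the same export URL with and without the defect; return both streams."""
    srv = start_server()
    try:
        url = f"http://127.0.0.1:{srv.server_port}/export"
        allow_loopback = lambda host: host == "127.0.0.1"
        buggy, fixed = io.BytesIO(), io.BytesIO()
        download(url, buggy, host_ok=allow_loopback, write_intermediate=True)
        download(url, fixed, host_ok=allow_loopback)
    finally:
        srv.shutdown()
        srv.server_close()
    return buggy.getvalue(), fixed.getvalue()


if __name__ == "__main__":
    buggy, fixed = demo()
    print("defective stream starts with:", buggy[:24])
    print("corrected stream starts with:", fixed[:24])
```

      The defective stream begins with the redirect page's HTML and only then the archive bytes, which is exactly what corrupts a downloaded .h5p; the corrected loop discards every intermediate body and the stream holds the final hop alone. The per-hop host check is kept in the loop to show that discarding intermediate bodies does not require giving up the ability to inspect each hop.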

            Assignee: David Mudrák (@mudrd8mz)
            Reporter: David Mudrák (@mudrd8mz)
            Peer reviewer: Frode Petterson
            Integrator: Eloy Lafuente (stronk7)
            Tester: Gladys Basiana
            Votes: 0
            Watchers: 11

                Estimated: Not Specified
                Remaining: 0m
                Logged: 1d 1h 5m