Issue Type: Bug
Resolution: Duplicate
Priority: Minor
Affects Version: 4.1.13
Branch: MOODLE_401_STABLE
There appears to be an issue in how H5P is implemented. When H5P content is uploaded to any course it is unpacked, and every library bundled in the package is compared against the libraries installed on the site. If the bundled library carries a higher version than the installed copy, or no copy of that library version exists on the site yet, the bundled library is installed.
If a user modifies an official library and sets its version higher than the current official one, that modified version is installed and becomes the "official" latest version of the library on that Moodle instance. From then on, every H5P package that is uploaded or saved and depends on that official library is rewritten to use the modified, higher-versioned library instead.
If the modified library's version is set very high, for example 10.1.1, official releases will not overtake it for a long time. If the modified library has a bug or a serious issue, simply deleting it from the H5P libraries page does not fix the problem, because the modified library may already have been injected into many H5P packages. Each time one of those packages is edited or saved, the modified library is installed on the site again and the issue starts over.
We found this issue when a user had uploaded a modified version of Interactive Book; they set the version to 9.3. The user uploaded this H5P package around 3 years ago. Now, due to updates in other libraries which appear to have broken the out-of-date library that is used as the "official" latest Interactive Book (instead of version 1.9), it has been 3 years and over 500 packages have been injected with the modified Interactive Book 9.3. These packages cannot be saved via the interface and need to be downloaded and manually fixed to remove the Interactive Book 9.3 library.
A library bundled inside uploaded H5P content should not be able to replace an official H5P library on the site and then be trusted as the latest release. If a malicious user uploaded a package containing a modified version of an official library, they could potentially alter how every H5P package on the site which uses that library operates.
We need a way to update all affected H5P files through the Moodle File API so that, when a library is deleted, it is also removed from the packages that reference it, with minimum disruption.
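The version rule described above is easy to check for offline before a package reaches a site. The following is an added example, not Moodle or H5P project code: it reads the `library.json` files bundled in an `.h5p` archive, applies the "install if newer or unknown" rule from the report against a table of official versions, and reports every library that would displace the site's official copy. The `OFFICIAL` table and the sample package built by `build_package` are constructed for the demonstration (Interactive Book relabelled 9.3 beside an unmodified Column); point `scan_package` at a real archive and at the versions your site actually has.

```python
"""Flag bundled H5P libraries that would replace an official library.

Added example, not Moodle/H5P code. The official-version table and the
sample package below are constructed for the demonstration.
"""
import io
import json
import zipfile
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Assumed newest official release per library (constructed for the example).
OFFICIAL: Dict[str, Version] = {
    "H5P.InteractiveBook": (1, 9, 0),
    "H5P.Column": (1, 16, 0),
}


def would_install(installed: Optional[Version], candidate: Version) -> bool:
    """The rule the report describes: a bundled library is installed when the
    site has no copy yet or the bundled copy carries a higher version."""
    return installed is None or candidate > installed


def bundled_libraries(package: bytes) -> Dict[str, Version]:
    """Read every <machineName>-<major>.<minor>/library.json in the archive."""
    found: Dict[str, Version] = {}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for info in z.infolist():
            parts = info.filename.split("/")
            if len(parts) == 2 and parts[1] == "library.json":
                lib = json.loads(z.read(info.filename))
                found[lib["machineName"]] = (
                    int(lib["majorVersion"]),
                    int(lib["minorVersion"]),
                    int(lib.get("patchVersion", 0)),
                )
    return found


def scan_package(package: bytes, official: Dict[str, Version] = OFFICIAL) -> List[str]:
    """One finding per bundled library that is unknown to, or newer than, the
    official table, i.e. one the upload would turn into the site's 'latest'."""
    findings = []
    for name, ver in bundled_libraries(package).items():
        known = official.get(name)
        label = f"{name} {ver[0]}.{ver[1]}.{ver[2]}"
        if known is None:
            findings.append(f"{label}: not an official library")
        elif would_install(known, ver):
            findings.append(f"{label}: exceeds official {known[0]}.{known[1]}.{known[2]}")
    return findings


def build_package(libraries: List[Tuple[str, Version]]) -> bytes:
    """Constructed .h5p archive: h5p.json plus one folder per bundled library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        deps = [{"machineName": n, "majorVersion": v[0], "minorVersion": v[1]}
                for n, v in libraries]
        z.writestr("h5p.json", json.dumps({
            "title": "demo", "language": "en", "mainLibrary": libraries[0][0],
            "embedTypes": ["div"], "preloadedDependencies": deps}))
        z.writestr("content/content.json", json.dumps({}))
        for name, v in libraries:
            z.writestr(f"{name}-{v[0]}.{v[1]}/library.json", json.dumps({
                "title": name, "machineName": name, "majorVersion": v[0],
                "minorVersion": v[1], "patchVersion": v[2], "runnable": 1}))
    return buf.getvalue()


# The scenario from the report: Interactive Book relabelled 9.3 next to an
# unmodified Column 1.16 (constructed sample input).
SAMPLE = build_package([("H5P.InteractiveBook", (9, 3, 0)),
                        ("H5P.Column", (1, 16, 0))])

if __name__ == "__main__":
    for line in scan_package(SAMPLE):
        print(line)
```

Run against a real upload with `scan_package(open("pkg.h5p", "rb").read(), versions_from_site)`; any finding is a library the site would silently adopt as its newest copy under the rule described above, which is exactly the relabelled 9.3 case.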
Related issues (marked as related by):
- MDL-82850 Once a newer version of a package has been installed all the depending H5P activities are updated on edition and it is not possible to roll back to previous version (Closed)