From 2a2ece647a55c7930f0c15d87dc953c35364aff9 Mon Sep 17 00:00:00 2001
From: Michael Hawkins
Date: Wed, 20 Oct 2021 20:43:11 +0800
Subject: [PATCH] MDL-72316 filelib: Add ability for modules to directly load SVG images

This also implements the functionality for SCORM packages, which may have SVG images embedded within their content which require loading directly (and are only created by users with appropriate risk flag).
---
 lib/filelib.php | 8 ++++++--
 lib/upgrade.txt | 6 ++++++
 mod/scorm/lib.php | 3 +++
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/lib/filelib.php b/lib/filelib.php
index 1df9aa9cd0b54..cd1cf4d34710b 100644
--- a/lib/filelib.php
+++ b/lib/filelib.php
@@ -2505,6 +2505,9 @@ function file_safe_save_content($content, $destination) {
  * @param array $options An array of options, currently accepts:
  * - (string) cacheability: public, or private.
  * - (string|null) immutable
+ * - (bool) dontforcesvgdownload: true if force download should be disabled on SVGs.
+ * Note: This overrides a security feature, so should only be applied to "trusted" content
+ * (eg module content that is created using an XSS risk flagged capability, such as SCORM).
  * @return null script execution stopped unless $dontdie is true
  */
 function send_file($path, $filename, $lifetime = null , $filter=0, $pathisstring=false, $forcedownload=false, $mimetype='',
@@ -2535,8 +2538,9 @@ function send_file($path, $filename, $lifetime = null , $filter=0, $pathisstring
         $filename = rawurlencode($filename);
     }
 
-    // Make sure we force download of SVG files for security reasons (https://digi.ninja/blog/svg_xss.php).
-    if (file_is_svg_image_from_mimetype($mimetype)) {
+    // Make sure we force download of SVG files, unless the module explicitly allows them (eg within SCORM content).
+    // This is for security reasons (https://digi.ninja/blog/svg_xss.php).
+    if (file_is_svg_image_from_mimetype($mimetype) && empty($options['dontforcesvgdownload'])) {
         $forcedownload = true;
     }
 
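Review bot: The new guard in send_file uses `empty($options['dontforcesvgdownload'])`, so any truthy value (`1`, `'yes'`, a non-empty array) disables the forced download, while the docblock added in the first hunk documents the option as `(bool)`. Because this branch relaxes a security control, the check should be as strict as the documented contract, e.g. `if (file_is_svg_image_from_mimetype($mimetype) && ($options['dontforcesvgdownload'] ?? false) !== true) {`, so that a stray or mistyped value cannot silently enable inline SVG delivery. The docblock line `true if force download should be disabled on SVGs` could correspondingly say that only the literal `true` is honoured. send_file's body starts and ends outside this hunk, so whether `$options` is validated elsewhere in the function cannot be seen here.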
diff --git a/lib/upgrade.txt b/lib/upgrade.txt
index 971a378ca0e39..985f0efa93b55 100644
--- a/lib/upgrade.txt
+++ b/lib/upgrade.txt
@@ -110,6 +110,12 @@ completely removed from Moodle core too.
 classes extending it. When possible, the enable_plugin() method will store these changes into the config_log table, to let admins check when and who has enabled/disabled plugins.
 
+=== 3.11.4 ===
+* A new option dontforcesvgdownload has been added to the $options parameter of the send_file() function. Note: This option overrides the forced download of directly accessed SVGs, so should only be used where the calling method is rendering SVGs directly for content created using XSS risk flagged capabilities (such as creating a SCORM activity). This is also not necessary where SVGs are already being safely loaded into tags by Moodle (eg within forum posts).
+
 === 3.11.2 ===
 * For security reasons, filelib has been updated so all requests now use emulated redirects. For this reason, manually disabling emulateredirects will no longer have any effect (and will generate a debugging message).
diff --git a/mod/scorm/lib.php b/mod/scorm/lib.php
index 4cd969e5f68e3..99c5c7b33ba4d 100644
--- a/mod/scorm/lib.php
+++ b/mod/scorm/lib.php
@@ -1011,6 +1011,9 @@ function scorm_pluginfile($course, $cm, $context, $filearea, $args, $forcedownlo
         return false;
     }
 
+    // Allow SVG files to be loaded within SCORM content, instead of forcing download.
+    $options['dontforcesvgdownload'] = true;
+
     // Finally send the file.
     send_stored_file($file, $lifetime, 0, false, $options);
 }
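Review bot: `$options['dontforcesvgdownload'] = true;` is set unconditionally right before the send, so it applies to every file served through scorm_pluginfile, not only to package content; the function's signature is in the hunk header but its body, including the `$filearea` handling, lies outside the hunk. If any file area handled here is not populated under the XSS-risk capability the commit message relies on, the override should be limited to the relevant areas, e.g. `if ($filearea === 'content') { $options['dontforcesvgdownload'] = true; }` (constructed example; use the file area names the function actually handles). The commit also relies on `send_stored_file` forwarding `$options` through to `send_file`, which this diff does not touch, so that pass-through is worth confirming. The added comment would be more useful if it recorded why inline delivery is acceptable here, e.g. `// SCORM content is authored under an XSS risk flagged capability, so SVGs inside it may be served inline.`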