Merge branch 'MDL-72316-master-2' of git://github.com/mickhawkins/moodle
junpataleta authored and andrewnicols committed Oct 28, 2021
2 parents 00483c9 + 2a2ece6 commit 4d10196
Showing 3 changed files with 15 additions and 2 deletions.
8 changes: 6 additions & 2 deletions lib/filelib.php
Expand Up @@ -2505,6 +2505,9 @@ function file_safe_save_content($content, $destination) {
* @param array $options An array of options, currently accepts:
* - (string) cacheability: public, or private.
* - (string|null) immutable
* - (bool) dontforcesvgdownload: true if force download should be disabled on SVGs.
* Note: This overrides a security feature, so should only be applied to "trusted" content
* (eg module content that is created using an XSS risk flagged capability, such as SCORM).
* @return null script execution stopped unless $dontdie is true
*/
function send_file($path, $filename, $lifetime = null , $filter=0, $pathisstring=false, $forcedownload=false, $mimetype='',
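Review bot: the docblock entry for `dontforcesvgdownload` should state its default (false) and make the trust requirement operational rather than descriptive: `send_file()` cannot verify who authored the content, so the text should say that the caller must have already performed the capability check before setting this option. Spelling out the consequence of getting it wrong (an SVG served inline runs any embedded script in the site's origin) would also help future callers judge whether their case is really "trusted".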
Expand Down Expand Up @@ -2535,8 +2538,9 @@ function send_file($path, $filename, $lifetime = null , $filter=0, $pathisstring
$filename = rawurlencode($filename);
}

// Make sure we force download of SVG files for security reasons (https://digi.ninja/blog/svg_xss.php).
if (file_is_svg_image_from_mimetype($mimetype)) {
// Make sure we force download of SVG files, unless the module explicitly allows them (eg within SCORM content).
// This is for security reasons (https://digi.ninja/blog/svg_xss.php).
if (file_is_svg_image_from_mimetype($mimetype) && empty($options['dontforcesvgdownload'])) {
$forcedownload = true;
}

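Review bot: the opt-out test `empty($options['dontforcesvgdownload'])` treats any non-empty value as permission to skip the forced download, so a caller that passes `1`, a non-empty string or an array disables the control just as well as `true`. For a security switch with a single intended caller a strict comparison is safer, e.g. `($options['dontforcesvgdownload'] ?? false) !== true`. It would also be worth emitting a debugging or log line when the bypass is actually taken, so inline SVG delivery is visible during review of a site's file-serving paths.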
6 changes: 6 additions & 0 deletions lib/upgrade.txt
Expand Up @@ -111,6 +111,12 @@ completely removed from Moodle core too.
classes extending it. When possible, the enable_plugin() method will store these changes into the config_log table, to let admins
check when and who has enabled/disabled plugins.

=== 3.11.4 ===
* A new option dontforcesvgdownload has been added to the $options parameter of the send_file() function.
Note: This option overrides the forced download of directly accessed SVGs, so should only be used where the calling method is
rendering SVGs directly for content created using XSS risk flagged capabilities (such as creating a SCORM activity).
This is also not necessary where SVGs are already being safely loaded into <img> tags by Moodle (eg within forum posts).

=== 3.11.2 ===
* For security reasons, filelib has been updated so all requests now use emulated redirects.
For this reason, manually disabling emulateredirects will no longer have any effect (and will generate a debugging message).
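Review bot: the 3.11.4 entry should state that the option defaults to false and is only honoured when it reaches `send_file()` through the `$options` array (mod/scorm in this commit passes it via `send_stored_file()`), so plugin authors know which call path applies. Phrasing the condition as "the caller has already verified that the content author holds an XSS-risk flagged capability" would make the intended gate clearer than "should only be used where the calling method is rendering SVGs directly".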
3 changes: 3 additions & 0 deletions mod/scorm/lib.php
Expand Up @@ -1011,6 +1011,9 @@ function scorm_pluginfile($course, $cm, $context, $filearea, $args, $forcedownlo
return false;
}

// Allow SVG files to be loaded within SCORM content, instead of forcing download.
$options['dontforcesvgdownload'] = true;

// Finally send the file.
send_stored_file($file, $lifetime, 0, false, $options);
}
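Review bot: `$options['dontforcesvgdownload'] = true;` is applied unconditionally to every file that reaches this point in `scorm_pluginfile()`, so the safety of inline SVG here rests entirely on the access checks earlier in the function, which are outside this hunk. Add a comment naming the check above that justifies the opt-out, and consider limiting it to the file areas that hold SCORM package content rather than every area this callback serves. Also confirm that `$options` is always an array before this assignment; the function signature is truncated in this view, so that cannot be verified from the hunk.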

0 comments on commit 4d10196