Curl has the option CURLOPT_UNRESTRICTED_AUTH. If true, curl will send
the credentials to a different host. If false, they will not be sent.
CURLOPT_UNRESTRICTED_AUTH can only work if the CURLOPT_FOLLOWLOCATION
option is true. The filelib forces the CURLOPT_FOLLOWLOCATION option
to be false, because all redirects are emulated at the PHP level. So,
in this case, the CURLOPT_UNRESTRICTED_AUTH option is only being used
in our logic and will not work as you might expect it to.
This patch works almost the same as CURLOPT_UNRESTRICTED_AUTH in ideal
conditions. It will check whether the host is different. If so, the
system will check what value CURLOPT_UNRESTRICTED_AUTH has. If it is
not specified, then by default, it will be false. If false, then
credentials will not be sent.
See notes on:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Charset
Warning: Do not use this header. Browsers omit this header and servers
should ignore it.
The Accept-Charset request HTTP header was a header that advertised a
client's supported character encodings. It is no longer widely used.
UTF-8 is well-supported and the overwhelmingly preferred choice for
character encoding. To guarantee better privacy through less
configuration-based entropy, all browsers omit the Accept-Charset
header.
This has been generated running the following Sniffs, all
them part of the Moodle's CodeSniffer standard:
- PSR12.Functions.ReturnTypeDeclaration
- PSR12.Functions.NullableTypeDeclaration
- moodle.Methods.MethodDeclarationSpacing
- Squiz.Whitespace.ScopeKeywordSpacing
All them are, exclusively, about correct spacing, so the changes
are, all them, only white space changes.
Only exceptions to the above are 3 changes what were setting the
return type in a new line, and, when that happens, the closing
parenthesis (bracket) has to go to the same line than the colon.
The *.png files in pix/f folder have been removed, so their references
need to be updated to use the proper SVG file or a different icon, as
happened with logo_uri for oauth2 services.
The parameter $size of the following functions has been deprecated and is not used any more:
- file_extension_icon
- file_file_icon
- file_folder_icon
- file_mimetype_icon
- mimeinfo_from_type
- url_guess_icon
That way, the sized icons (xxxxxxx-yyy.png) can be removed and replaced by SVG, to make it easier
to keep them updated because once they are replaced, there will only be one single file for each
MIME icon.
Ensure that the following both return consistently, so that filepicker
form elements behave the same for each when defining "accepted_types":
'.html, .txt'
['.html', '.txt']
The problem is that HTML Purifier is not compatible with Markdown,
that means we cannot sanitise Markdown texts before editing.
Luckily Markdown has to use plain text editor which does not have
XSS problems.
The only tiny downside is that Markdown cannot be allowed
in "trust text" areas any more.
In PHP 8.2 and later, setting a value to an undeclared class property is
deprecated and emits a deprecation notice.
So we need to add missing class properties that still need to be declared.
* The file file_remove_editor_orphaned_files should take into account URL that
have been embedded in a tag content instead of an attribute (like src attribute)
* This will fix issue with inserting H5P content in calendar events.
Before this commit, is_empty() was being applied before returning
the mock response. But we want to be able to mock the empty response
for some tests, hence moving the condition to null/isset, that is
the value that array_pop() returns where there aren't more elements
in the array.
With that change performed, we can test lti_load_cartridge() with
empty responses, hence adding a new test for that.
After cbf9dfb the CURLOPT_FILE no longer behaves as expected. All
redirect responses are appended to the same stream resource. This fix
reverts back to the old behavior by setting the stream pointer back to
the beginning for each subsequent redirect.
This also implements the functionality for SCORM packages, which may
have SVG images embedded within their content which require loading
directly (and are only created by users with appropriate risk flag).
It was a mistake to force filtering of SVG files in MDL-55243. It can
easily lead to corrupted SVG files.
The patch removes that forced filtering and clarifies the inline comment
of what and why we need to do.
The security problem here was that only the first and the last URL in
the redirect chain was checked by the security helper. This patch forces
the curl wrapper to always emulate cURL redirects and check every
redirect URL in the chain before actually visiting it.
Augument all installed plugin's security helper if there is any.
Plugins function has to be defined as plugintype_pluginname_security_helper in pluginname/lib.php file.
The code has been using terms that were found exclusive and potentially
derogatory. Fixing the terms and making the variables and methods
consistent with the related admin settings.
It was found out that in certain situations there may be some content
in to output handlers buffers. Let's allow that to happen given that:
* default handler's buffer is not sent as a part of the file and an
error is reported into the server log.
* other handlers' buffer is sent with the assumption that it is required
for the correct serving of the file.
Currently, PHP getimagesize method doesn't support SVG images.
As some features, such as badges, processs and optimise the images
before using them, a new filetype group has been created to exclude
SVG from there: optimised_image.
SVG can't be removed from web_image because then users won't be
able to add SVG images to their courses using labels, pages...
