WebSVN – Moodle – Diff – /lib/filelib.php

  * @param int $itemid helps identify the file area. Can be null if there are no files yet.
  * @param array $options text and file options ('subdirs'=>false, 'forcehttps'=>false)
  * @param string $text some html content that needs to have embedded links rewritten to point to the draft area.
  * @return string|null returns string if $text was passed in, the rewritten $text is returned. Otherwise NULL.
  */
-function file_prepare_draft_area(&$draftitemid, $contextid, $component, $filearea, $itemid, array $options=null, $text=null) {
+function file_prepare_draft_area(&$draftitemid, $contextid, $component, $filearea, $itemid, ?array $options=null, $text=null) {
     global $CFG, $USER;
     $options = (array)$options;
     if (!isset($options['subdirs'])) {
  *          bool    $options.forcehttps Force the user of https
  *          bool    $options.reverse Reverse the behaviour of the function
  *          mixed   $options.includetoken Use a token for authentication. True for current user, int value for other user id.
  *          string  The processed text.
  */
-function file_rewrite_pluginfile_urls($text, $file, $contextid, $component, $filearea, $itemid, array $options=null) {
+function file_rewrite_pluginfile_urls($text, $file, $contextid, $component, $filearea, $itemid, ?array $options=null) {
     global $CFG, $USER;
     $options = (array)$options;
     if (!isset($options['forcehttps'])) {
     $draftfiles = file_get_drafarea_files($draftitemid, $filepath);
     file_get_drafarea_folders($draftitemid, $filepath, $draftfiles);
     if (!empty($draftfiles)) {
         foreach ($draftfiles->list as $draftfile) {
-            if ($draftfile->type == 'file') {
+            if ($draftfile->type !== 'folder') {
                 $files[] = $draftfile;
+            }
+        }
  * @param string $text some html content that needs to have embedded links rewritten
  *      to the @@PLUGINFILE@@ form for saving in the database.
  * @param bool $forcehttps force https urls.
  * @return string|null if $text was passed in, the rewritten $text is returned. Otherwise NULL.
  */
-function file_save_draft_area_files($draftitemid, $contextid, $component, $filearea, $itemid, array $options=null, $text=null, $forcehttps=false) {
+function file_save_draft_area_files($draftitemid, $contextid, $component, $filearea, $itemid, ?array $options=null, $text=null, $forcehttps=false) {
     global $USER;
     // Do not merge files, leave it as it was.
     if ($draftitemid === IGNORE_FILE_MERGE) {
         return file_rewrite_urls_to_pluginfile($text, $draftitemid, $forcehttps);
+    }
+}
+/**
+ * Clear a draft area.
+ *
+ * @param int $draftitemid Id of the draft area to clear.
+ * @return boolean success
+ */
+function file_clear_draft_area(int $draftitemid): bool {
+    global $USER;
+    $fs = get_file_storage();
+    $usercontext = context_user::instance($USER->id);
+    return $fs->delete_area_files($usercontext->id, 'user', 'draft', $draftitemid);
+}
 /**
  * Convert the draft file area URLs in some content to @@PLUGINFILE@@ tokens
  * ready to be saved in the database. Normally, this is done automatically by
  * {@link file_save_draft_area_files()}.
+ *
         header('Content-Type: text/plain; charset=utf-8');
     } else {
         header('Content-Type: '.$mimetype);
+    }
+    $isfileobj = is_object($file);
-    $lastmodified = is_object($file) ? $file->get_timemodified() : filemtime($file);
+    $lastmodified = $isfileobj ? $file->get_timemodified() : filemtime($file);
     header('Last-Modified: '. gmdate('D, d M Y H:i:s', $lastmodified) .' GMT');
-    if (is_object($file)) {
+    if ($isfileobj) {
         header('Etag: "' . $file->get_contenthash() . '"');
         if (isset($_SERVER['HTTP_IF_NONE_MATCH']) and trim($_SERVER['HTTP_IF_NONE_MATCH'], '"') === $file->get_contenthash()) {
             header('HTTP/1.1 304 Not Modified');
             return;
+        }
     }
     // if etag present for stored file rely on it exclusively
-    if (!empty($_SERVER['HTTP_IF_MODIFIED_SINCE']) and (empty($_SERVER['HTTP_IF_NONE_MATCH']) or !is_object($file))) {
+    if (!empty($_SERVER['HTTP_IF_MODIFIED_SINCE']) && (empty($_SERVER['HTTP_IF_NONE_MATCH']) || !$isfileobj)) {
         // get unixtime of request header; clip extra junk off first
         $since = strtotime(preg_replace('/;.*$/', '', $_SERVER["HTTP_IF_MODIFIED_SINCE"]));
     } else {
         header('Accept-Ranges: none');
+    }
     if ($accelerate) {
-        if (is_object($file)) {
+        if ($isfileobj) {
             $fs = get_file_storage();
             if ($fs->supports_xsendfile()) {
                 if ($fs->xsendfile_file($file)) {
                     return;
+                }
+            }
+        }
+    }
+    $filesize = $isfileobj ? $file->get_filesize() : filesize($file);
-    $filesize = is_object($file) ? $file->get_filesize() : filesize($file);
+    $filename = $isfileobj ? $file->get_filename() : $file;
+                }
             } else {
                 $ranges = false;
+            }
             if ($ranges) {
-                if (is_object($file)) {
+                if ($isfileobj) {
                     $handle = $file->get_content_file_handle();
                     if ($handle === false) {
-                        throw new file_exception('storedfilecannotreadfile', $file->get_filename());
+                        throw new file_exception('storedfilecannotreadfile', $filename);
+                    }
                 } else {
                     $handle = fopen($file, 'rb');
                     if ($handle === false) {
                         throw new file_exception('cannotopenfile', $file);
         $activehandler = array_pop($handlerstack);
         if ($activehandler === 'default output handler') {
             // We do not expect any content in the buffer when we are serving files.
             $buffercontents = ob_get_clean();
             if ($buffercontents !== '') {
+                // Include a preview of the first 20 characters of the output buffer to help identify
+                // what's causing it to be non-empty. This is useful for diagnosing unexpected output
+                // without exposing full content.
+                $buffercontentspreview = substr($buffercontents, 0, 20);
-                error_log('Non-empty default output handler buffer detected while serving the file ' . $file);
+                debugging("Non-empty default output handler buffer detected while serving the file {$filename}. " .
+                    "Buffer contents (first 20 characters): {$buffercontentspreview}", DEBUG_DEVELOPER);
+            }
         } else {
             // Some handlers such as zlib output compression may have file signature buffered - flush it.
             ob_end_flush();
+        }
+    }
     // send the whole file content
-    if (is_object($file)) {
+    if ($isfileobj) {
         $file->readfile();
     } else {
         if (readfile_allow_large($file, $filesize) === false) {
             throw new file_exception('cannotopenfile', $file);
         $nobyteserving = true;
         if (is_https()) { // HTTPS sites - watch out for IE! KB812935 and KB316431.
             header('Cache-Control: private, max-age=10, no-transform');
             header('Expires: '. gmdate('D, d M Y H:i:s', 0) .' GMT');
             header('Pragma: ');
-        } else { //normal http - prevent caching at all cost
+        } else { // Normal http - prevent caching at all cost.
-            header('Cache-Control: private, must-revalidate, pre-check=0, post-check=0, max-age=0, no-transform');
+            header('Cache-Control: private, must-revalidate, pre-check=0, post-check=0, max-age=0, no-transform', 'no-store');
             header('Expires: '. gmdate('D, d M Y H:i:s', 0) .' GMT');
             header('Pragma: no-cache');
+        }
+    }
     } else {
         // Try to put the file through filters
         if ($mimetype == 'text/html' || $mimetype == 'application/xhtml+xml' || file_is_svg_image_from_mimetype($mimetype)) {
             $options = new stdClass();
             $options->noclean = true;
-            $options->nocache = true; // temporary workaround for MDL-5136
+            $options->context = context_course::instance($COURSE->id);
             if (is_object($path)) {
                 $text = $path->get_content();
             } else if ($pathisstring) {
                 $text = $path;
             } else {
                 $text = implode('', file($path));
+            }
-            $output = format_text($text, FORMAT_HTML, $options, $COURSE->id);
             $output = format_text($text, FORMAT_HTML, $options);
-            readstring_accel($output, $mimetype);
             readstring_accel($output, $mimetype);
         } else if (($mimetype == 'text/plain') and ($filter == 1)) {
             // only filter text if filter all files is selected
             $options = new stdClass();
             $options->newlines = false;
+            $options->noclean = true;
+            $options->context = context_course::instance($COURSE->id);
             $options->noclean = true;
             if (is_object($path)) {
                 $text = htmlentities($path->get_content(), ENT_QUOTES, 'UTF-8');
             } else if ($pathisstring) {
                 $text = htmlentities($path, ENT_QUOTES, 'UTF-8');
             } else {
                 $text = htmlentities(implode('', file($path)), ENT_QUOTES, 'UTF-8');
-            }
+            }
             $output = '<pre>'. format_text($text, FORMAT_MOODLE, $options, $COURSE->id) .'</pre>';
-            readstring_accel($output, $mimetype);
+            $output = '<pre>'. format_text($text, FORMAT_MOODLE, $options) .'</pre>';
             readstring_accel($output, $mimetype);
         } else {
             // send the contents
             if ($pathisstring) {
  * @param array $options area options (subdirs=false, maxfiles=-1, maxbytes=0, areamaxbytes=FILE_AREA_MAX_BYTES_UNLIMITED)
  * @see file_save_draft_area_files
  * @since Moodle 3.2
  */
 function file_merge_files_from_draft_area_into_filearea($draftitemid, $contextid, $component, $filearea, $itemid,
-                                                        array $options = null) {
+                                                        ?array $options = null) {
     // We use 0 here so file_prepare_draft_area creates a new one, finaldraftid will be updated with the new draft id.
     $finaldraftid = 0;
     file_prepare_draft_area($finaldraftid, $contextid, $component, $filearea, $itemid, $options);
     file_merge_draft_area_into_draft_area($draftitemid, $finaldraftid);
     file_save_draft_area_files($finaldraftid, $contextid, $component, $filearea, $itemid, $options);
     private $securityhelper;
     /** @var bool ignoresecurity a flag which can be supplied to the constructor, allowing security to be bypassed. */
     private $ignoresecurity;
     /** @var array $mockresponses For unit testing only - return the head of this list instead of making the next request. */
     private static $mockresponses = [];
+    /** @var array $curlresolveinfo Resolve addresses for the URL that have passed cuRL security checks, in a CURLOPT_RESOLVE compatible format. */
+    private $curlresolveinfo = [];
     /** @var array temporary params value if the value is not belongs to class stored_file. */
     public $_tmp_file_post_params = [];
     /**
         if ($this->securityhelper->url_is_blocked($url)) {
             $this->error = $this->securityhelper->get_blocked_url_string();
             return $this->error;
+        }
+        // Set allowed resolve info if the URL is not blocked.
+        $this->curlresolveinfo = $this->securityhelper->get_resolve_info();
         return null;
+    }
+        }
         // Set the URL as a curl option.
+        $this->setopt(array('CURLOPT_URL' => $url));
+        // Force cURL to only resolve the URL from IP/port combinations that were validated by the security helper.
+        // This prevents re-fetching DNS data on subsequent requests, which could return un-validated hosts/ports.
-        $this->setopt(array('CURLOPT_URL' => $url));
+        $this->setopt(['CURLOPT_RESOLVE' => $this->curlresolveinfo]);
         // Create curl instance.
         $curl = curl_init();
+                    }
+                }
+                curl_setopt($curl, CURLOPT_URL, $redirecturl);
+                // Force cURL to only resolve the URL from IP/port combinations that were validated by the security helper.
+                // This prevents re-fetching DNS data on subsequent requests, which could return un-validated hosts/ports.
-                curl_setopt($curl, CURLOPT_URL, $redirecturl);
+                $this->setopt(['CURLOPT_RESOLVE' => $this->curlresolveinfo]);
                 // If CURLOPT_UNRESTRICTED_AUTH is empty/false, don't send credentials to other hosts.
                 // Ref: https://curl.se/libcurl/c/CURLOPT_UNRESTRICTED_AUTH.html.
                 $isdifferenthost = parse_url($currenturl)['host'] !== parse_url($redirecturl)['host'];
             // fix file name automatically
             if ($filename !== 'f1' and $filename !== 'f2' and $filename !== 'f3') {
                 $filename = 'f1';
+            }
-            if ((!empty($CFG->forcelogin) and !isloggedin()) ||
-                    (!empty($CFG->forceloginforprofileimage) && (!isloggedin() || isguestuser()))) {
+            if (!\core\output\user_picture::allow_view($context->instanceid)) {
                 // protect images if login required and not logged in;
                 // also if login is required for profile images and is not logged in or guest
                 // do not use require_login() because it is expensive and not suitable here anyway
                 $theme = theme_config::load($themename);

Proyectos de Subversion Moodle

(root)/lib/filelib.php – Rev 11 → 1441