chamilo-lms
Tilde ~ symbol in the file name of scorm files from new version of adobe captivate in the dist folder, get changed
Describe I am on a Mac running OS Sonoma 14.0 (23A344). There are ~ in the file names in the "dist" folder of published SCORM output from the all new Adobe Captivate (previously known as Project Charm). But when Chamilo uploads these files the file name gets changed by removing the ~ symbol. The result is that when the user in Chamilo LMS tries to play the SCORM file, there is just a blank window and the elearning doesn't launch.
To Reproduce Steps to reproduce the behavior:
- Publish an elearning project from adobe captivate and try and import it into course in Chamilo
- When the user clicks on the course, they just see a blank window
Expected behavior To fix this problem one has to go into cPanel and locate the dist folder. To go into the learning path, just go to the scorm folder inside the course you're working on, then open the learning path name and go to the dist folder. You should be able to see the JavaScript files in there. As a workaround, just locate the JavaScript (JS) files same in the dist folder and rename them to have ~ in between on the course directory on cPanel File Manager.
Screenshots
You need to change the files to look like the ones below:-
Desktop (please complete the following information):
- OS: [e.g. Linux Ubuntu 18.04/Windows 10]
- Browser [e.g. chrome, firefox, safari] and version
Server
- OS: [e.g. Linux Ubuntu 18.04/Windows 10]
- Version of Chamilo: Chamilo 1.11.26
- Version of PHP: the web server is on PHP version 8.1.16 (I thought my version for the domain where chamilo is was something like 7.4 but I can't find it right now).
The browser doesn't make any difference - I tried in Safari, Chrome and firefox.
Also my excellent host (kualo.com) checked to confirm it wasn't any problem on their end. They said...
I've reviewed and there aren't any server end restrictions for this sign.
I believe that there's some JavaScript code altering the filenames.
PHP itself doesn't have a specific setting that modifies the behavior of the tilde sign (~) during file uploads.
If a specific code for handling file uploads is in use, reviewing it is worth checking if there are any explicit transformations or substitutions applied to filenames.
Yeah there is a sanitizer in api_replace_dangerous_char in (api.lib.php) that takes anything that is not basic characters and strips it out of the resulting filenames. It will also rename files with spaces in them to hyphens... issue seems to be that it is not respecting the filename as per the scorm manifest and will just do it without any warnings.
Thanks for confirming where the problem arises from. I am in contact with Adobe too and trying to push them to remove that ~ character. Could there be an option in Chamilo to remove that api.lib.php? I have no programming knowledge.
It's a bit more complicated than just removing it frankly, there is a purpose to this security-wise and such. Could probably also just unzip the SCORM and rename it that way (Search & Replace in a text editor will make that task a breeze) to avoid hitting the sanitizer. I'm sure @ywarnier or @NicoDucou can give you a better understanding. I've experienced that issue with caps and spaces, but in the end just manually logging in to the server and fixing the filenames directly is done in a few seconds once you know that it's the issue, a proper fix would take a bit more time and a lot of testing.
Hi, unzipping the scorm and changing the file name in the dist folder wouldn't help as there is a path that something else in there is searching for. It isn't too hard for me though to put the ~ back in via cPanel, but it is going to make it difficult for lots of other people who will soon be coming across this issue. Would be good if there was an option to cut out the sanitiser.
I just had an idea. Would it be possible to write the code in the sanitiser so it checks the whole package and therefore changes all references to those altered files and not just the files in the dist folder? Then even though the dist folder files have a new name, the rest of the software could find those new names? I'm not sure I'm explaining it very well.
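As an added example (not part of this thread and not Chamilo code), a pre-upload check that lists the files in a SCORM zip whose names an allow-list sanitizer would change, and which other files in the package still refer to the original name. `standin_sanitize` is an assumption that only mimics the behaviour described in this thread (spaces become hyphens, other non-basic characters are dropped); the sample package is constructed.

```python
import io
import posixpath
import re
import zipfile

TEXT_EXT = (".xml", ".html", ".htm", ".js", ".json", ".css")


def standin_sanitize(name):
    # Assumption: stand-in for the LMS sanitizer, NOT api_replace_dangerous_char.
    # Spaces become hyphens; anything outside [A-Za-z0-9._-] is dropped.
    return re.sub(r"[^A-Za-z0-9._-]", "", name.replace(" ", "-"))


def audit_package(zip_bytes):
    """Map each file whose base name would change to its stored name
    and to the text files in the package that still reference it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        texts = {n: zf.read(n).decode("utf-8", "replace")
                 for n in names if n.lower().endswith(TEXT_EXT)}
    report = {}
    for path in names:
        base = posixpath.basename(path)
        clean = standin_sanitize(base)
        if clean == base:
            continue  # name survives the sanitizer unchanged
        refs = sorted(n for n, body in texts.items()
                      if n != path and base in body)
        report[path] = {"stored_as": clean, "referenced_by": refs}
    return report


def build_sample():
    """Constructed package using the file name quoted in this thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("imsmanifest.xml",
                    '<file href="dist/runtime~main.bundle.js"/>')
        zf.writestr("index.html",
                    '<script src="dist/runtime~main.bundle.js"></script>')
        zf.writestr("dist/runtime~main.bundle.js", "console.log('start');")
        zf.writestr("dist/styles.css", "body{}")
    return buf.getvalue()


if __name__ == "__main__":
    for path, info in audit_package(build_sample()).items():
        print(f"{path} -> {info['stored_as']}; "
              f"still referenced by {info['referenced_by']}")
```

Any entry with a non-empty `referenced_by` list is a file that will no longer be found under its referenced name once the upload has renamed it.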
Hi @riesaau
Sorry, we've seen your report but the whole team is super busy right now and those kinds of issues are complex to solve. We'll be coming back to this later (but not right now - I just saw an e-mail from you offering a meeting - that's very kind but we're already juggling with too many things on our hands right now).
This being said, if that helps you advance in any way, I do acknowledge the issue is probably due, as @meuhland suggested, to the characters sanitizer.
For when we will be able to have a look at it (probably in 3-4 weeks at best), we will need an example content with those ~ characters to test it out (so if you have a chance at generating a small, dumb example file with the ~ issue but no intellectual property in it, posting it here would really help).
I'm not excluding the possibility from anyone else here to help you out, but SCORM issues... how do I say this... there's not a lot of people willing to spend their free time on these (next thing you know, one of those SCORM authoring tools will generate a file with those Windows-encoding whitespace that are not detected as whitespace and that open up a new vulnerability because they can be used as command triggers or whatever - just imagining).
This being said, if you are talking to the Adobe guys, maybe simply ask them for a mode where they don't use special characters in their output...?
Under Linux, "~" can be used as the shortcut for the home directory of a user, for example. Not that this would directly create a vulnerability, but it seems less confusing to me to just use hyphens. I mean, come on... runtime~main.bundle.js !?
Yes, I asked Adobe that. The meeting was with someone from the Adobe team, not with me, if you want to talk to them directly, as there may be some complexities to this. Agree, that hyphens seem much simpler. Here is a link to a tiny test course so you can see the issue for yourself. https://1drv.ms/u/s!As1YK0Zp3Lainm1VMnN7qNgdfwCI?e=vfECUg
Adobe confirmed in an email to me that Captivate is adding the tilde symbol but says it is not an issue with any other LMS. I find that surprising because aren't a lot of the commercial LMSs based on Chamilo? Or do they somehow have software that gets rid of the tilde? Or their LMS modifications don't care about tilde?
It's a peculiarity of Adobe Captivate software. Other authoring tools do not use this character.
In general, the symbols ~ and _ are not recommended in constructing URLs; therefore, it is a problem with Adobe Captivate software.
You can easily fix this issue:
main\inc\lib\api.lib.php function api_replace_dangerous_char line 6667
Add the line
$filename = str_replace('~', 'tildepass', $filename);
at the beginning
and
$filename = str_replace('tildepass','~', $filename);
at the end.
I do get this window popup when I open edit of that PHP document. Would it be easier to just choose disable?
My line number is different to yours.
Never modify a production file. If you ask a developer to do this task, it is necessary to test it in a development environment before making any code changes. Request a quote from a developer or from official Chamilo suppliers.
It's okay. I can upload the scorm and change the filename afterwards to put the tilde back. I've tested that already and it works.
But why do you say "never"? I don't use my Chamilo for anything commercial at the moment and I just play around with it. If it stopped working I could put my backup copy of that PHP file back in. So would it still be a case of never do it?
Anyway, all good. I've been in contact with Adobe again and they are going to address the problem in a soon to be released update.