moodle-mod_hvp
moodle-mod_hvp copied to clipboard
h5p
Fix fetching shared content from the H5P hub
There is a bug in Moodle core (MDL-73588) that makes CURLOPT_FILE not working as expected in cases when redirects are involved and the redirecting pages actually generate some HTML output, too.
This bug affects H5P hub and it was not possible to fetch any shared content from it in recent Moodle versions.
As a workaround, this patch stops using the CURLOPT_FILE option at all.
So, the change is that this no longer streams the request content to a file, it keeps the whole archive in memory until it can write it to file?
That's correct. And I could not think of an other solution, given that MDL-71916 was the primary security issue we need to have fixed. We cannot let cURL to blindly follow the new location from the 302 header without checking it against the defined block list. And we also cannot make multiple requests against the same URL as was discussed in MDL-72203. So the only solution I am aware of is to make standard non-streamed requests.
I am aware of the difference and I guess I understand your worries regarding fetching bigger files. I am afraid that's the price we have to pay for the gained security here.
This proposed fix will add a performance penalty and limitations when using the Hub that is not acceptable by many.
I've proposed a fix to solve the issue with Moodle's curl class here: https://github.com/moodle/moodle/compare/MOODLE_311_STABLE...icc:patch-1 Until the expected behavior is restored I suggest we just override the request function in mod/hvp/classes/curl.php with the fixed one so that people may get back to using the Hub.
I just commented at https://tracker.moodle.org/browse/MDL-73588 - I like your variant, too.
