Moodle / MDL-85175

The Filepicker is accepting wrong format files because of their purported extension


    • MOODLE_405_STABLE, MOODLE_500_STABLE

      Good day team.

      When uploading files to a Filepicker, theoretically it only accepts valid format files. For example, if we use the Filepicker for H5P, then it only accepts h5p files.

      But what if a user renames a webp file as an h5p file? The file itself remains webp, but the Filepicker takes it as an h5p.

      Preconditions

      Set up a site on the `main` branch and make sure to pull the latest commits so you know this problem is current era.

      Download the file "actualwebp.h5p" that you should find attached to this issue (or please download a webp formatted image, and rename it to "actualwebp.h5p" making sure that the file extension is .h5p (your OS may not show you the actual extension, i.e. it may show you the .h5p as part of the filename and not the extension itself, so please bear in mind to make sure)).

      Use the Tiny editor as your editor of preference.

      Steps to replicate.

      1. Log in as admin.
      2. On the frontpage, turn on edit mode.
      3. Click on "Add an activity or resource".
      4. Click on "Assignment" to add one.
      5. Scroll down to the "Description" field.
      6. Click on the H5P icon to open a modal.
      7. Click on "Browse repositories" to open the Filepicker.
      8. Click "Upload a file".
      9. Click "Choose file" to open a file browser.
      10. Select the file "actualwebp.h5p" described in the preconditions.
      11. Click "Upload this file"

      Observed behavior

      The Filepicker accepts this file despite its erroneous file format.

      Expected behavior

      I guess this is debatable. Maybe allow webp files to be added as images to a Filepicker if we are talking about accepting images? Or maybe throw an exception so the user knows the format is wrong? In the case of h5p files, ostensibly this should show an error.

      Additional info for devs

      This problem seems to come from `\file_storage::mimetype`. Inside that method, you can see a call to `\mimeinfo` before a call to `\file_storage::mimetype_from_file` is made ... turns out that the latter does not fall for this trap, while the first one accepts the file extension as such, without checking if the file is actually of that format or not.

      Assignee: Unassigned
      Reporter: Julian Tovar (julian.tovar)
      Votes: 1
      Watchers: 3
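The difference between a name-based and a content-based type lookup described under "Additional info for devs" can be shown with a stand-alone sketch. This is an added example, not Moodle code: the function names, the extension table and the sample files are constructed for illustration, and rejecting on mismatch is only one of the outcomes the report considers.

```python
import io
import zipfile

# Constructed extension -> type table standing in for an extension-based lookup.
EXTENSION_TYPES = {"h5p": "application/zip.h5p", "webp": "image/webp"}

def type_from_extension(filename):
    """Trusts the file name only, the behaviour the report describes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSION_TYPES.get(ext, "application/octet-stream")

def type_from_content(data):
    """Classifies by leading bytes and, for ZIP data, by an h5p.json manifest."""
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "h5p.json" in zf.namelist():
                    return "application/zip.h5p"
        except zipfile.BadZipFile:
            pass  # ZIP signature but unreadable archive: treat as plain ZIP
        return "application/zip"
    return "application/octet-stream"

def check_upload(filename, data, accepted):
    """Accept only if the claimed type is allowed and the content agrees with it."""
    claimed = type_from_extension(filename)
    actual = type_from_content(data)
    if claimed not in accepted:
        return False, f"type {claimed} not accepted"
    if claimed != actual:
        return False, f"name claims {claimed}, content is {actual}"
    return True, "ok"

def sample_webp():
    # Constructed: RIFF/WEBP container header only, not a decodable image.
    return b"RIFF" + (4).to_bytes(4, "little") + b"WEBP"

def sample_h5p():
    # Constructed: minimal ZIP archive carrying an h5p.json manifest.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("h5p.json", '{"title": "demo", "mainLibrary": "H5P.Demo"}')
    return buf.getvalue()

if __name__ == "__main__":
    accepted = {"application/zip.h5p"}
    print(check_upload("actualwebp.h5p", sample_webp(), accepted))
    print(check_upload("real.h5p", sample_h5p(), accepted))
```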