[LON-CAPA-cvs] cvs: loncom /auth lonacc.pm /lonnet/perl lonnet.pm

raeburn raeburn at source.lon-capa.org
Sat Jan 2 14:31:11 EST 2021


raeburn		Sat Jan  2 19:31:11 2021 EDT

  Modified files:              
    /loncom/auth	lonacc.pm 
    /loncom/lonnet/perl	lonnet.pm 
  Log:
  - Bug 6518. Content blocking check for wrapped uploaded files (e.g., PDFs), 
    uploaded files with mime types that require /adm/coursedocs/showdoc/, and
    /adm/viewclasslist.
  
  
Index: loncom/auth/lonacc.pm
diff -u loncom/auth/lonacc.pm:1.185 loncom/auth/lonacc.pm:1.186
--- loncom/auth/lonacc.pm:1.185	Tue Dec 22 22:23:37 2020
+++ loncom/auth/lonacc.pm	Sat Jan  2 19:31:11 2021
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Cookie Based Access Handler
 #
-# $Id: lonacc.pm,v 1.185 2020/12/22 22:23:37 raeburn Exp $
+# $Id: lonacc.pm,v 1.186 2021/01/02 19:31:11 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -616,11 +616,20 @@
         }
 # ---------------------------------------------------------------- Check access
 	my $now = time;
-        my ($check_symb,$check_access);
+        my ($check_symb,$check_access,$check_block,$access,$poss_symb);
 	if ($requrl !~ m{^/(?:adm|public|(?:prt|zip)spool)/}
 	    || $requrl =~ /^\/adm\/.*\/(smppg|bulletinboard)(\?|$ )/x) {
             $check_access = 1;
         }
+        if ((!$check_access) && ($env{'request.course.id'})) {
+            if (($requrl eq '/adm/viewclasslist') ||
+                ($requrl =~ m{^(/adm/wrapper|)\Q/uploaded/$cdom/$cnum/docs/\E}) ||
+                ($requrl =~ m{^/adm/.*/aboutme$}) ||
+                ($requrl=~m{^/adm/coursedocs/showdoc/}) ||
+                ($requrl=~m{^(/adm/wrapper|)/adm/$cdom/$cnum/\d+/ext\.tool$})) {
+                $check_block = 1;
+            }
+        }
         if (($env{'request.course.id'}) && (!$suppext)) {
             $requrl=~/\.(\w+)$/;
             if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') ||
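Review bot: The `ext.tool` pattern in the new `$check_block` condition interpolates `$cdom` and `$cnum` unquoted, while the `/uploaded/` pattern a few lines above wraps them in `\Q...\E`. A `.` in a domain would match any character there; a match only switches the block check on, so this errs towards more checking, but the two patterns should agree: `($requrl=~m{^(?:/adm/wrapper)?/adm/\Q$cdom\E/\Q$cnum\E/\d+/ext\.tool$})`. Both variables are assigned outside this hunk, so confirm they are always set when `$env{'request.course.id'}` is. The aboutme pattern is anchored at `aboutme$`, so `/adm/.../aboutme/portfolio` (the form named in the lines this commit removes further down) is not selected for the block check; extend the pattern if that URL should be covered.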
@@ -635,8 +644,7 @@
                 $check_symb = 1;
             }
         }
-        if ($check_access) {
-            my ($access,$poss_symb);
+        if (($check_access) || ($check_block)) {
             if ($check_symb) {
                 if ($env{'form.symb'}) {
                     $poss_symb=&Apache::lonnet::symbclean($env{'form.symb'});
@@ -656,7 +664,9 @@
                 if ($poss_symb) {
                     my ($possmap,$resid,$url)=&Apache::lonnet::decode_symb($poss_symb);
                     $url = &Apache::lonnet::clutter($url);
-                    unless (($url eq $requrl) && (&Apache::lonnet::is_on_map($possmap))) {
+                    my $toplevelmap = $env{'course.'.$env{'request.course.id'}.'.url'};
+                    unless (($url eq $requrl) && (($possmap eq $toplevelmap) ||
+                                                  (&Apache::lonnet::is_on_map($possmap)))) {
                         undef($poss_symb);
                     }
                     if ($poss_symb) {
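Review bot: `$toplevelmap` is read from `%env` with no check that the `course.<id>.url` entry exists, so a missing entry makes `$possmap eq $toplevelmap` compare against undef, which warns and is true for an empty `$possmap`, skipping `is_on_map()`. Guarding the shortcut keeps it limited to a real top-level map: `my $toplevelmap = $env{'course.'.$env{'request.course.id'}.'.url'} // '';` and `(($toplevelmap ne '') && ($possmap eq $toplevelmap))`. Whether `decode_symb()` returns the map in the same normalised form as the stored course URL is not visible in this hunk and is worth confirming. A short comment on why the top-level map may bypass `is_on_map()` would help, since the reason is not evident from the code.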
@@ -674,6 +684,18 @@
             } else {
                 $access=&Apache::lonnet::allowed('bre',$requrl);
             }
+        }
+        if ($check_block) {
+            if ($access eq 'B') {
+                if ($poss_symb) {
+                    if (&Apache::lonnet::symbverify($poss_symb,$requrl)) {
+                        $env{'request.symb'} = $poss_symb;
+                    }
+                }
+                &Apache::blockedaccess::setup_handler($r);
+                return OK;
+            }
+        } elsif ($check_access) {
             if ($handle eq '') {
                 unless ($access eq 'F') {
                     if ($requrl =~ m{^/res/$match_domain/$match_username/}) {
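Review bot: In the new `if ($check_block)` branch only `$access eq 'B'` is acted on, so any other result from `allowed()`, including a denial, falls through with nothing saying this is deliberate. I would add a comment above the branch such as `# block-only check: other access values are left to the target handler` (presumably the intent; confirm), and initialise `$access` to `''` at its declaration so the `eq` never sees undef if no assignment above ran. The symbverify-then-`setup_handler` sequence is also repeated in the `$access eq 'B'` case of the `elsif ($check_access)` branch; a small private helper would keep the two copies in step. The `elsif` body continues outside this hunk.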
@@ -691,9 +713,6 @@
 	    }
             if ($access eq 'B') {
                 if ($poss_symb) {
-                    if ($requrl=~m{^(/adm/.*/aboutme)/portfolio$}) {
-                        $requrl = $1;
-                    }
                     if (&Apache::lonnet::symbverify($poss_symb,$requrl)) {
                         $env{'request.symb'} = $poss_symb;
                     }
Index: loncom/lonnet/perl/lonnet.pm
diff -u loncom/lonnet/perl/lonnet.pm:1.1435 loncom/lonnet/perl/lonnet.pm:1.1436
--- loncom/lonnet/perl/lonnet.pm:1.1435	Sat Jan  2 18:38:02 2021
+++ loncom/lonnet/perl/lonnet.pm	Sat Jan  2 19:31:11 2021
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # TCP networking package
 #
-# $Id: lonnet.pm,v 1.1435 2021/01/02 18:38:02 raeburn Exp $
+# $Id: lonnet.pm,v 1.1436 2021/01/02 19:31:11 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -8082,7 +8082,7 @@
 
     if (defined($env{'allowed.'.$priv})) { return $env{'allowed.'.$priv}; }
 # Free bre access to adm and meta resources
-    if (((($uri=~/^adm\//) && ($uri !~ m{/(?:smppg|bulletinboard|ext\.tool)$})) 
+    if (((($uri=~/^adm\//) && ($uri !~ m{/(?:smppg|bulletinboard|viewclasslist|aboutme|ext\.tool)$})) 
 	 || (($uri=~/\.meta$/) && ($uri!~m|^uploaded/|) )) 
 	&& ($priv eq 'bre')) {
 	return 'F';
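Review bot: The free-`bre` shortcut now excludes `viewclasslist` and `aboutme`, but as far as this hunk shows, URIs under `adm/coursedocs/showdoc/` and `adm/wrapper/uploaded/` still match `^adm\/` and return 'F' here. lonacc.pm in this commit sets `$check_block` for those forms and then tests `$access eq 'B'`, so unless the URI is rewritten earlier in this function or lonacc.pm passes a stripped URL (neither is visible), the block check cannot fire for them. That is worth confirming with a test request for each URL form while a block is active. The name list is also now split between this regex and the lonacc.pm condition; a comment such as `# keep in sync with the $check_block URL list in lonacc.pm` would help the next change.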



