[LON-CAPA-cvs] cvs: loncom /auth lonacc.pm /lonnet/perl lonnet.pm
raeburn
raeburn at source.lon-capa.org
Sat Jan 2 14:31:11 EST 2021
raeburn Sat Jan 2 19:31:11 2021 EDT
Modified files:
/loncom/auth lonacc.pm
/loncom/lonnet/perl lonnet.pm
Log:
- Bug 6518. Content blocking check for wrapped uploaded files (e.g., PDFs),
uploaded files with mime types that require /adm/coursedocs/showdoc/, and
/adm/viewclasslist.
Index: loncom/auth/lonacc.pm
diff -u loncom/auth/lonacc.pm:1.185 loncom/auth/lonacc.pm:1.186
--- loncom/auth/lonacc.pm:1.185 Tue Dec 22 22:23:37 2020
+++ loncom/auth/lonacc.pm Sat Jan 2 19:31:11 2021
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Cookie Based Access Handler
#
-# $Id: lonacc.pm,v 1.185 2020/12/22 22:23:37 raeburn Exp $
+# $Id: lonacc.pm,v 1.186 2021/01/02 19:31:11 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -616,11 +616,20 @@
}
# ---------------------------------------------------------------- Check access
my $now = time;
- my ($check_symb,$check_access);
+ my ($check_symb,$check_access,$check_block,$access,$poss_symb);
if ($requrl !~ m{^/(?:adm|public|(?:prt|zip)spool)/}
|| $requrl =~ /^\/adm\/.*\/(smppg|bulletinboard)(\?|$ )/x) {
$check_access = 1;
}
+ if ((!$check_access) && ($env{'request.course.id'})) {
+ if (($requrl eq '/adm/viewclasslist') ||
+ ($requrl =~ m{^(/adm/wrapper|)\Q/uploaded/$cdom/$cnum/docs/\E}) ||
+ ($requrl =~ m{^/adm/.*/aboutme$}) ||
+ ($requrl=~m{^/adm/coursedocs/showdoc/}) ||
+ ($requrl=~m{^(/adm/wrapper|)/adm/$cdom/$cnum/\d+/ext\.tool$})) {
+ $check_block = 1;
+ }
+ }
if (($env{'request.course.id'}) && (!$suppext)) {
$requrl=~/\.(\w+)$/;
if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') ||
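Review bot: The new ext.tool pattern interpolates `$cdom` and `$cnum` unquoted, while the uploaded-docs pattern three lines above wraps them in `\Q…\E`. Any regex metacharacter in a domain (a `.`, for instance) then acts as a wildcard when deciding whether the content-blocking check runs. Quote it the same way: `m{^(/adm/wrapper|)\Q/adm/$cdom/$cnum/\E\d+/ext\.tool$}`. Where `$cdom` and `$cnum` are assigned is outside the hunk, so confirm they are always non-empty when `request.course.id` is set.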
@@ -635,8 +644,7 @@
$check_symb = 1;
}
}
- if ($check_access) {
- my ($access,$poss_symb);
+ if (($check_access) || ($check_block)) {
if ($check_symb) {
if ($env{'form.symb'}) {
$poss_symb=&Apache::lonnet::symbclean($env{'form.symb'});
@@ -656,7 +664,9 @@
if ($poss_symb) {
my ($possmap,$resid,$url)=&Apache::lonnet::decode_symb($poss_symb);
$url = &Apache::lonnet::clutter($url);
- unless (($url eq $requrl) && (&Apache::lonnet::is_on_map($possmap))) {
+ my $toplevelmap = $env{'course.'.$env{'request.course.id'}.'.url'};
+ unless (($url eq $requrl) && (($possmap eq $toplevelmap) ||
+ (&Apache::lonnet::is_on_map($possmap)))) {
undef($poss_symb);
}
if ($poss_symb) {
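Review bot: `$toplevelmap` is undef when `$env{'request.course.id'}` is empty, which the `$check_access` path from the earlier hunk permits. `$possmap eq $toplevelmap` then compares against undef: it warns, and an empty map part would compare equal and bypass `is_on_map`. Guard the shortcut, e.g. `((defined($toplevelmap)) && ($toplevelmap ne '') && ($possmap eq $toplevelmap))`. Whether a later `symbverify` call would still reject such a symb is not visible here, and the enclosing block continues outside the hunk.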
@@ -674,6 +684,18 @@
} else {
$access=&Apache::lonnet::allowed('bre',$requrl);
}
+ }
+ if ($check_block) {
+ if ($access eq 'B') {
+ if ($poss_symb) {
+ if (&Apache::lonnet::symbverify($poss_symb,$requrl)) {
+ $env{'request.symb'} = $poss_symb;
+ }
+ }
+ &Apache::blockedaccess::setup_handler($r);
+ return OK;
+ }
+ } elsif ($check_access) {
if ($handle eq '') {
unless ($access eq 'F') {
if ($requrl =~ m{^/res/$match_domain/$match_username/}) {
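Review bot: The `$check_block` branch acts only on `$access eq 'B'` and lets every other result through, including an empty (denied) value, with nothing stating that this is deliberate. Since the lonnet.pm change in this commit stops returning a free 'F' for viewclasslist and aboutme, `allowed()` may now return other values for those URLs. A comment such as `# Only 'B' is enforced here; any other result is left to the target handler` would make the intent explicit. The 'B' handling also repeats the `symbverify` step from the `$check_access` branch further down and could share it. The enclosing `if` chain continues outside the hunk.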
@@ -691,9 +713,6 @@
}
if ($access eq 'B') {
if ($poss_symb) {
- if ($requrl=~m{^(/adm/.*/aboutme)/portfolio$}) {
- $requrl = $1;
- }
if (&Apache::lonnet::symbverify($poss_symb,$requrl)) {
$env{'request.symb'} = $poss_symb;
}
Index: loncom/lonnet/perl/lonnet.pm
diff -u loncom/lonnet/perl/lonnet.pm:1.1435 loncom/lonnet/perl/lonnet.pm:1.1436
--- loncom/lonnet/perl/lonnet.pm:1.1435 Sat Jan 2 18:38:02 2021
+++ loncom/lonnet/perl/lonnet.pm Sat Jan 2 19:31:11 2021
@@ -1,7 +1,7 @@
# The LearningOnline Network
# TCP networking package
#
-# $Id: lonnet.pm,v 1.1435 2021/01/02 18:38:02 raeburn Exp $
+# $Id: lonnet.pm,v 1.1436 2021/01/02 19:31:11 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -8082,7 +8082,7 @@
if (defined($env{'allowed.'.$priv})) { return $env{'allowed.'.$priv}; }
# Free bre access to adm and meta resources
- if (((($uri=~/^adm\//) && ($uri !~ m{/(?:smppg|bulletinboard|ext\.tool)$}))
+ if (((($uri=~/^adm\//) && ($uri !~ m{/(?:smppg|bulletinboard|viewclasslist|aboutme|ext\.tool)$}))
|| (($uri=~/\.meta$/) && ($uri!~m|^uploaded/|) ))
&& ($priv eq 'bre')) {
return 'F';
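Review bot: URLs under /adm/coursedocs/showdoc/ and /adm/wrapper/uploaded/ end in none of the excluded suffixes, so if `$uri` still carries those prefixes at this line they get the free 'F'. In that case the 'B' result that lonacc.pm now waits for would never appear. The normalisation of `$uri` happens before the hunk and is not shown; if it strips those prefixes, say so here, e.g. `# $uri has wrapper/showdoc prefixes removed above, so uploaded docs do not match ^adm/`. A regression test that a blocked uploaded PDF requested through the wrapper yields 'B' would pin this down.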