Public bug reported:

Mahara: 17.10.2
OS: Ubuntu 16.04
PHP: 7.0
DB: Postgres
Browser: n/a

During an XML-RPC 'File' transfer (not a 'Leap2A' transfer) from Moodle to
Mahara, a file name containing Unicode characters has those characters stripped
out. Clamdscan then can't find the file when it tries to scan it and reports an
error.


The error message coming from Clam is:

ERROR: Can't access file
/var/lib/sitedata/temp/import/339/extract/uploadxxxassignment1.txt

The file name should be: upload(xxx)assignment1.txt

Please note that the brackets are actually Unicode: %uFF08 and %uFF09


The PHP core function that strips the Unicode characters is: escapeshellarg($fullpath)

This is in htdocs/lib/uploadmanager.php::mahara_clam_scan_file(), line 337.


We were able to reproduce by:

1. Set up a Moodle / Mahara XML-RPC integration
2. In Mahara, set up ClamAV (or clamdscan) virus checking
3. In Moodle, create a course and set up an assignment to upload a file
4. In Moodle, enrol a test user in the course.
5. In Moodle, log in as the test user and go to the course.
6. In Moodle, upload a file with the Unicode characters %uFF08 and %uFF09 in the name (I've attached a sample).
7. In Moodle, export the file to Mahara and select 'File'
8. In Moodle, the following error will appear to the user:

Exception: Failed to start communication with remote server: remote server 
error: code: , message: Your administrator has enabled virus checking for file 
uploads but has misconfigured something. Your file upload was NOT successful. 
Your administrator was notified so they can fix it. Maybe try uploading this 
file later.ERROR 4:
4: remote server error: code: , message: Your administrator has enabled virus 
checking for file uploads but has misconfigured something. Your file upload was 
NOT successful. Your administrator was notified so they can fix it. Maybe try 
uploading this file later.
in ./portfolio/mahara/lib.php on line 212.
Stack trace:

    line 212 of ./portfolio/mahara/lib.php: portfolio_export_exception thrown
    line 510 of ./lib/portfolio/exporter.php: call to 
portfolio_plugin_mahara->send_package()
    line 227 of ./lib/portfolio/exporter.php: call to 
portfolio_exporter->process_stage_send()
    line 233 of ./lib/portfolio/exporter.php: call to 
portfolio_exporter->process_stage()
    line 233 of ./lib/portfolio/exporter.php: call to 
portfolio_exporter->process_stage()
    line 265 of ./portfolio/add.php: call to portfolio_exporter->process_stage()


9. In Mahara, an error is generated in the error log:

*14997 FastCGI sent in stderr: "PHP message: [DBG] 75 
(lib/uploadmanager.php:452) Clam AV has found a file that is infected with a 
virus. It was uploaded by  . The original file path of the infected file was 
/var/lib/sitedata/temp/import/341/extract/upload<EF><BC><88>xxx<EF><BC><89>assignment1.txt.
 The file has been moved to a quarantine directory and the new path is 
/var/lib/sitedata/quarantine/20180312093305-user-0-infected#012PHP message: 
[WAR] 75 (import/file/lib.php:58) Your administrator has enabled virus checking 
for file uploads but has misconfigured something. Your file upload was NOT 
successful. Your administrator was notified so they can fix it. Maybe try 
uploading this file later.#012PHP message: Call stack (most recent 
first):#012PHP message:   
* PluginImportFile->verify_file_contents() at 
/var/www/site/import/file/lib.php:37#012PHP message:   
* PluginImportFile->process() at /var/www/site/api/xmlrpc/lib.php:514#012PHP 
message:   
* send_content_ready("f3b1200695be08bdfeeea32918048b1be2ae89e3", "xxxx", 
"file", array(size 4), 1) at /var/www/site/api/xmlrpc/lib.php:115#012PHP 
message:   
* api_dummy_method("portfolio/mahara/lib.php/send_content_ready", array(size 
5), "send_content_ready") at Unknown:0#012PHP message:   
* xmlrpc_server_call_method(resource(#23), "<?xml version="1.0" 
encoding="utf-8"?>#012PHP message: <methodCall...", "send_content_ready", 
array(size 1)) at /var/www/site/api/xmlrpc/dispatcher.php:178#012PHP message:   
* Dispatcher->__construct("<?xml version="1.0" encoding="utf-8"?>#012PHP 
message: <methodCall...", true, true) at 
/var/www/site/api/xmlrpc/server.php:122#012PHP message:" while reading response 
header from upstream, client: xxx.xxx.xxx.xxx, server: xxx.com, request: "POST 
/api/xmlrpc/server.php HTTP/1.1", upstream: 
"fastcgi://unix:/var/run/php-fpm7.sock:", host: "eportfolio-test.com"


10. In Mahara, a system message (in inbox) is sent to the administrator:


You have been sent a notification from ePortfolios. Message follows:
------------------------------------------------------------------------

From: System

To: Admin

ClamAV has failed to run. The return error message was  An error
occurred. Here is the output from ClamAV:

ERROR: Can't access file
/var/lib/sitedata/temp/import/349/extract/uploadxxxassignment1.txt

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.214 sec (0 m 0 s)
The file has been moved to a quarantine directory.


------------------------------------------------------------------------


11. In Mahara, the file is moved to the quarantine directory:

-rw-r--r-- 1 www-data www-data 15 Mar 11 22:33
20180312093305-user-0-infected


The call to escapeshellarg() is essential: without it, a crafted file name could
inject additional shell commands and compromise the system.


One option is to rename the file to a safe temporary name at the beginning of this
function, scan it, and then rename it back to its original name.
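The rename approach above, as an added example (not Mahara's own code). It also shows why the name is lost: escapeshellarg() decodes multibyte characters with the process LC_CTYPE locale and silently drops bytes it cannot decode, so under the default C locale the UTF-8 brackets disappear. The scanner path $clamPath and the function names are assumed for this example.

```php
<?php
// Added example, not Mahara's code. Assumes $clamPath is a configured,
// trusted scanner binary such as '/usr/bin/clamdscan'.

// escapeshellarg() decodes multibyte characters using the process LC_CTYPE
// locale and drops bytes it cannot decode. Returns the escaped name under the
// C locale and under a UTF-8 locale (null if no UTF-8 locale is installed).
function escaped_name_by_locale(string $name): array {
    $saved = setlocale(LC_CTYPE, '0') ?: 'C';      // query the current locale
    setlocale(LC_CTYPE, 'C');
    $inC = escapeshellarg($name);                   // 'uploadxxxassignment1.txt'
    $utf8 = setlocale(LC_CTYPE, 'C.UTF-8', 'en_US.UTF-8') === false
        ? null
        : escapeshellarg($name);                    // fullwidth brackets preserved
    setlocale(LC_CTYPE, $saved);                    // restore for the rest of the process
    return ['C' => $inC, 'UTF-8' => $utf8];
}

// The option suggested in the report: scan under a temporary ASCII-only name
// in the same directory, then restore the original name whatever happens.
// Returns the scanner exit status: 0 clean, 1 infected, 2 scanner error.
function scan_with_ascii_name(string $clamPath, string $fullpath): int {
    $tmp = dirname($fullpath) . '/scan_' . bin2hex(random_bytes(8)) . '.tmp';
    if (!rename($fullpath, $tmp)) {
        throw new RuntimeException('Cannot rename file for scanning');
    }
    try {
        // Program path and argument are both escaped; $tmp is ASCII-only, so
        // escapeshellarg() cannot alter it regardless of the active locale.
        exec(escapeshellcmd($clamPath) . ' ' . escapeshellarg($tmp), $output, $status);
    } finally {
        if (!rename($tmp, $fullpath)) {
            throw new RuntimeException('Scanned file could not be renamed back: ' . $tmp);
        }
    }
    // Exit code 2 means the scanner itself failed (unreadable path, daemon down):
    // report a misconfiguration rather than treating the file as infected.
    return $status;
}

// Constructed sample name matching the one in the report (U+FF08 / U+FF09).
$name = "upload\u{FF08}xxx\u{FF09}assignment1.txt";
print_r(escaped_name_by_locale($name));
```

Setting a UTF-8 locale is process-wide under PHP-FPM, which is why the rename approach is the safer of the two for a shared site.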


Please note that a direct upload of the file to Mahara does not cause this issue. Neither does a Leap2A export from Moodle.

** Affects: mahara
     Importance: Undecided
         Status: New

** Attachment added: "upload(xxx)assignment1.txt"
   https://bugs.launchpad.net/bugs/1755046/+attachment/5076275/+files/upload%EF%BC%88xxx%EF%BC%89assignment1.txt

https://bugs.launchpad.net/bugs/1755046

Title:
  File name stripped of unicode chars in file transfer from Moodle to
  Mahara

Status in Mahara:
  New

