In some places we prevented cache poisoning, in others we did not. We
also did not place any restriction on the minimum value for a revision.
This change introduces a new set of functions for configonly endpoints
which validates the revision numbers passed in. If the revision is
either too old, or too new, it is rejected and the file content is not
cached. The content is still served, but caching headers are not sent,
and any local storage caching is prevented.
The current time is used as the maximum version, with 60 seconds added
to allow for any clock skew between cluster nodes. Previously some
locations used one hour, but there should never be such a large clock
skew on a correctly configured system.
Co-authored-by: Andrew Nicols <andrew@nicols.co.uk>
Applied the following changes to various testcase classes:
- Namespaced with component[\level2-API]
- Moved to level2-API subdirectory when required.
- Fixed incorrect use statements with leading backslash.
- Remove file phpdoc block
- Remove MOODLE_INTERNAL if not needed.
- Changed code to point to global scope when needed.
- Fix some relative paths and comments here and there.
- All them passing individually.
- Complete runs passing too.
Special mention to:
- The following task tests have been moved within the level2 directory:
- \core\adhoc_task_test => \core\task\adhoc_task_test
- \core\scheduled_task_test => \core\task\scheduled_task_test
- \core\calendar_cron_task_test => \core\task\calendar_cron_task_test
- \core\h5p_get_content_types_task_test => \core\task\h5p_get_content_types_task_test
- \core\task_database_logger_test => \core\task\database_logger_test
- \core\task_logging_test => \core\task\logging_test
- The following event tests have been moved within level2 directory:
- \core\event_context_locked_test => \core\event\context_locked_test
- \core\event_deprecated_test => \core\event\deprecated_test
- \core\event_grade_deleted_test => \core\event\grade_deleted_test
- \core\event_profile_field_test => \core\event\profile_field_test
- \core\event_unknown_logged_test => \core\event\unknown_logged_test
- \core\event_user_graded_test => \core\event\user_graded_test
- \core\event_user_password_updated_test => \core\event\user_password_updated_test
- The following output tests have been moved within level2 directory:
- \core\mustache_template_finder_test => \core\output\mustache_template_finder_test
- \core\mustache_template_source_loader_test => \core\output\mustache_template_source_loader_test
- \core\output_mustache_helper_collection_test => \core\output\mustache_helper_collection_test
- The following tests have been moved to their correct tests directories:
- lib/tests/time_splittings_test.php => analytics/tests/time_splittings_test.php
- All the classes and tests under lib/filebrowser and lib/filestorage
belong to core, not to core_files. Some day we should move
them to their correct subsystem.
- All the classes and tests under lib/grade belong to core, not
to core_grades. Some day we should move them to their correct
subsystem.
- The core_grades_external class and its \core\grades_external_test
unit test should belong to the grades subsystem or, alternatively,
to \core\external, they both should be moved together.
- The core_grading_external class and its \core\grading_external_test
unit test should belong to the grading subsystem or, alternatively,
to \core\external, they both should be moved together.
- The \core\message\message and \core\message\inbound (may be others)
classes, and their associated tests should go to the core_message
subsystem.
- The core_user class, and its associated tests should go to the
core_user subsystem.
- The \core\update namespace is plain wrong (update is not valid API)
and needs action 1) create it or 2) move elsewhere.
This includes:
- Changing PHPUnit's bootstrap to use https://www...
- Modify all existing expectations to the new wwwroot.
- Amend some tests now with different defaults because of is_https()
- Added a note to main upgrade.php about the change.
The result from this function is used in send_file calls and if unclean
(windows dir separators, or .. path components) it could expose sensitive
files (e.g. .php files). Now we always clean the result from this function
even if it means double cleaning.
I also fixed the unit test for this function and added a new test for this cleaning.
I also updated the comments to point to get_file_argument as the full version of
min_get_slash_argument.