Commit Graph

4 Commits

Author SHA1 Message Date
David Woloszyn 7679452caf MDL-77846 core: Make endpoint revision number checks stricter
In some places we prevented cache poisoning, in others we did not. We
also did not place any restriction on the minimum value for a revision.

This change introduces a new set of functions for configonly endpoints
which validates the revision numbers passed in. If the revision is
either too old, or too new, it is rejected and the file content is not
cached. The content is still served, but caching headers are not sent,
and any local storage caching is prevented.

The current time is used as the maximum version, with 60 seconds added
to allow for any clock skew between cluster nodes. Previously some
locations used one hour, but there should never be such a large clock
skew on a correctly configured system.

Co-authored-by: Andrew Nicols <andrew@nicols.co.uk>
2023-10-04 01:24:19 +00:00
David Woloszyn da81f260f0 MDL-78005 editor_tiny: Declared vars to supress error logging 2023-05-18 12:57:56 +10:00
Andrew Nicols 59d42e1ed2 MDL-77718 editor_tiny: Restrict the revision to int for loaders
The revision should always be an int. I suspect this was missed during
debugging and not corrected.
2023-04-19 16:44:19 +00:00
Andrew Nicols 90c40fba5d MDL-75271 editor_tiny: Add a cache-busting loader for TinyMCE
Part of MDL-75966

This commit adds a cache-busting loader API for use in the TinyMCE
plugin.

This is not for use in any TinyMCE subplugins at this time as we have no
use-case outside of AMD modules.

This loader ensures that only files within the js/tiny directory are
loaded, and it only supports either .js or .css files at this time.

The client-side of the loader makes use of the jsrevision as a
cache-buster, including for CSS files included with TinyMCE.

If the revision is negative, then files are not cached.
If the revision is positive, then the requested file is cached in a
candidate file and served using aggressive cache headers.
2022-11-10 19:52:15 +08:00