Search moodle.org's
Developer Documentation

See Release Notes

  • Bug fixes for general core bugs in 4.3.x will end 7 October 2024 (12 months).
  • Bug fixes for security issues in 4.3.x will end 21 April 2025 (18 months).
  • PHP version: minimum PHP 8.0.0 Note: minimum PHP version has increased since Moodle 4.1. PHP 8.2.x is supported too.

Differences Between: [Versions 310 and 403] [Versions 311 and 403] [Versions 39 and 403] [Versions 400 and 403] [Versions 401 and 403] [Versions 402 and 403]

   1  <?php
   2  
   3  // This file is part of Moodle - http://moodle.org/
   4  //
   5  // Moodle is free software: you can redistribute it and/or modify
   6  // it under the terms of the GNU General Public License as published by
   7  // the Free Software Foundation, either version 3 of the License, or
   8  // (at your option) any later version.
   9  //
  10  // Moodle is distributed in the hope that it will be useful,
  11  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13  // GNU General Public License for more details.
  14  //
  15  // You should have received a copy of the GNU General Public License
  16  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  17  
  18  /**
  19   * Private url module utility functions
  20   *
  21   * @package    mod_url
  22   * @copyright  2009 Petr Skoda  {@link http://skodak.org}
  23   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  24   */
  25  
  26  defined('MOODLE_INTERNAL') || die;
  27  
  28  require_once("$CFG->libdir/filelib.php");
  29  require_once("$CFG->libdir/resourcelib.php");
  30  require_once("$CFG->dirroot/mod/url/lib.php");
  31  
  32  /**
  33   * This methods does weak url validation, we are looking for major problems only,
  34   * no strict RFE validation.
  35   *
  36   * @param $url
  37   * @return bool true is seems valid, false if definitely not valid URL
  38   */
  39  function url_appears_valid_url($url) {
  40      if (preg_match('/^(\/|https?:|ftp:)/i', $url)) {
  41          // note: this is not exact validation, we look for severely malformed URLs only
  42          return (bool) preg_match('/^[a-z]+:\/\/([^:@\s]+:[^@\s]+@)?[^ @]+(:[0-9]+)?(\/[^#]*)?(#.*)?$/i', $url);
  43      } else {
  44          return (bool)preg_match('/^[a-z]+:\/\/...*$/i', $url);
  45      }
  46  }
  47  
  48  /**
  49   * Fix common URL problems that we want teachers to see fixed
  50   * the next time they edit the resource.
  51   *
  52   * This function does not include any XSS protection.
  53   *
  54   * @param string $url
  55   * @return string
  56   */
  57  function url_fix_submitted_url($url) {
  58      // note: empty urls are prevented in form validation
  59      $url = trim($url);
  60  
  61      // remove encoded entities - we want the raw URI here
  62      $url = html_entity_decode($url, ENT_QUOTES, 'UTF-8');
  63  
  64      if (!preg_match('|^[a-z]+:|i', $url) and !preg_match('|^/|', $url)) {
  65          // invalid URI, try to fix it by making it normal URL,
  66          // please note relative urls are not allowed, /xx/yy links are ok
  67          $url = 'http://'.$url;
  68      }
  69  
  70      return $url;
  71  }
  72  
  73  /**
  74   * Return full url with all extra parameters
  75   *
  76   * This function does not include any XSS protection.
  77   *
  78   * @param stdClass $url
  79   * @param object $cm
  80   * @param object $course
  81   * @param object $config
  82   * @return string url with & encoded as &amp;
  83   */
  84  function url_get_full_url($url, $cm, $course, $config=null) {
  85  
  86      $parameters = empty($url->parameters) ? [] : (array) unserialize_array($url->parameters);
  87  
  88      // make sure there are no encoded entities, it is ok to do this twice
  89      $fullurl = html_entity_decode($url->externalurl, ENT_QUOTES, 'UTF-8');
  90  
  91      $letters = '\pL';
  92      $latin = 'a-zA-Z';
  93      $digits = '0-9';
  94      $symbols = '\x{20E3}\x{00AE}\x{00A9}\x{203C}\x{2047}\x{2048}\x{2049}\x{3030}\x{303D}\x{2139}\x{2122}\x{3297}\x{3299}' .
  95                 '\x{2300}-\x{23FF}\x{2600}-\x{27BF}\x{2B00}-\x{2BF0}';
  96      $arabic = '\x{FE00}-\x{FEFF}';
  97      $math = '\x{2190}-\x{21FF}\x{2900}-\x{297F}';
  98      $othernumbers = '\x{2460}-\x{24FF}';
  99      $geometric = '\x{25A0}-\x{25FF}';
 100      $emojis = '\x{1F000}-\x{1F6FF}';
 101  
 102      if (preg_match('/^(\/|https?:|ftp:)/i', $fullurl) or preg_match('|^/|', $fullurl)) {
 103          // encode extra chars in URLs - this does not make it always valid, but it helps with some UTF-8 problems
 104          // Thanks to 💩.la emojis count as valid, too.
 105          $allowed = "[" . $letters . $latin . $digits . $symbols . $arabic . $math . $othernumbers . $geometric .
 106              $emojis . "]" . preg_quote(';/?:@=&$_.+!*(),-#%', '/');
 107          $fullurl = preg_replace_callback("/[^$allowed]/u", 'url_filter_callback', $fullurl);
 108      } else {
 109          // encode special chars only
 110          $fullurl = str_replace('"', '%22', $fullurl);
 111          $fullurl = str_replace('\'', '%27', $fullurl);
 112          $fullurl = str_replace(' ', '%20', $fullurl);
 113          $fullurl = str_replace('<', '%3C', $fullurl);
 114          $fullurl = str_replace('>', '%3E', $fullurl);
 115      }
 116  
 117      // add variable url parameters
 118      if (!empty($parameters)) {
 119          if (!$config) {
 120              $config = get_config('url');
 121          }
 122          $paramvalues = url_get_variable_values($url, $cm, $course, $config);
 123  
 124          foreach ($parameters as $parse=>$parameter) {
 125              if (isset($paramvalues[$parameter])) {
 126                  $parameters[$parse] = rawurlencode($parse).'='.rawurlencode($paramvalues[$parameter]);
 127              } else {
 128                  unset($parameters[$parse]);
 129              }
 130          }
 131  
 132          if (!empty($parameters)) {
 133              if (stripos($fullurl, 'teamspeak://') === 0) {
 134                  $fullurl = $fullurl.'?'.implode('?', $parameters);
 135              } else {
 136                  $join = (strpos($fullurl, '?') === false) ? '?' : '&';
 137                  $fullurl = $fullurl.$join.implode('&', $parameters);
 138              }
 139          }
 140      }
 141  
 142      // encode all & to &amp; entity
 143      $fullurl = str_replace('&', '&amp;', $fullurl);
 144  
 145      return $fullurl;
 146  }
 147  
 148  /**
 149   * Unicode encoding helper callback
 150   * @internal
 151   * @param array $matches
 152   * @return string
 153   */
 154  function url_filter_callback($matches) {
 155      return rawurlencode($matches[0]);
 156  }
 157  
 158  /**
 159   * Print url header.
 160   * @param object $url
 161   * @param object $cm
 162   * @param object $course
 163   * @return void
 164   */
 165  function url_print_header($url, $cm, $course) {
 166      global $PAGE, $OUTPUT;
 167  
 168      $PAGE->set_title($course->shortname.': '.$url->name);
 169      $PAGE->set_heading($course->fullname);
 170      $PAGE->set_activity_record($url);
 171      echo $OUTPUT->header();
 172  }
 173  
 174  /**
 175   * Get url introduction.
 176   *
 177   * @param object $url
 178   * @param object $cm
 179   * @param bool $ignoresettings print even if not specified in modedit
 180   * @return string
 181   */
 182  function url_get_intro(object $url, object $cm, bool $ignoresettings = false): string {
 183      $options = empty($url->displayoptions) ? [] : (array) unserialize_array($url->displayoptions);
 184      if ($ignoresettings or !empty($options['printintro'])) {
 185          if (trim(strip_tags($url->intro))) {
 186              return format_module_intro('url', $url, $cm->id);
 187          }
 188      }
 189  
 190      return '';
 191  }
 192  
 193  /**
 194   * Display url frames.
 195   * @param object $url
 196   * @param object $cm
 197   * @param object $course
 198   * @return does not return
 199   */
 200  function url_display_frame($url, $cm, $course) {
 201      global $PAGE, $OUTPUT, $CFG;
 202  
 203      $frame = optional_param('frameset', 'main', PARAM_ALPHA);
 204  
 205      if ($frame === 'top') {
 206          $PAGE->set_pagelayout('frametop');
 207          $PAGE->activityheader->set_attrs([
 208              'description' => url_get_intro($url, $cm),
 209              'title' => format_string($url->name)
 210          ]);
 211          url_print_header($url, $cm, $course);
 212          echo $OUTPUT->footer();
 213          die;
 214  
 215      } else {
 216          $config = get_config('url');
 217          $context = context_module::instance($cm->id);
 218          $exteurl = url_get_full_url($url, $cm, $course, $config);
 219          $navurl = "$CFG->wwwroot/mod/url/view.php?id=$cm->id&amp;frameset=top";
 220          $coursecontext = context_course::instance($course->id);
 221          $courseshortname = format_string($course->shortname, true, array('context' => $coursecontext));
 222          $title = strip_tags($courseshortname.': '.format_string($url->name));
 223          $framesize = $config->framesize;
 224          $modulename = s(get_string('modulename','url'));
 225          $contentframetitle = s(format_string($url->name));
 226          $dir = get_string('thisdirection', 'langconfig');
 227  
 228          $extframe = <<<EOF
 229  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
 230  <html dir="$dir">
 231    <head>
 232      <meta http-equiv="content-type" content="text/html; charset=utf-8" />
 233      <title>$title</title>
 234    </head>
 235    <frameset rows="$framesize,*">
 236      <frame src="$navurl" title="$modulename"/>
 237      <frame src="$exteurl" title="$contentframetitle"/>
 238    </frameset>
 239  </html>
 240  EOF;
 241  
 242          @header('Content-Type: text/html; charset=utf-8');
 243          echo $extframe;
 244          die;
 245      }
 246  }
 247  
 248  /**
 249   * Print url info and link.
 250   * @param object $url
 251   * @param object $cm
 252   * @param object $course
 253   */
 254  function url_print_workaround($url, $cm, $course) {
 255      global $OUTPUT, $PAGE, $USER;
 256  
 257      $PAGE->activityheader->set_description(url_get_intro($url, $cm, true));
 258      url_print_header($url, $cm, $course);
 259  
 260      $fullurl = new moodle_url(url_get_full_url($url, $cm, $course));
 261  
 262      $display = url_get_final_display_type($url);
 263      if ($display == RESOURCELIB_DISPLAY_POPUP) {
 264          $jsfullurl = addslashes_js($fullurl->out(false));
 265          $options = empty($url->displayoptions) ? [] : (array) unserialize_array($url->displayoptions);
 266          $width  = empty($options['popupwidth'])  ? 620 : $options['popupwidth'];
 267          $height = empty($options['popupheight']) ? 450 : $options['popupheight'];
 268          $wh = "width=$width,height=$height,toolbar=no,location=no,menubar=no,copyhistory=no,status=no,directories=no,scrollbars=yes,resizable=yes";
 269          $attributes = ['onclick' => "window.open('$jsfullurl', '', '$wh'); return false;"];
 270  
 271      } else if ($display == RESOURCELIB_DISPLAY_NEW) {
 272          $attributes = ['onclick' => "this.target='_blank';"];
 273  
 274      } else {
 275          $attributes = [];
 276      }
 277  
 278      echo '<div class="urlworkaround">';
 279      print_string('clicktoopen', 'url', html_writer::link($fullurl, format_string($cm->name), $attributes));
 280      echo '</div>';
 281  
 282      echo $OUTPUT->footer();
 283      die;
 284  }
 285  
 286  /**
 287   * Display embedded url file.
 288   * @param object $url
 289   * @param object $cm
 290   * @param object $course
 291   */
 292  function url_display_embed($url, $cm, $course) {
 293      global $PAGE, $OUTPUT;
 294  
 295      $mimetype = resourcelib_guess_url_mimetype($url->externalurl);
 296      $fullurl  = url_get_full_url($url, $cm, $course);
 297      $title    = $url->name;
 298  
 299      $moodleurl = new moodle_url($fullurl);
 300      $link = html_writer::link($moodleurl, format_string($cm->name));
 301      $clicktoopen = get_string('clicktoopen', 'url', $link);
 302  
 303      $extension = resourcelib_get_extension($url->externalurl);
 304  
 305      $mediamanager = core_media_manager::instance($PAGE);
 306      $embedoptions = array(
 307          core_media_manager::OPTION_TRUSTED => true,
 308          core_media_manager::OPTION_BLOCK => true
 309      );
 310  
 311      if (in_array($mimetype, array('image/gif','image/jpeg','image/png'))) {  // It's an image
 312          $code = resourcelib_embed_image($fullurl, $title);
 313  
 314      } else if ($mediamanager->can_embed_url($moodleurl, $embedoptions)) {
 315          // Media (audio/video) file.
 316          $code = $mediamanager->embed_url($moodleurl, $title, 0, 0, $embedoptions);
 317  
 318      } else {
 319          // anything else - just try object tag enlarged as much as possible
 320          $code = resourcelib_embed_general($fullurl, $title, $clicktoopen, $mimetype);
 321      }
 322  
 323      $PAGE->activityheader->set_description(url_get_intro($url, $cm));
 324      url_print_header($url, $cm, $course);
 325  
 326      echo $code;
 327  
 328      echo $OUTPUT->footer();
 329      die;
 330  }
 331  
 332  /**
 333   * Decide the best display format.
 334   * @param object $url
 335   * @return int display type constant
 336   */
 337  function url_get_final_display_type($url) {
 338      global $CFG;
 339  
 340      if ($url->display != RESOURCELIB_DISPLAY_AUTO) {
 341          return $url->display;
 342      }
 343  
 344      // detect links to local moodle pages
 345      if (strpos($url->externalurl, $CFG->wwwroot) === 0) {
 346          if (strpos($url->externalurl, 'file.php') === false and strpos($url->externalurl, '.php') !== false ) {
 347              // most probably our moodle page with navigation
 348              return RESOURCELIB_DISPLAY_OPEN;
 349          }
 350      }
 351  
 352      // Binaries and other formats that are known to cause trouble for external links.
 353      static $download = ['application/zip', 'application/x-tar', 'application/g-zip',
 354                          'application/pdf', 'text/html', 'document/unknown'];
 355      static $embed    = array('image/gif', 'image/jpeg', 'image/png', 'image/svg+xml',         // images
 356                               'application/x-shockwave-flash', 'video/x-flv', 'video/x-ms-wm', // video formats
 357                               'video/quicktime', 'video/mpeg', 'video/mp4',
 358                               'audio/mp3', 'audio/x-realaudio-plugin', 'x-realaudio-plugin',   // audio formats,
 359                              );
 360  
 361      $mimetype = resourcelib_guess_url_mimetype($url->externalurl);
 362  
 363      if (in_array($mimetype, $download)) {
 364          return RESOURCELIB_DISPLAY_DOWNLOAD;
 365      }
 366      if (in_array($mimetype, $embed)) {
 367          return RESOURCELIB_DISPLAY_EMBED;
 368      }
 369  
 370      // let the browser deal with it somehow
 371      return RESOURCELIB_DISPLAY_OPEN;
 372  }
 373  
 374  /**
 375   * Get the parameters that may be appended to URL
 376   * @param object $config url module config options
 377   * @return array array describing opt groups
 378   */
 379  function url_get_variable_options($config) {
 380      global $CFG;
 381  
 382      $options = array();
 383      $options[''] = array('' => get_string('chooseavariable', 'url'));
 384  
 385      $options[get_string('course')] = array(
 386          'courseid'        => 'id',
 387          'coursefullname'  => get_string('fullnamecourse'),
 388          'courseshortname' => get_string('shortnamecourse'),
 389          'courseidnumber'  => get_string('idnumbercourse'),
 390          'coursesummary'   => get_string('summary'),
 391          'courseformat'    => get_string('format'),
 392      );
 393  
 394      $options[get_string('modulename', 'url')] = array(
 395          'urlinstance'     => 'id',
 396          'urlcmid'         => 'cmid',
 397          'urlname'         => get_string('name'),
 398          'urlidnumber'     => get_string('idnumbermod'),
 399      );
 400  
 401      $options[get_string('miscellaneous')] = array(
 402          'sitename'        => get_string('fullsitename'),
 403          'serverurl'       => get_string('serverurl', 'url'),
 404          'currenttime'     => get_string('time'),
 405          'lang'            => get_string('language'),
 406      );
 407      if (!empty($config->secretphrase)) {
 408          $options[get_string('miscellaneous')]['encryptedcode'] = get_string('encryptedcode');
 409      }
 410  
 411      $options[get_string('user')] = array(
 412          'userid'          => 'id',
 413          'userusername'    => get_string('username'),
 414          'useridnumber'    => get_string('idnumber'),
 415          'userfirstname'   => get_string('firstname'),
 416          'userlastname'    => get_string('lastname'),
 417          'userfullname'    => get_string('fullnameuser'),
 418          'useremail'       => get_string('email'),
 419          'userphone1'      => get_string('phone1'),
 420          'userphone2'      => get_string('phone2'),
 421          'userinstitution' => get_string('institution'),
 422          'userdepartment'  => get_string('department'),
 423          'useraddress'     => get_string('address'),
 424          'usercity'        => get_string('city'),
 425          'usertimezone'    => get_string('timezone'),
 426      );
 427  
 428      if ($config->rolesinparams) {
 429          $roles = role_fix_names(get_all_roles());
 430          $roleoptions = array();
 431          foreach ($roles as $role) {
 432              $roleoptions['course'.$role->shortname] = get_string('yourwordforx', '', $role->localname);
 433          }
 434          $options[get_string('roles')] = $roleoptions;
 435      }
 436  
 437      return $options;
 438  }
 439  
 440  /**
 441   * Get the parameter values that may be appended to URL
 442   * @param object $url module instance
 443   * @param object $cm
 444   * @param object $course
 445   * @param object $config module config options
 446   * @return array of parameter values
 447   */
 448  function url_get_variable_values($url, $cm, $course, $config) {
 449      global $USER, $CFG;
 450  
 451      $site = get_site();
 452  
 453      $coursecontext = context_course::instance($course->id);
 454  
 455      $values = array (
 456          'courseid'        => $course->id,
 457          'coursefullname'  => format_string($course->fullname, true, array('context' => $coursecontext)),
 458          'courseshortname' => format_string($course->shortname, true, array('context' => $coursecontext)),
 459          'courseidnumber'  => $course->idnumber,
 460          'coursesummary'   => $course->summary,
 461          'courseformat'    => $course->format,
 462          'lang'            => current_language(),
 463          'sitename'        => format_string($site->fullname, true, array('context' => $coursecontext)),
 464          'serverurl'       => $CFG->wwwroot,
 465          'currenttime'     => time(),
 466          'urlinstance'     => $url->id,
 467          'urlcmid'         => $cm->id,
 468          'urlname'         => format_string($url->name, true, array('context' => $coursecontext)),
 469          'urlidnumber'     => $cm->idnumber,
 470      );
 471  
 472      if (isloggedin()) {
 473          $values['userid']          = $USER->id;
 474          $values['userusername']    = $USER->username;
 475          $values['useridnumber']    = $USER->idnumber;
 476          $values['userfirstname']   = $USER->firstname;
 477          $values['userlastname']    = $USER->lastname;
 478          $values['userfullname']    = fullname($USER);
 479          $values['useremail']       = $USER->email;
 480          $values['userphone1']      = $USER->phone1;
 481          $values['userphone2']      = $USER->phone2;
 482          $values['userinstitution'] = $USER->institution;
 483          $values['userdepartment']  = $USER->department;
 484          $values['useraddress']     = $USER->address;
 485          $values['usercity']        = $USER->city;
 486          $now = new DateTime('now', core_date::get_user_timezone_object());
 487          $values['usertimezone']    = $now->getOffset() / 3600.0; // Value in hours for BC.
 488      }
 489  
 490      // weak imitation of Single-Sign-On, for backwards compatibility only
 491      // NOTE: login hack is not included in 2.0 any more, new contrib auth plugin
 492      //       needs to be createed if somebody needs the old functionality!
 493      if (!empty($config->secretphrase)) {
 494          $values['encryptedcode'] = url_get_encrypted_parameter($url, $config);
 495      }
 496  
 497      //hmm, this is pretty fragile and slow, why do we need it here??
 498      if ($config->rolesinparams) {
 499          $coursecontext = context_course::instance($course->id);
 500          $roles = role_fix_names(get_all_roles($coursecontext), $coursecontext, ROLENAME_ALIAS);
 501          foreach ($roles as $role) {
 502              $values['course'.$role->shortname] = $role->localname;
 503          }
 504      }
 505  
 506      return $values;
 507  }
 508  
 509  /**
 510   * BC internal function
 511   * @param object $url
 512   * @param object $config
 513   * @return string
 514   */
 515  function url_get_encrypted_parameter($url, $config) {
 516      global $CFG;
 517  
 518      if (file_exists("$CFG->dirroot/local/externserverfile.php")) {
 519          require_once("$CFG->dirroot/local/externserverfile.php");
 520          if (function_exists('extern_server_file')) {
 521              return extern_server_file($url, $config);
 522          }
 523      }
 524      return md5(getremoteaddr().$config->secretphrase);
 525  }
 526  
 527  /**
 528   * Optimised mimetype detection from general URL
 529   * @param $fullurl
 530   * @param null $unused This parameter has been deprecated since 4.3 and should not be used anymore.
 531   * @return string|null mimetype or null when the filetype is not relevant.
 532   */
 533  function url_guess_icon($fullurl, $unused = null) {
 534      global $CFG;
 535      require_once("$CFG->libdir/filelib.php");
 536  
 537      if ($unused !== null) {
 538          debugging('Deprecated argument passed to ' . __FUNCTION__, DEBUG_DEVELOPER);
 539      }
 540  
 541      if (substr_count($fullurl, '/') < 3 or substr($fullurl, -1) === '/') {
 542          // Most probably default directory - index.php, index.html, etc. Return null because
 543          // we want to use the default module icon instead of the HTML file icon.
 544          return null;
 545      }
 546  
 547      try {
 548          // There can be some cases where the url is invalid making parse_url() to return false.
 549          // That will make moodle_url class to throw an exception, so we need to catch the exception to prevent errors.
 550          $moodleurl = new moodle_url($fullurl);
 551          $fullurl = $moodleurl->out_omit_querystring();
 552      } catch (\moodle_exception $e) {
 553          // If an exception is thrown, means the url is invalid. No need to log exception.
 554          return null;
 555      }
 556  
 557      $icon = file_extension_icon($fullurl);
 558      $htmlicon = file_extension_icon('.htm');
 559      $unknownicon = file_extension_icon('');
 560      $phpicon = file_extension_icon('.php'); // Exception for php files.
 561  
 562      // We do not want to return those icon types, the module icon is more appropriate.
 563      if ($icon === $unknownicon || $icon === $htmlicon || $icon === $phpicon) {
 564          return null;
 565      }
 566  
 567      return $icon;
 568  }