File:
[LON-CAPA] /
loncom /
interface /
lonexturlcheck.pm
Revision
1.4:
download - view:
text,
annotated -
select for diffs
Sat Feb 15 03:54:43 2020 UTC (4 years, 10 months ago) by
raeburn
Branches:
MAIN
CVS tags:
version_2_12_X,
version_2_11_X,
version_2_11_5_msu,
version_2_11_5,
version_2_11_4_uiuc,
version_2_11_4_msu,
version_2_11_4,
version_2_11_3_uiuc,
version_2_11_3_msu,
version_2_11_3,
HEAD
- "use LONCAPA::LWPReq" not needed because "use Apache::loncommon" is used.
# The LearningOnline Network with CAPA
# Handler to check if external resource can be shown in iframe
#
# $Id: lonexturlcheck.pm,v 1.4 2020/02/15 03:54:43 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#
#
###############################################################
###############################################################
=pod
=head1 NAME
Apache::lonexturlcheck - External Resource URL checker
=head1 SYNOPSIS
Called in course context by course personnel either with the course editing
privilege or with view-only access to course editing tools.
Query string contains one item: name=exturl, value=URL of external resource
(format: http://hostname/path or https://hostname/path).
The resource URL is sent to &loncommon::is_nonframeable() to check whether
it can be displayed in an iframe in a page served by the current host.
=head1 OVERVIEW
Input: external resource URL (from query string passed to /adm/exturlcheck).
Hostname, lonHostID, and IP address for this node are retrieved from Apache.
Dependencies: calls &loncommon::is_nonframeable() to check if server where
external resource is hosted is configured with a Content-Security-Policy or
with X-Frame-options settings which prohibit display of the resource within
an iframe in a LON-CAPA page served from this node.
Output to print buffer: (content-type: text/plain): 1, 0, -1 or empty string.
'' -- display in iframe is allowed
1 -- display in iframe not allowed
0 -- invalid URL
-1 -- could not verify course editing privilege or view-only access to
course editing tools
HTTP Return codes:
406 -- if user is not in a course
200 -- otherwise
=cut
package Apache::lonexturlcheck;
use strict;
use Apache::Constants qw(:common :http);
use Apache::lonnet;
use Apache::loncommon;
use HTTP::Request;
sub handler {
my $r=shift;
if ($r->header_only) {
&Apache::loncommon::content_type($r,'text/html');
$r->send_http_header;
return OK;
}
if (!$env{'request.course.fn'}) {
# Not in a course.
$env{'user.error.msg'}="/adm/lonexturlcheck:bre:0:0:Not in a course";
return HTTP_NOT_ACCEPTABLE;
}
&Apache::loncommon::content_type($r,'text/plain');
$r->send_http_header;
my $uselink;
if (($env{'request.course.id'}) &&
((&Apache::lonnet::allowed('mdc',$env{'request.course.id'})) ||
(&Apache::lonnet::allowed('cev',$env{'request.course.id'})))) {
&Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'},['exturl']);
$env{'form.exturl'} =~ s/^\s+|\s+$//g;
if ($env{'form.exturl'} =~ m{^https?\://([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}}i) {
my $hostname = $r->hostname();
my $lonhost = $r->dir_config('lonHostID');
my $ip = &Apache::lonnet::get_host_ip($lonhost);
$r->print(&Apache::loncommon::is_nonframeable($env{'form.exturl'},'',$hostname,$ip,1));
} else {
$r->print(0);
}
} else {
$r->print(-1);
}
return OK;
}
1;
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>