[BACK]Return to lonexturlcheck.pm CVS log [TXT] [DIR] Up to [LON-CAPA] / loncom / interface
File:  [LON-CAPA] / loncom / interface / lonexturlcheck.pm
Revision 1.4: download - view: text, annotated - select for diffs
Sat Feb 15 03:54:43 2020 UTC (4 years, 3 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_12_X, version_2_11_X, version_2_11_4_uiuc, version_2_11_4_msu, version_2_11_4, version_2_11_3_uiuc, version_2_11_3_msu, version_2_11_3, HEAD
- "use LONCAPA::LWPReq" not needed because "use Apache::loncommon" is used.

    1: # The LearningOnline Network with CAPA
    2: # Handler to check if external resource can be shown in iframe
    3: #
    4: # $Id: lonexturlcheck.pm,v 1.4 2020/02/15 03:54:43 raeburn Exp $
    5: #
    6: # Copyright Michigan State University Board of Trustees
    7: #
    8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
    9: #
   10: # LON-CAPA is free software; you can redistribute it and/or modify
   11: # it under the terms of the GNU General Public License as published by
   12: # the Free Software Foundation; either version 2 of the License, or
   13: # (at your option) any later version.
   14: #
   15: # LON-CAPA is distributed in the hope that it will be useful,
   16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
   17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   18: # GNU General Public License for more details.
   19: #
   20: # You should have received a copy of the GNU General Public License
   21: # along with LON-CAPA; if not, write to the Free Software
   22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA
   23: #
   24: # /home/httpd/html/adm/gpl.txt
   25: #
   26: # http://www.lon-capa.org/
   27: #
   28: #
   29: ###############################################################
   30: ###############################################################
   31: 
   32: =pod
   33: 
   34: =head1 NAME
   35: 
   36: Apache::lonexturlcheck - External Resource URL checker
   37: 
   38: =head1 SYNOPSIS
   39: 
   40: Called in course context by course personnel either with the course editing
   41: privilege or with view-only access to course editing tools.
   42: 
   43: Query string contains one item: name=exturl, value=URL of external resource
   44: (format: http://hostname/path or https://hostname/path).
   45:  
   46: The resource URL is sent to &loncommon::is_nonframeable() to check whether
   47: it can be displayed in an iframe in a page served by the current host.
   48: 
   49: =head1 OVERVIEW
   50: 
   51: Input: external resource URL (from query string passed to /adm/exturlcheck).
   52: 
   53: Hostname, lonHostID, and IP address for this node are retrieved from Apache.
   54: 
   55: Dependencies: calls &loncommon::is_nonframeable() to check if server where
   56: external resource is hosted is configured with a Content-Security-Policy or
   57: with X-Frame-options settings which prohibit display of the resource within
   58: an iframe in a LON-CAPA page served from this node.
   59: 
   60: Output to print buffer: (content-type: text/plain):  1, 0, -1 or empty string.
   61: '' -- display in iframe is allowed
   62: 1  -- display in iframe not allowed
   63: 0  -- invalid URL
   64: -1 -- could not verify course editing privilege or view-only access to
   65:       course editing tools
   66: 
   67: HTTP Return codes:
   68: 406 -- if user is not in a course
   69: 200 -- otherwise
   70: 
   71: =cut
   72: 
   73: package Apache::lonexturlcheck;
   74: 
   75: use strict;
   76: use Apache::Constants qw(:common :http);
   77: use Apache::lonnet;
   78: use Apache::loncommon;
   79: use HTTP::Request;
   80: 
   81: sub handler {
   82:     my $r=shift;
   83:     if ($r->header_only) {
   84:         &Apache::loncommon::content_type($r,'text/html');
   85:         $r->send_http_header;
   86:         return OK;
   87:     }
   88:     if (!$env{'request.course.fn'}) {
   89:         # Not in a course.
   90:         $env{'user.error.msg'}="/adm/lonexturlcheck:bre:0:0:Not in a course";
   91:         return HTTP_NOT_ACCEPTABLE;
   92:     }
   93:     &Apache::loncommon::content_type($r,'text/plain');
   94:     $r->send_http_header;
   95:     my $uselink;
   96:     if (($env{'request.course.id'}) &&
   97:         ((&Apache::lonnet::allowed('mdc',$env{'request.course.id'})) ||
   98:          (&Apache::lonnet::allowed('cev',$env{'request.course.id'})))) {
   99:         &Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'},['exturl']);
  100:         $env{'form.exturl'} =~ s/^\s+|\s+$//g;
  101:         if ($env{'form.exturl'} =~ m{^https?\://([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}}i) {
  102:             my $hostname = $r->hostname();
  103:             my $lonhost = $r->dir_config('lonHostID');
  104:             my $ip = &Apache::lonnet::get_host_ip($lonhost);
  105:             $r->print(&Apache::loncommon::is_nonframeable($env{'form.exturl'},'',$hostname,$ip,1));
  106:         } else {
  107:             $r->print(0);
  108:         }
  109:     } else {
  110:         $r->print(-1);
  111:     }
  112:     return OK;
  113: }
  114: 
  115: 1;
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>