--- loncom/lond 2017/05/09 03:04:21 1.536 +++ loncom/lond 2018/02/01 04:50:41 1.542 @@ -2,7 +2,7 @@ # The LearningOnline Network # lond "LON Daemon" Server (port "LOND" 5663) # -# $Id: lond,v 1.536 2017/05/09 03:04:21 raeburn Exp $ +# $Id: lond,v 1.542 2018/02/01 04:50:41 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -65,7 +65,7 @@ my $DEBUG = 0; # Non zero to ena my $status=''; my $lastlog=''; -my $VERSION='$Revision: 1.536 $'; #' stupid emacs +my $VERSION='$Revision: 1.542 $'; #' stupid emacs my $remoteVERSION; my $currenthostid="default"; my $currentdomainid; @@ -1606,12 +1606,14 @@ sub du2_handler { # # 1. for a directory, and the path does not begin with one of: # (a) /home/httpd/html/res/ -# (b) /home/httpd/html/res/userfiles/ +# (b) /home/httpd/html/userfiles/ # (c) /home/httpd/lonUsers//<1>/<2>/<3>//userfiles # or is: # -# 2. for a file, and the path (after prepending) does not begin with: -# /home/httpd/lonUsers//<1>/<2>/<3>// +# 2. for a file, and the path (after prepending) does not begin with one of: +# (a) /home/httpd/lonUsers//<1>/<2>/<3>// +# (b) /home/httpd/html/res/// +# (c) /home/httpd/html/userfiles/// # # the response will be "refused". # @@ -1642,8 +1644,8 @@ sub ls_handler { } if (-e $ulsdir) { if(-d $ulsdir) { - unless (($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) || - ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/})) { + unless (($ulsdir =~ m{^/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) || + ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/userfiles})) { &Failure($client,"refused\n",$userinput); return 1; } @@ -1670,7 +1672,8 @@ sub ls_handler { closedir(LSDIR); } } else { - unless ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/}) { + unless (($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/}) || + ($ulsdir =~ m{^/home/httpd/html/(?:res|userfiles)/$LONCAPA::match_domain/$LONCAPA::match_name/})) { &Failure($client,"refused\n",$userinput); return 1; } @@ -1703,12 +1706,14 @@ sub ls_handler { # # 1. for a directory, and the path does not begin with one of: # (a) /home/httpd/html/res/ -# (b) /home/httpd/html/res/userfiles/ +# (b) /home/httpd/html/userfiles/ # (c) /home/httpd/lonUsers//<1>/<2>/<3>//userfiles # or is: # -# 2. for a file, and the path (after prepending) does not begin with: -# /home/httpd/lonUsers//<1>/<2>/<3>// +# 2. for a file, and the path (after prepending) does not begin with one of: +# (a) /home/httpd/lonUsers//<1>/<2>/<3>// +# (b) /home/httpd/html/res/// +# (c) /home/httpd/html/userfiles/// # # the response will be "refused". # @@ -1738,8 +1743,8 @@ sub ls2_handler { } if (-e $ulsdir) { if(-d $ulsdir) { - unless (($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) || - ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/})) { + unless (($ulsdir =~ m{^/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) || + ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/userfiles})) { &Failure($client,"refused\n","$userinput"); return 1; } @@ -1767,7 +1772,8 @@ sub ls2_handler { closedir(LSDIR); } } else { - unless ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/}) { + unless (($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/}) || + ($ulsdir =~ m{^/home/httpd/html/(?:res|userfiles)/$LONCAPA::match_domain/$LONCAPA::match_name/})) { &Failure($client,"refused\n",$userinput); return 1; } @@ -1792,14 +1798,17 @@ sub ls2_handler { # # 1. for a directory, and the path does not begin with one of: # (a) /home/httpd/html/res/ -# (b) /home/httpd/html/res/userfiles/ +# (b) /home/httpd/html/userfiles/ # (c) /home/httpd/lonUsers//<1>/<2>/<3>//userfiles -# (d) /home/httpd/html/priv// and client is the homeserver +# (d) /home/httpd/html/priv/ and client is the homeserver # # or is: # -# 2. for a file, and the path (after prepending) does not begin with: -# /home/httpd/lonUsers//<1>/<2>/<3>// +# 2. for a file, and the path (after prepending) does not begin with one of: +# (a) /home/httpd/lonUsers//<1>/<2>/<3>// +# (b) /home/httpd/html/res/// +# (c) /home/httpd/html/userfiles/// +# (d) /home/httpd/html/priv/// and client is the homeserver # # the response will be "refused". # @@ -1876,9 +1885,9 @@ sub ls3_handler { if (-e $ulsdir) { if(-d $ulsdir) { unless (($getpropath) || ($getuserdir) || - ($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) || - ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/}) || - (($ulsdir =~ m{/home/httpd/html/priv/$LONCAPA::match_domain/}) && ($islocal))) { + ($ulsdir =~ m{^/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) || + ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/userfiles}) || + (($ulsdir =~ m{^/home/httpd/html/priv/$LONCAPA::match_domain}) && ($islocal))) { &Failure($client,"refused\n",$userinput); return 1; } @@ -1907,7 +1916,9 @@ sub ls3_handler { } } else { unless (($getpropath) || ($getuserdir) || - ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/})) { + ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/}) || + ($ulsdir =~ m{^/home/httpd/html/(?:res|userfiles)/$LONCAPA::match_domain/$LONCAPA::match_name/}) || + (($ulsdir =~ m{^/home/httpd/html/priv/$LONCAPA::match_domain/$LONCAPA::match_name/}) && ($islocal))) { &Failure($client,"refused\n",$userinput); return 1; } @@ -2591,32 +2602,26 @@ sub update_resource_handler { my $transname="$fname.in.transfer"; my $remoteurl=&Apache::lonnet::reply("sub:$fname","$clientname"); my $response; -# FIXME: cannot replicate files that take more than two minutes to transfer? -# alarm(120); -# FIXME: this should use the LWP mechanism, not internal alarms. - alarm(1200); - { - my $request=new HTTP::Request('GET',"$remoteurl"); - $response=&LONCAPA::LWPReq::makerequest($clientname,$request,$transname,\%perlvar,1200,0,1); - } - alarm(0); +# FIXME: cannot replicate files that take more than two minutes to transfer -- needs checking now 1200s timeout used +# for LWP request. + my $request=new HTTP::Request('GET',"$remoteurl"); + $response=&LONCAPA::LWPReq::makerequest($clientname,$request,$transname,\%perlvar,1200,0,1); if ($response->is_error()) { -# FIXME: we should probably clean up here instead of just whine - unlink($transname); + my $reply=&Apache::lonnet::reply("unsub:$fname","$clientname"); + &devalidate_meta_cache($fname); + if (-e $transname) { + unlink($transname); + } + unlink($fname); my $message=$response->status_line; &logthis("LWP GET: $message for $fname ($remoteurl)"); } else { if ($remoteurl!~/\.meta$/) { -# FIXME: isn't there an internal LWP mechanism for this? - alarm(120); - { - my $mrequest=new HTTP::Request('GET',$remoteurl.'.meta'); - my $mresponse = &LONCAPA::LWPReq::makerequest($clientname,$mrequest,$fname.'.meta',\%perlvar,120,0,1); - if ($mresponse->is_error()) { - unlink($fname.'.meta'); - } + my $mrequest=new HTTP::Request('GET',$remoteurl.'.meta'); + my $mresponse = &LONCAPA::LWPReq::makerequest($clientname,$mrequest,$fname.'.meta',\%perlvar,120,0,1); + if ($mresponse->is_error()) { + unlink($fname.'.meta'); } - alarm(0); } # we successfully transfered, copy file over to real name rename($transname,$fname); @@ -2686,17 +2691,13 @@ sub fetch_user_file_handler { my $remoteurl=$clientprotocol.'://'.$clienthost.'/userfiles/'.$fname; my $response; Debug("Remote URL : $remoteurl Transfername $transname Destname: $destname"); - alarm(1200); - { - my $request=new HTTP::Request('GET',"$remoteurl"); - my $verifycert = 1; - my @machine_ids = &Apache::lonnet::current_machine_ids(); - if (grep(/^\Q$clientname\E$/,@machine_ids)) { - $verifycert = 0; - } - $response = &LONCAPA::LWPReq::makerequest($clientname,$request,$transname,\%perlvar,1200,$verifycert); - } - alarm(0); + my $request=new HTTP::Request('GET',"$remoteurl"); + my $verifycert = 1; + my @machine_ids = &Apache::lonnet::current_machine_ids(); + if (grep(/^\Q$clientname\E$/,@machine_ids)) { + $verifycert = 0; + } + $response = &LONCAPA::LWPReq::makerequest($clientname,$request,$transname,\%perlvar,1200,$verifycert); if ($response->is_error()) { unlink($transname); my $message=$response->status_line; @@ -5745,9 +5746,10 @@ sub validate_course_section_handler { # Formal Parameters: # $cmd - The command request that got us dispatched. # $tail - The tail of the command. In this case this is a colon separated -# set of words that will be split into: +# set of values that will be split into: # $inst_class - Institutional code for the specific class section -# $courseowner - The escaped username:domain of the course owner +# $ownerlist - An escaped comma-separated list of username:domain +# of the course owner, and co-owner(s). # $cdom - The domain of the course from the institution's # point of view. # $client - The socket open on the client. @@ -5772,6 +5774,56 @@ sub validate_class_access_handler { ®ister_handler("autovalidateclass_sec", \&validate_class_access_handler, 0, 1, 0); # +# Validate course owner or co-owners(s) access to enrollment data for all sections +# and crosslistings for a particular course. +# +# +# Formal Parameters: +# $cmd - The command request that got us dispatched. +# $tail - The tail of the command. In this case this is a colon separated +# set of values that will be split into: +# $ownerlist - An escaped comma-separated list of username:domain +# of the course owner, and co-owner(s). +# $cdom - The domain of the course from the institution's +# point of view. +# $classes - Frozen hash of institutional course sections and +# crosslistings. +# $client - The socket open on the client. +# Returns: +# 1 - continue processing. +# + +sub validate_classes_handler { + my ($cmd, $tail, $client) = @_; + my $userinput = "$cmd:$tail"; + my ($ownerlist,$cdom,$classes) = split(/:/, $tail); + my $classesref = &Apache::lonnet::thaw_unescape($classes); + my $owners = &unescape($ownerlist); + my $result; + eval { + local($SIG{__DIE__})='DEFAULT'; + my %validations; + my $response = &localenroll::check_instclasses($owners,$cdom,$classesref, + \%validations); + if ($response eq 'ok') { + foreach my $key (keys(%validations)) { + $result .= &escape($key).'='.&Apache::lonnet::freeze_escape($validations{$key}).'&'; + } + $result =~ s/\&$//; + } else { + $result = 'error'; + } + }; + if (!$@) { + &Reply($client, \$result, $userinput); + } else { + &Failure($client,"unknown_cmd\n",$userinput); + } + return 1; +} +®ister_handler("autovalidateinstclasses", \&validate_classes_handler, 0, 1, 0); + +# # Create a password for a new LON-CAPA user added by auto-enrollment. # Only used for case where authentication method for new user is localauth # @@ -8742,7 +8794,6 @@ IO::File Apache::File POSIX Crypt::IDEA -LWP::UserAgent() GDBM_File Authen::Krb4 Authen::Krb5