Chapter 7. Securing User Files

In this chapter we will focus on files submitted by course participants, the security issues that come with them, and ways of protecting your system. The material will be covered in the following order:

  • Uploading files into Moodle
  • Dangers and pitfalls
  • Anti-virus and Moodle

Uploading files into Moodle

In an educational process oriented towards digital systems, a lot of things must be adapted to the new way of interaction between a student and a teacher. One of the most notable changes is the way the results of particular assignments are handled. For example, if a teacher wants to assign a task to write a paper about medieval English literature to all participants in a course, he would create an "Upload single file" activity.

Adding this and other kinds of activities that require the user to submit various types of files poses potential security problems. Before going into more detail, let us list all the points in Moodle where students and teachers can submit files.

How Moodle stores files

Files that are not part of the core platform, that is, files of a dynamic, changeable nature, are stored within the Moodledata directory. Every course within Moodle has a sub directory within Moodledata. The name of the directory is identical to the value of the course ID in the database. For example, if the course ID is 4 it will have the folder <path to Moodledata>/Moodledata/4. You can see the course ID in the URL as a URL parameter.

Every type of content uploaded to the specific course is stored within its Moodledata directory.

Points of submitting user files

Within a Moodle course there are five places where a user can upload files:

  • WYSIWYG HTMLArea editor
  • Glossary
  • Upload a single file or Advanced uploading of files activity
  • Forum
  • Database activity module

WYSIWYG HTMLArea editor

WYSIWYG is an acronym for What You See Is What You Get. The term is used to describe an editor or other kind of tool in which the content displayed during editing appears very similar, if not identical, to the final output. Moodle comes with a built-in WYSIWYG editor intended for creating rich content pages (formatted text, embedded images, links to external and/or internal resources, etc.). That editor comes with a facility for inserting images.

This feature permits uploading ANY kind of file as long as it fits within the system limit for maximum file size (the upload_max_filesize directive in php.ini). This is the reason this option is so dangerous. A user can easily upload a virus-infected file which can potentially be opened by a teacher or other users. It is worth noting that ONLY teachers and administrators can upload files in this way. Common users can only link to external files. A Moodle admin can also control the limit for the maximum upload file size by setting it in the Site Administration block under Security | Site Policies | Maximum uploaded file size, choosing the desired limit. The teacher can also configure this setting for his course using the Maximum upload size setting located in the course administration block.

Glossary

A glossary can be placed within any course by a teacher or administrator and allows all participants to create and maintain a custom list of term definitions. When creating a new term, a user can specify an attachment. No file type limitations are present other than the size of the file.

Upload single file simple/advanced assignment

This type of assignment is commonly used for tasks that require students to present written papers in electronic format. Usually students produce a document in some word processor or PDF format suitable for submitting. However, there are no limitations as to which format can be uploaded.

Forum

Forums are an excellent way of initiating discussion between participants in a course. Everybody within a course with adequate permissions can add a new discussion topic or respond to an existing one. Unless explicitly disabled, all forums by default permit users to attach a file to their message and also to insert an image if the WYSIWYG editor is enabled.

Database activity

The Database activity module permits a teacher to create a bank of record entries made by students. It can contain anything: files, short or long texts, mixed content, etc. Among the field types this module offers, it lets the teacher define file upload fields.
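As an added example, not taken from the book or from Moodle's own code, the following Python script ties together the Moodledata layout described under "How Moodle stores files" and the absence of file-type limits noted for the upload points above: it walks a Moodledata tree, treats each numeric sub directory as a course ID, and reports files whose extension is outside an allow-list, whose leading bytes do not match their extension, or which exceed a size limit. The allow-list, the magic bytes, the 2 MB limit and the sample tree built in `demo()` are assumptions constructed for the example.

```python
from pathlib import Path
from tempfile import TemporaryDirectory

# Leading bytes of the document types a teacher would typically expect.
# Assumption: the course only expects these formats; extend as needed.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def audit_moodledata(root, allowed_exts=frozenset(MAGIC), max_bytes=2 * 1024 * 1024):
    """Walk <Moodledata>/<course id>/... and return (course_id, relpath, reason) findings."""
    findings = []
    root = Path(root)
    # Course directories are named after the numeric course ID; other
    # Moodledata sub directories (cache, temp, ...) are skipped.
    for course_dir in sorted(p for p in root.iterdir() if p.is_dir() and p.name.isdigit()):
        course_id = int(course_dir.name)
        for f in sorted(p for p in course_dir.rglob("*") if p.is_file()):
            rel = f.relative_to(course_dir).as_posix()
            ext = f.suffix.lower()
            if ext not in allowed_exts:
                findings.append((course_id, rel, "extension not in allow-list"))
                continue
            with f.open("rb") as fh:
                head = fh.read(16)
            expected = MAGIC.get(ext)
            if expected and not head.startswith(expected):
                findings.append((course_id, rel, "content does not match extension"))
            if f.stat().st_size > max_bytes:
                findings.append((course_id, rel, "exceeds size limit"))
    return findings


def demo():
    """Build a constructed Moodledata tree (sample data, not a real site) and audit it."""
    with TemporaryDirectory() as tmp:
        tree = {
            "4/assignment/paper.pdf": b"%PDF-1.4 constructed sample",
            "4/assignment/notes.exe": b"MZ\x90\x00 constructed sample",
            "7/forum/photo.png": b"MZ\x90\x00 constructed sample with a misleading extension",
        }
        for rel, data in tree.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return audit_moodledata(tmp)


if __name__ == "__main__":
    for course, path, reason in demo():
        print(f"course {course}: {path}: {reason}")
```

Run it against a real Moodledata path with `audit_moodledata("/path/to/moodledata")` to get the same tuples for a live site.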
