From 2355205ad89d8c1718e823256f9bb8196f358730 Mon Sep 17 00:00:00 2001
From: Martin Gauk
Date: Tue, 29 Sep 2020 09:08:45 +0000
Subject: [PATCH 1/2] MDL-69257 H5P: Check size of uploaded files and virus scan
---
h5p/ajax.php | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/h5p/ajax.php b/h5p/ajax.php
index 2291e2ff90e2f..8352c8b248cd3 100644
--- a/h5p/ajax.php
+++ b/h5p/ajax.php
@@ -75,6 +75,17 @@
 $token = required_param('token', PARAM_RAW);
 $contentid = required_param('contentId', PARAM_INT);
+ // Check size of each uploaded file and scan for viruses.
+ foreach ($_FILES as $uploadedfile) {
+ $filename = clean_param($uploadedfile['name'], PARAM_FILE);
+ $maxsize = get_max_upload_file_size($CFG->maxbytes);
+ if ($uploadedfile['size'] > $maxsize) {
+ H5PCore::ajaxError(get_string('maxbytesfile', 'error', ['file' => $filename, 'size' => display_size($maxsize)]));
+ return;
+ }
+ \core\antivirus\manager::scan_file($uploadedfile['tmp_name'], $filename, true);
+ }
+
 $editor->ajax->action(H5PEditorEndpoints::FILES, $token, $contentid);
 break;
From 2212df5dd8ddd820260713c47559269561536adb Mon Sep 17 00:00:00 2001
From: Mihail Geshoski
Date: Fri, 9 Oct 2020 10:23:28 +0800
Subject: [PATCH 2/2] MDL-69257 core_h5p: Move $maxsize outside the foreach loop

There is no reason to repeatedly obtain the maximum size for uploading files as a part of foreach loop.
---
h5p/ajax.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/h5p/ajax.php b/h5p/ajax.php
index 8352c8b248cd3..1547b6f346cb9 100644
--- a/h5p/ajax.php
+++ b/h5p/ajax.php
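Review bot: The new upload loop never looks at `$uploadedfile['error']`, so an entry whose upload failed still passes the size check: PHP typically reports `size` 0 and an empty `tmp_name` for it, and the loop then hands that empty path to `\core\antivirus\manager::scan_file()`. I would reject such an entry before the size comparison with `if ($uploadedfile['error'] !== UPLOAD_ERR_OK) {`, followed by the same `H5PCore::ajaxError(...)` and `return;` pattern the size check uses. The loop also assumes one flat entry per form field; a field posted in array form makes `name`, `size` and `tmp_name` arrays, and whether `clean_param()` and the `>` comparison reject that cleanly is not visible in this hunk. The hunk in patch 2/2 carries the same loop body forward unchanged apart from hoisting `$maxsize`, and the enclosing `case` starts outside both hunks.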
@@ -75,10 +75,10 @@
 $token = required_param('token', PARAM_RAW);
 $contentid = required_param('contentId', PARAM_INT);
+ $maxsize = get_max_upload_file_size($CFG->maxbytes);
 // Check size of each uploaded file and scan for viruses.
 foreach ($_FILES as $uploadedfile) {
 $filename = clean_param($uploadedfile['name'], PARAM_FILE);
- $maxsize = get_max_upload_file_size($CFG->maxbytes);
 if ($uploadedfile['size'] > $maxsize) {
 H5PCore::ajaxError(get_string('maxbytesfile', 'error', ['file' => $filename, 'size' => display_size($maxsize)]));
 return;