From 5ad81abec21c80643a8b88a489c963701237e87f Mon Sep 17 00:00:00 2001
From: Yannick Warnier
Date: Fri, 2 Nov 2018 12:07:06 -0500
Subject: [PATCH] Avoid checking image files in SCORM content to increase speed

---
 .htaccess | 4 ++--
 documentation/installation_guide.html | 4 ++++
 documentation/security.html | 26 ++++++++++++++++++++++++++
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/.htaccess b/.htaccess
index 06c2a89b74..f4a1221c92 100755
--- a/.htaccess
+++ b/.htaccess
@@ -23,8 +23,8 @@ RewriteRule ^courses/([^/]+)/?$ main/course_home/course_home.php?cDir=$1 [QSA,L]
 RewriteRule ^courses/([^/]+)/index.php$ main/course_home/course_home.php?cDir=$1 [QSA,L]
 # Rewrite everything in the scorm folder of a course to the download script
-# except JS and CSS files, which can be served directly
-RewriteRule ^courses/([^/]+)/scorm/(.*([\.js|\.css]))$ app/courses/$1/scorm/$2 [QSA,L]
+# except JS, CSS and some image files, which can be served directly
+RewriteRule ^courses/([^/]+)/scorm/(.*([\.js|\.css|\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/scorm/$2 [QSA,L]
 RewriteRule ^courses/([^/]+)/scorm/(.*)$ main/document/download_scorm.php?doc_url=/$2&cDir=$1 [QSA,L]
 # Rewrite everything in the document folder of a course to the download script
diff --git a/documentation/installation_guide.html b/documentation/installation_guide.html
index ce6b703636..7d87c3eae2 100755
--- a/documentation/installation_guide.html
+++ b/documentation/installation_guide.html
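Review bot: The bracket expression in the added `RewriteRule ^courses/([^/]+)/scorm/(.*([\.js|\.css|\.png|\.jpg|\.jpeg|\.gif]))$` line is a character class, not an alternation, so it matches any path whose last character is one of `.`, `|`, `j`, `s`, `c`, `p`, `n`, `g`, `e` or `f` — a `report.pdf`, `notes.doc` or `pack.zip` under scorm/ is served straight from app/courses without ever reaching download_scorm.php, not only the JS/CSS/image files the comment (and the new security.html text) describes. The old `[\.js|\.css]` pattern had the same shape, but this commit widens it and documents it as an extension whitelist, so it should become a real one: `RewriteRule ^courses/([^/]+)/scorm/(.*\.(?:js|css|png|jpe?g|gif))$ app/courses/$1/scorm/$2 [QSA,L]` (append `NC` to the flags if upper-case extensions are expected). The same character-class pattern is copied into both the Apache and nginx snippets in the installation_guide.html hunks, including the two new course_home_icons rules, and should be fixed there consistently. In the nginx snippet the new `rewrite` targets `app/courses/...` without the leading slash that the neighbouring rules use, which looks like a typo worth checking.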
@@ -719,6 +719,7 @@ If you have issues with files taking a long time to download, make sure you reco
 RewriteRule ^certificates/$ certificates/index.php?id=%1 [L]
 RewriteRule ^courses/([^/]+)/?$ main/course_home/course_home.php?cDir=$1 [QSA,L]
 RewriteRule ^courses/([^/]+)/index.php$ main/course_home/course_home.php?cDir=$1 [QSA,L]
+ RewriteRule ^courses/([^/]+)/scorm/(.*([\.js|\.css|\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/scorm/$2 [QSA,L]
 RewriteRule ^courses/([^/]+)/scorm/(.*)$ main/document/download_scorm.php?doc_url=/$2&cDir=$1 [QSA,L]
 RewriteRule ^courses/([^/]+)/document/certificates/(.*)$ app/courses/$1/document/certificates/$2 [QSA,L]
 RewriteRule ^courses/([^/]+)/document/(.*)$ main/document/download.php?doc_url=/$2&cDir=$1 [QSA,L]
@@ -726,6 +727,7 @@ If you have issues with files taking a long time to download, make sure you reco
 RewriteRule ^courses/([^/]+)/work/(.*)$ main/work/download.php?file=work/$2&cDir=$1 [QSA,L]
 RewriteRule ^courses/([^/]+)/course-pic85x85.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_source [QSA,L]
 RewriteRule ^courses/([^/]+)/course-pic.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_large_source [QSA,L]
+ RewriteRule ^courses/([^/]+)/upload/course_home_icons/(.*([\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/upload/course_home_icons/$2 [QSA,L]
 RewriteRule ^courses/([^/]+)/(.*)$ app/courses/$1/$2 [QSA,L]
 RewriteRule ^session/(\d{1,})/about/?$ main/session/about.php?session_id=$1 [L]
 RewriteRule ^badge/(\d{1,}) main/badge/issued.php?issue=$1 [L]
@@ -758,6 +760,7 @@ If you have issues with files taking a long time to download, make sure you reco
 rewrite ^certificates/$ certificates/index.php last;
 rewrite ^/courses/([^/]+)/$ /main/course_home/course_home.php?cDir=$1 last;
 rewrite ^/courses/([^/]+)/index.php$ /main/course_home/course_home.php?cDir=$1 last;
+ rewrite ^/courses/([^/]+)/scorm/(.*([\.js|\.css|\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/scorm/$2 last;
 rewrite ^/courses/([^/]+)/scorm/(.*)$ /main/document/download_scorm.php?doc_url=/$2&cDir=$1 last;
 # Alternatively, you can choose to give direct access to all SCORM files, which is much faster but less secure
 # rewrite "^/courses/([^/]+)/scorm/(.*)$" /app/courses/$1/scorm/$2 break;
@@ -766,6 +769,7 @@ If you have issues with files taking a long time to download, make sure you reco
 rewrite ^/courses/([^/]+)/document/(.*)$ /main/document/download.php?doc_url=/$2&cDir=$1 last;
 rewrite ^/courses/([^/]+)/upload/([^/]+)/(.*)$ /main/document/download_uploaded_files.php?code=$1&type=$2&file=$3 last;
 rewrite ^/courses/([^/]+)/work/(.*)$ /main/work/download.php?file=work/$2&cDir=$1 last;
+ rewrite ^/courses/([^/]+)/upload/course_home_icons/(.*([\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/upload/course_home_icons/$2 last;
 rewrite ^/courses/([^/]+)/(.*)$ /app/courses/$1/$2 last;
 rewrite ^/session/([^/]+)/about/?$ /main/session/about.php?session_id=$1 last;
 rewrite ^/course/([^/]+)/about/?$ /main/course_info/about.php?course_id=$1 last;
diff --git a/documentation/security.html b/documentation/security.html
index b1110194d2..86536735eb 100755
--- a/documentation/security.html
+++ b/documentation/security.html
@@ -24,6 +24,7 @@
  • Moving your configuration file out of the web directory
  • Restricting files permissions
  • HTTP Headers Security
  • +
  • Direct web access to files
  • 1. Disclosing server info

    @@ -171,6 +172,31 @@ This will prevent direct access to your settings and make it seem totally the sa we highly recommend the securityheaders.io website. If you want to read more about CSP and all related headers security techniques, check Scott Helme's blog. +
    +
    +

    Direct web access to files

    +

    If .htaccess is enabled or the .htaccess rules are translated into the + web server vhost configuration (see installation guide for that), Chamilo + will do some natural files access protection.
    +
    + This protection is executed through redirections of some URLs to make the + request go through some kind of permissions validation script. For + documents, this means going through the main/document/download.php script, + but there are some more specific rules (see .htaccess for details).
    +
    + While this does a great job to avoid access by unprivileged users, this + also creates an efficiency issue, whereby some files, in version 1.11, can + take up to 5 times the load time when it goes through the permissions + validation.
    +
    + Because of that, we have taken some decisions to reduce the impact in a + reasonable way. For example, static files in SCORM content + (in courses/[code]/scorm/) like CSS, JS, PNG, JPG and GIF are *not* scanned + this way (there is an exception for that). We believe that these resources + do not contain confidential information. If you *DO* have confidential + information in images, CSS or JavaScript files, you will need to update + these rules to suit your needs. +

    Authors