Introduce a way to make sure that H5P libraries are "official"
I would like to discuss a feature that might improve the security of H5P and also the integrity of H5P platforms. And it might make sharing of content easier.
Currently, some people patch H5P libraries in order to tweak them to their needs. That's fine on their platform. However, those patched libraries also end up in exported files. In turn, they can end up on other platforms if people with sufficient permissions upload the exported files and the original library that was patched is not yet available on the target platform or in an earlier version. That's probably not something that people expect.
Similarly, deliberately manipulated H5P libraries could potentially find their way onto H5P platforms.
Therefore, I suggest at least computing some hash value for every official H5P library (over all files) and making it available publicly. The H5P editor core should check official H5P libraries against that checksum when they are supposed to be installed and ignore those libraries if the checksum doesn't match. Alternatively, it could issue a warning and require explicit confirmation. Or it behaves the same as today - depending on the user role or on some configuration. A similar approach could be chosen for any H5P library (version) that doesn't exist on the official H5P library server. I feel it's not thaaaat uncommon anymore that people install H5P libraries that are not available on the H5P Hub yet, but maybe some people might want to know that they are about to install a library that's not on the H5P Hub and want to confirm this at least. Could also depend on a setting or user role, of course.
One could make this more complex (with signatures), but as long as the H5P Hub is the "only true source" of libraries, the checksum approach should suffice.
Another positive aspect: If admins need to worry less about others installing H5P libraries, it's more likely they grant this capability to more people, thus reducing the likelihood that someone wants to upload content but can't because a library from the file being uploaded is not yet installed on the platform.
What do you, the H5P community, think about this?
Fri, 01/14/2022 - 07:12
I wholeheartedly agree with the proposal. We at Lumi have thought about this issue and the same solution in the past and we absolutely see the need for it. Our app is particularly prone to these problems as it heavily relies on users loading content and installing libraries freely. We've thought about both approaches (checksums and signing) and signing seems like overkill at the moment, even if it is the technically better approach.
If there is an official specification the NodeJS port will pick it up right away. What I see as very important is that the specification is very clear in how the checksum must be calculated in a deterministic (and deliberately specified!) way and that it is not just a byproduct of a function of the PHP core that happens to look at files in a particular order because "that's how PHP orders file lists", for example.
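A sketch of the kind of deliberately specified, order-independent checksum the reply above asks for. This is an added example, not code from the H5P PHP core, the NodeJS port or Lumi; the sorted-POSIX-path, length-prefixed SHA-256 construction and the sample library files are assumptions for illustration, not an H5P specification.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def library_checksum(lib_dir: str) -> str:
    """SHA-256 over every file below lib_dir, independent of listing order.

    Files are taken in sorted order of their relative path written with
    forward slashes; path and content are length-prefixed so field
    boundaries are unambiguous whatever the host filesystem reports."""
    root = Path(lib_dir)
    entries = sorted((p.relative_to(root).as_posix(), p)
                     for p in root.rglob("*") if p.is_file())
    digest = hashlib.sha256()
    for rel, path in entries:
        rel_bytes = rel.encode("utf-8")
        content = path.read_bytes()
        digest.update(len(rel_bytes).to_bytes(4, "big") + rel_bytes)
        digest.update(len(content).to_bytes(8, "big") + content)
    return digest.hexdigest()

def is_official(lib_dir: str, published_checksum: str) -> bool:
    """Constant-time comparison against the value the Hub would publish."""
    return hmac.compare_digest(library_checksum(lib_dir), published_checksum)

def write_sample_library(files: dict) -> str:
    """Constructed stand-in for an unpacked library; returns its directory."""
    root = Path(tempfile.mkdtemp(prefix="h5p-lib-"))
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text, encoding="utf-8")
    return str(root)

# Constructed sample files, not a real H5P library.
SAMPLE = {
    "library.json": '{"machineName": "H5P.Example", "majorVersion": 1, "minorVersion": 0}',
    "semantics.json": "[]",
    "js/example.js": "H5P.Example = function () {};",
}

def demo() -> dict:
    published = library_checksum(write_sample_library(SAMPLE))
    # Same files written in reverse order: listing order must not matter.
    reordered = write_sample_library(dict(reversed(list(SAMPLE.items()))))
    # One locally patched file: the checksum must no longer match.
    patched = write_sample_library({**SAMPLE, "js/example.js": "H5P.Example = function () { /* patched */ };"})
    return {"reordered_matches": is_official(reordered, published),
            "patched_matches": is_official(patched, published)}
```

Because the rule is written down rather than inherited from one runtime's directory listing, a PHP and a NodeJS implementation following it produce the same value for the same library.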
Fri, 01/14/2022 - 19:23
My thinking exactly.
Sat, 01/15/2022 - 12:17
Hi Oliver & Sebastian
The H5P editor core should check official H5P libraries against that checksum when they are supposed to be installed and
Sun, 01/16/2022 - 14:30
Hi Papi Jo!
Thanks for confirming the usefulness of such an option. I just wonder what the use case for not blocking the install could be in your opinion? The existing development mode behavior would override the blocking, of course.
Mon, 01/17/2022 - 16:50
I'm afraid I had not correctly understood your proposal. I expect you are talking about H5P libraries having the same name as the "official" ones, but which have been modified by users. I wrongly thought you were talking about new libraries created with different names.
So I agree with your proposal, of course.
Mon, 01/17/2022 - 18:19
Aah, I see. Well, yes and no, I guess. Those content types with a machine name that's not listed on the Hub and thus have no retrievable checksum should in fact be treated with care, just like some patched content type with a listed machine name. Admins could install those if they wanted to, but I don't see why admins should not be able to decide to completely block those by default for others and only allow them to use content types from the Hub freely.
Thu, 09/01/2022 - 10:57
Just adding some real world example why this would be useful: https://h5p.org/node/1295120