Details
-
Type:
Bug
-
Status:
Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 1.9.2
-
Fix Version/s: 1.9.3
-
Component/s: Wiki (1.x)
-
Labels:None
-
Environment:ANY
-
Affected Branches:MOODLE_19_STABLE
-
Fixed Branches:MOODLE_19_STABLE
Description
Looks like security imporvements in the Wiki module prevent pages with colons in the title from being displayed as these are being stripped out before DB query.
File is /mod/wiki/view.php controller
Originally the code was line 16 in 1.9
$page = optional_param('page', false); // Wiki Page Name
In 1.9.2 this changed to
$page = optional_param('page', false, PARAM_PATH); // Wiki Page Name
This ended up stripping out ":" I guess this is only when the colon appears after a letter as in "Day One:" thereby looking like a drive letter
If fixed this on our implementation by using
$page = optional_param('page', false, PARAM_CLEAN); // Wiki Page Name
Not sure if this is the correct (security wise) clean option
Activity
- All
- Comments
- History
- Activity
- Source
- Test Sessions
Proper solution for this has been committed to CVS. Will be available in next weekly build. Resolving as fixed.
Ciao 
Hi Rahim, the fix was committed (and tested) time ago in MDL-15896. I've done a quick check right now and pages with colons seem to work ok.
Ciao
Hi Kristian,
if I'm not wrong that change was done because of one potential security problem in wiki module (if leaving PARAM_CLEAN). Anyway, it's being discussed in MDL-15896 (not sure if you can see it, because it's marked as security issue) and we are trying some alternatives to have those colons working again.
Until then, your change sounds ok (with some security risk). Will keep informed with any progress... ciao