[#MDL-20816] wiki security issues - Moodle Tracker

Details

Type: Sub-task
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 2.0
Fix Version/s: STABLE backlog
Component/s: Wiki (2.x)
Labels:
- triaged

Affected Branches:
MOODLE_20_STABLE

Description

Tim just created new security related pages in our docs http://docs.moodle.org/en/Development:Security

1/ learn how to use require_login() and require_course_login()
2/ learn how to use sesskey to prevent CSRF
3/ add missing capability tests
4/ learn how to use s() in forms - potential XSS in block_wiki_search - PARAM_ACTION prevents it, but this type is not correct there because it would work for english only

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Petr Škoda (skodak) added a comment - 11/Nov/09 6:19 PM

this is not a real security issue, but following can not work:

<code php>
$option = optional_param('editoption','', PARAM_ALPHA);
if ($option == get_string('cancel')) {
<code>

Show

Petr Škoda (skodak) added a comment - 11/Nov/09 6:19 PM this is not a real security issue, but following can not work: <code php> $option = optional_param('editoption','', PARAM_ALPHA); if ($option == get_string('cancel')) { <code>

Hide

Permalink

Petr Škoda (skodak) added a comment - 11/Nov/09 6:23 PM

still also will not work $newcontent = optional_param('newcontent','', PARAM_CLEANHTML);
because it is not always in HTML format

Show

Petr Škoda (skodak) added a comment - 11/Nov/09 6:23 PM still also will not work $newcontent = optional_param('newcontent','', PARAM_CLEANHTML); because it is not always in HTML format

Hide

Permalink

Ludo ( Marc Alier) added a comment - 07/Jul/10 1:20 PM

Jordi, Petr,
is this still an opened issue?

Show

Ludo ( Marc Alier) added a comment - 07/Jul/10 1:20 PM Jordi, Petr, is this still an opened issue?

Hide

Permalink

Petr Škoda (skodak) added a comment - 07/Jul/10 3:15 PM

yes I have just found multiple security issues in the mod/wiki, going to post them here today
ciao

Show

Petr Škoda (skodak) added a comment - 07/Jul/10 3:15 PM yes I have just found multiple security issues in the mod/wiki, going to post them here today ciao

Hide

Permalink

Helen Foster added a comment - 19/Nov/10 5:50 AM

Petr, sorry I can't see your post! Can this issue be resolved now?

Show

Helen Foster added a comment - 19/Nov/10 5:50 AM Petr, sorry I can't see your post! Can this issue be resolved now?

Hide

Permalink

Petr Škoda (skodak) added a comment - 19/Nov/10 9:19 AM

No idea, I did not study the code recently, going to have a quick look later today....

Show

Petr Škoda (skodak) added a comment - 19/Nov/10 9:19 AM No idea, I did not study the code recently, going to have a quick look later today....

Hide

Permalink

Helen Foster added a comment - 22/Jan/11 3:05 AM

Dongsheng please could you look into whether there are any security issues in the wiki.

Show

Helen Foster added a comment - 22/Jan/11 3:05 AM Dongsheng please could you look into whether there are any security issues in the wiki.

People

Assignee:

Dongsheng Cai

Reporter:

Petr Škoda (skodak)

Participants:

Dongsheng Cai, Helen Foster, Ludo ( Marc Alier), Petr Škoda (skodak)

Vote (0)

Watch (3)

Dates

Created:

11/Nov/09 6:18 PM

Updated:

22/Jan/11 3:05 AM