Moodle

Apply sesskey() mechanism to all the actions in the XMLDB Editor

Details

  • Type: Sub-task
  • Status: Closed
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: 1.8.10, 1.9.6, 2.0
  • Fix Version/s: 1.8.11, 1.9.7, 2.0
  • Component/s: Database SQL/XMLDB
  • Labels:
    None
  • Database:
    Any
  • Difficulty:
    Easy
  • Affected Branches:
    MOODLE_18_STABLE, MOODLE_19_STABLE, MOODLE_20_STABLE
  • Fixed Branches:
    MOODLE_18_STABLE, MOODLE_19_STABLE, MOODLE_20_STABLE

Description

The XMLDB Editor is missing sesskey protection (thanks Petr for spotting that). While it's difficult to perform any attack based on that (mainly because of the session-based nature of the whole editor), to be 100% sure and correct, the sesskey check must be applied to all "edit" actions in the editor.

Going to do it. Ciao

Activity

Eloy Lafuente (stronk7) added a comment -

Committed to 19_STABLE. Using this approach:

  • By default all actions are sesskey protected (thanks, OOP).
  • Some of them, if they are safe, can be configured to skip the sesskey test.
  • The rest must be called with proper sesskey.

Going to backport to 1.8 and merge to HEAD...ciao
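As an added illustration (not code from Moodle or from this fix), the following PHP sketch models the approach described in the comment above: every action is sesskey-protected by default, a read-only action can opt out, and a state-changing action is refused unless the request carries the session's token. The class and function names (XmldbAction, ViewTableAction, EditFieldAction, generate_sesskey) are hypothetical and stand in for the real editor's action classes and Moodle's sesskey()/require_sesskey() helpers.

```php
<?php
// Added example, not Moodle's code. Names are hypothetical; the real XMLDB
// editor uses Moodle's sesskey() / require_sesskey() rather than this model.
declare(strict_types=1);

// Base class: every action is sesskey-protected unless a subclass opts out.
abstract class XmldbAction {
    // Default is "protected". Only an action that changes no state may set this
    // to false; the rest inherit the check and must be called with a valid token.
    protected bool $sesskeyProtected = true;

    // A real application would read the token from $_SESSION; here the session
    // array is passed in so the example runs offline.
    public function launch(array $session, array $request): string {
        if ($this->sesskeyProtected) {
            $submitted = (string) ($request['sesskey'] ?? '');
            $expected  = (string) ($session['sesskey'] ?? '');
            // Refuse when no session token exists or the submitted one differs.
            // hash_equals() compares in constant time.
            if ($expected === '' || !hash_equals($expected, $submitted)) {
                return 'error: invalid sesskey';
            }
        }
        return $this->invoke($request);
    }

    abstract protected function invoke(array $request): string;
}

// Read-only action: safe to skip the check because nothing is modified.
class ViewTableAction extends XmldbAction {
    protected bool $sesskeyProtected = false;

    protected function invoke(array $request): string {
        return 'viewed ' . $request['table'];
    }
}

// State-changing action: keeps the default and therefore requires the token.
class EditFieldAction extends XmldbAction {
    protected function invoke(array $request): string {
        return 'edited ' . $request['table'] . '.' . $request['field'];
    }
}

// Per-session random token; links a request to the session that rendered the form.
function generate_sesskey(): string {
    return bin2hex(random_bytes(16));
}

// Constructed session and requests for demonstration.
$session = ['sesskey' => generate_sesskey()];
$view    = new ViewTableAction();
$edit    = new EditFieldAction();

echo $view->launch($session, ['table' => 'user']), "\n";
echo $edit->launch($session, ['table' => 'user', 'field' => 'email']), "\n";
echo $edit->launch($session, ['table' => 'user', 'field' => 'email',
                              'sesskey' => $session['sesskey']]), "\n";
echo $edit->launch($session, ['table' => 'user', 'field' => 'email',
                              'sesskey' => 'forged']), "\n";
```

The four calls show the three cases in the comment: the read-only view succeeds without a token, the edit is refused when the token is missing or forged, and the edit succeeds only when the request carries the token belonging to the session. Putting the default in the base class is what makes the protection opt-out rather than opt-in, so a newly added action cannot be forgotten.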

Eloy Lafuente (stronk7) added a comment -

18_STABLE done, going to fight with HEAD.

Eloy Lafuente (stronk7) added a comment -

Done! Resolving as fixed.


