Moodle

Enables images in a course's summary to be visible on category pages for anonymous users (not logged in)

Details

  • Type: Bug
  • Status: Closed
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: 1.9
  • Fix Version/s: 2.0
  • Component/s: Course, Usability
  • Labels: None
  • Difficulty: Easy
  • Affected Branches: MOODLE_19_STABLE
  • Fixed Branches: MOODLE_20_STABLE

Description

When anonymous users (who are not logged into the Moodle system) are viewing category pages,
it enables them to see images that teachers put inside the course's summary which are
inside the course's file repository, and which are normally not accessible to
unauthenticated (not logged in) users (if at all, exposed by the teacher in the main course pages).

The patch:
I have added a security-trimmed /sendfile.php instead of /file.php,
and I replaced the following line (moodle/course/lib.php, line 1946):

echo format_text( $course->summary, FORMAT_MOODLE, $options, $course->id);

with this line:

echo format_text( str_replace("file.php", "sendfile.php", $course->summary), FORMAT_MOODLE, $options, $course->id);

and I am attaching the sendfile.php (for review as well!)

Activity

Petr Škoda (skodak) added a comment -

Hello,
yes, this is a known problem; the solution is part of the 2.0 file API rewrite. There are no plans to lower the security of course files in 1.9.x, sorry.

Petr

Petr Škoda (skodak) added a comment -

The attached sendfile.php is definitely not a good idea for 1.9.x; it would have to at least test that the file is actually in the description and that it is not a backup file or any module file...

Nadav Kavalerchik added a comment -

If I am checking (will add a check) that files are images only, will that be OK?

Petr Škoda (skodak) added a comment -

No, you have to make sure the file is actually used in the description text; otherwise anybody may "steal" course files.

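The check Petr asks for above, written out as an added example: this is not Moodle's code and not the attached sendfile.php, but what a security-trimmed sender would have to verify before handing a course file to a visitor who is not logged in. Every name here (course_summary_allows_file, summary_image_paths, the sample summary and its course id 2) is hypothetical. It assumes the caller already has the course's summary HTML and the path requested after "sendfile.php/<courseid>/", and it refuses everything the summary does not itself embed as an <img> source via file.php, plus backups, module data and non-image files regardless.

```php
<?php
// Added example (hypothetical names, not Moodle's sendfile.php): decide whether
// a file from course $courseid's file area may be served to an anonymous
// viewer of the category page. The rule is the one from the discussion above:
// only files the course summary actually references, and never backups or
// module files.

/**
 * Extract every (courseid, relpath) pair that the summary embeds through
 * file.php, in either the "file.php/2/pic.png" path form or the
 * "file.php?file=/2/pic.png" query form that file.php also understands.
 */
function summary_image_paths(string $summary): array {
    $found = [];
    if (!preg_match_all('/<img\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']/i', $summary, $m)) {
        return $found;
    }
    foreach ($m[1] as $src) {
        $src = html_entity_decode($src, ENT_QUOTES);
        $path = (string) parse_url($src, PHP_URL_PATH);
        $query = (string) parse_url($src, PHP_URL_QUERY);
        $target = '';
        if (preg_match('~(^|/)file\.php/(.+)$~', $path, $mm)) {
            $target = $mm[2];                       // path-info form
        } elseif ($query !== '' && preg_match('~(^|/)file\.php$~', $path)) {
            parse_str($query, $q);                  // ?file=/<courseid>/<relpath> form
            $target = ltrim((string) ($q['file'] ?? ''), '/');
        }
        $parts = explode('/', rawurldecode($target), 2);
        if (count($parts) === 2 && ctype_digit($parts[0])) {
            $found[] = [(int) $parts[0], $parts[1]];
        }
    }
    return $found;
}

/**
 * True only if $relpath (the part after "sendfile.php/<courseid>/" in the
 * request) is a summary image of course $courseid; false for anything else.
 */
function course_summary_allows_file(int $courseid, string $summary, string $relpath): bool {
    // 1. Normalise and reject anything that could escape the course's file area.
    $clean = ltrim(rawurldecode($relpath), '/');
    if ($clean === '' || strpos($clean, "\0") !== false) {
        return false;
    }
    foreach (explode('/', $clean) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return false;
        }
    }

    // 2. Backups and module data are never summary images: refuse them outright,
    //    whatever the summary says.
    $topdir = strtolower(explode('/', $clean, 2)[0]);
    if (in_array($topdir, ['backupdata', 'moddata'], true)) {
        return false;
    }

    // 3. Only image types belong in a summary shown to anonymous users.
    $ext = strtolower(pathinfo($clean, PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true)) {
        return false;
    }

    // 4. The decisive check: the summary must reference exactly this file in
    //    this course. Without it anybody could fetch arbitrary course files
    //    simply by guessing their names.
    foreach (summary_image_paths($summary) as [$refcourse, $refpath]) {
        if ($refcourse === $courseid && $refpath === $clean) {
            return true;
        }
    }
    return false;
}

// Constructed sample summary for a hypothetical course with id 2.
$summary = '<p>Welcome! <img src="http://example.test/file.php/2/banner.png" alt=""></p>'
         . '<img src="file.php?file=/2/logo.jpg">';

var_dump(course_summary_allows_file(2, $summary, 'banner.png'));            // referenced via path form
var_dump(course_summary_allows_file(2, $summary, 'logo.jpg'));              // referenced via ?file= form
var_dump(course_summary_allows_file(2, $summary, 'backupdata/backup.zip')); // backup, always refused
var_dump(course_summary_allows_file(2, $summary, 'secret.png'));            // image, but not in the summary
var_dump(course_summary_allows_file(3, $summary, 'banner.png'));            // referenced by another course
var_dump(course_summary_allows_file(2, $summary, '../2/banner.png'));       // traversal attempt
```

The image-extension check alone (the reporter's suggestion) would still let anyone enumerate every image in the course's file area; step 4 is what ties the served file to the text the teacher chose to publish on the category page. Because the summary is the authority, a teacher removing an image from the summary also revokes anonymous access to it without any further bookkeeping.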
