Moodle Community Sites

Marc, thanks for your report. Is it only moodle.org which is affected, or other 1.9.4+ sites?

This seems to happen only in moodle.org - just tested a local install with latest moodle 1.9.4+

Some custom code in tex filter files of moodle.org?

Mauno, thanks for your feedback. Reassigning to Martin.

Assigning to Jordan. Not sure if it's the move to the new server or the new security fixes. I'm guessing the former.

There is no custom code on moodle.org for any of this stuff.

Could it come from settings page in administration where paths to latex, dvips and convert are given - some space etc?

Somehow moodle.org manages to add that usepackage code if tex starts with space or uses [ ] ...

$$\alpha$$ works ok but $$ \alpha$$ gives extra code.

Resolved by setting config option filter_tex_latexpreamble to the default in the moodle.org database - it was missing the initial \ on all arguments causing latex to fail

And if settings are ok some other filter might cause the problem - it just does not look logical some normal latex works and some give those package messages.

Try for example $$\alpha\beta$$ , $$ \alpha\beta$$ , $$\alpha \beta$$ or $$ \alpha \beta $$ that are all valid - which works?

Answer is - none!

OK - solved now - Thanks Jordan!

(I was testing this some seconds before your post and cleared cache to see that everything is fine now)

For info, this also happened to the Open University's 1.9.3ish system, so I don't think this is only a moodle.org site issue. The same solution (change the spaces to backslashes as per default in filter_tex_latexpreamble) resolved the issue.

We think we haven't ever changed this setting so it should be default - while it's possible somebody could have broken it without telling me or Rod, since it's happened in two sites, it seems likely to me that some upgrade somewhere along the line probably stripped the backslashes

to clarify - I said 1.9.3 but that is 1.9.3 plus security patches - we probably took the TeX security patch, meaning that is a possible cause of this breakage.

http://moodle.org/security/ MDL-18552, CVE-2009-1171
Do you think this "security fix" broke the tex?

My understanding is that worst case is that a tex exploit could be used to view some files..... Has anyone balanced out the possible worst case result of a Tex exploit on Moodle vs limited functionality and introduction of additional errors?

I don't think the security fix itself could have changed the settings in database and nobody has touched file filtersettings.php,v 1.1.2.2 2007/12/19 17:38:42 where default settings for those usepackage commands are. The worst theoretical case is that somebody had used the security hole before fix and got access to database (it was possible to get config.php or any other files before that fix) - more likely the cause is that either some human moodler has changed some settings or used some command to strip backslashes or some upgrading process that has stripped backslashes - hopefully no other needed backslashes are missing.

I have not noticed any such issues although I have upgraded practically every week (Debian Lenny recently)