MDL-19354: use of portfolio callbackfile and callbackclass parameters in portfolio/add.php is unacceptable

Project: Moodle
Parent issue: MDL-19353 portfolio code review META


    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 2.0
    • Component/s: Portfolio
    • Labels:
      None
    • Affected Branches:
      MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE

      Description

      The following code from portfolio/add.php is a security nightmare: allowing anybody (including guests) to include ANY Moodle file from dirroot and instantiate ANY class with ANY parameters is unacceptable. Please note that there is also no sesskey CSRF protection!

      $callbackfile = optional_param('callbackfile', null, PARAM_PATH); // callback file eg /mod/forum/lib.php - the location of the exporting content
      $callbackclass = optional_param('callbackclass', null, PARAM_ALPHAEXT); // callback class eg forum_portfolio_caller - the class to handle the exporting content.

      $callbackargs = array();
      foreach (array_keys(array_merge($_GET, $_POST)) as $key) {
          if (strpos($key, 'ca_') === 0) {
              if (!$value = optional_param($key, false, PARAM_ALPHAEXT)) {
                  if (!$value = optional_param($key, false, PARAM_NUMBER)) {
                      $value = optional_param($key, false, PARAM_PATH);
                  }
              }
              // strip off ca_ for niceness
              $callbackargs[substr($key, 3)] = $value;
          }
      }
      // righto, now we have the callback args set up
      // load up the caller file and class and tell it to set up all the data
      // it needs
      require_once($CFG->dirroot . $callbackfile);
      $caller = new $callbackclass($callbackargs);
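As an added example, not code from the page and not Moodle's actual fix, here is one way to close the three holes the report names: no sesskey check, an attacker-chosen include path, and instantiation of an arbitrary class with arbitrary arguments. Everything prefixed demo_ and every sample value is an assumption; DEMO_SESSKEY stands in for the per-session key that Moodle's require_sesskey() checks.

```php
<?php
// Added example, not Moodle's code. demo_* names and sample values are hypothetical;
// DEMO_SESSKEY stands in for the session key Moodle's require_sesskey() verifies.
// Minimal stand-ins so the example runs outside Moodle.
abstract class demo_caller_base {
    protected $args;
    public function __construct(array $args) { $this->args = $args; }
}
class forum_portfolio_caller extends demo_caller_base {}
const DEMO_SESSKEY = 'constructed-session-key';
// Allowlist: each permitted caller class is bound to the one file (relative to
// dirroot) that defines it. The request may name a class, never a path.
const DEMO_CALLERS = array('forum_portfolio_caller' => '/mod/forum/lib.php');
// One explicit type per ca_* argument; anything not listed is ignored.
const DEMO_ARG_FILTERS = array('id' => FILTER_VALIDATE_INT, 'postid' => FILTER_VALIDATE_INT);
function demo_build_caller(array $request, string $dirroot) {
    // 1. CSRF: a state-changing request must carry the session key.
    $sent = isset($request['sesskey']) ? (string)$request['sesskey'] : '';
    if (!hash_equals(DEMO_SESSKEY, $sent)) {
        throw new RuntimeException('missing or invalid sesskey');
    }
    // 2. The class name only selects an allowlist entry; the include path is fixed.
    $class = isset($request['callbackclass']) ? $request['callbackclass'] : '';
    if (!isset(DEMO_CALLERS[$class])) {
        throw new RuntimeException('unknown portfolio caller');
    }
    if (!class_exists($class, false)) {   // not reached here: the class is defined above
        require_once($dirroot . DEMO_CALLERS[$class]);
    }
    // 3. Even an allowlisted name must resolve to a real caller, not an arbitrary class.
    if (!is_subclass_of($class, 'demo_caller_base')) {
        throw new RuntimeException("$class is not a portfolio caller");
    }
    // 4. Typed argument collection replaces the ALPHAEXT/NUMBER/PATH guessing cascade.
    $args = array();
    foreach (DEMO_ARG_FILTERS as $name => $filter) {
        if (!isset($request['ca_' . $name])) { continue; }
        $value = filter_var($request['ca_' . $name], $filter);
        if ($value === false) { throw new RuntimeException("bad value for ca_$name"); }
        $args[$name] = $value;
    }
    return new $class($args);
}
// Constructed request: callbackfile is simply never read, callbackclass is bound
// to the allowlist, and ca_* values are validated against a declared type.
$caller = demo_build_caller(
    array('sesskey' => DEMO_SESSKEY, 'callbackclass' => 'forum_portfolio_caller', 'ca_id' => '42'),
    '/var/www/moodle');
echo get_class($caller), "\n";
```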

            People

            • Assignee: Penny Leach (mjollnir)
            • Reporter: Petr Skoda (skodak)
            • Component watchers: Jake Dallimore, Jun Pataleta
            • Votes: 0
            • Watchers: 1

              Dates

              • Fix Release Date: 24/Nov/10