
Ability to install and use input filters

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.9.5
    • Fix Version/s: None
    • Component/s: Filters, Libraries
    • Labels:
      None
    • Environment:
      This affects all areas where user textual input is possible.
    • Database:
      Any
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_19_STABLE
    • Rank:
      2453

      Description

      Moodle has a well-established framework which allows for the installation of pluggable and configurable output content filters. One prominent example is the Math content filters, used to render visual representations of formulas written, for instance, in the TeX or LaTeX language.

      Depending on how a particular content is processed by a filter, potential security issues may arise. For instance, without the required attention, a user may type a well-crafted sequence of LaTeX commands to be processed by the LaTeX filter which will reveal the contents of a protected or hidden file, or even alter the contents of such a file. On the other hand, simply banning all such commands prevents the teacher from using important and sometimes essential LaTeX constructs.

      Using just output filters it is impossible to solve this issue, because the output filter cannot precisely determine what the rights of the content author are. Furthermore, one single page, like a forum discussion, may show content which was produced by a teacher and also content which was input by a student.

      Our patch proposes to solve this issue by allowing Moodle to filter input based on the rights of the individual who is providing the input. In fact, we are not proposing a new filter framework, but just allowing a filter.php file to also provide a function named filtername_input_filter. The main change caused by this patch is to certify that places where user input is acquired make sure that the input filter chain gets called, thus filtering user input.

      Our new filter LatexRender-ng, available at latexrender-ng.sourceforge.net, is an example of such a filter. It replaces the old LatexRender filter with many more new features, including the input filtering. Thus a teacher can use the full power of LaTeX while a student or other less authorized user will not be able to abuse it.

      It is possible that this solution is still incomplete. The author will be glad to know whether he can contribute any further and hopes that his contribution will be evaluated.
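      The mechanism the description proposes, as an added example in PHP (Moodle's language) that is not part of this issue, of Moodle, or of the LatexRender-ng patch: a filter plugin exposes a filtername_input_filter() function, and a dispatcher runs the chain of such functions wherever user text is accepted, passing the author along so the decision can depend on that author's rights. The $author array, its 'trusted_latex' flag, run_input_filters(), restricted_latex_commands_in() and the command list are assumptions made for this illustration, and the forum post is constructed sample input.

```php
<?php
// Added example for this issue page; not Moodle code and not the LatexRender-ng
// patch. Models the proposed input-filter chain: <filtername>_input_filter()
// is called at save time with the author known. The author array, the
// 'trusted_latex' flag, the dispatcher and the command list are assumptions.

// TeX/LaTeX primitives that reach outside the document (file reading, file
// writing, shell escape via \write18, or redefinition of those primitives).
// Constructed for the example; a production filter needs a fuller list.
const RESTRICTED_LATEX_COMMANDS = [
    'input', 'include', 'openin', 'openout', 'read', 'write', 'immediate',
    'catcode', 'csname', 'def', 'let', 'usepackage',
];

// Matches a restricted command. (?![A-Za-z]) rather than \b so that \write18
// is still caught: TeX command names are letters only, "18" is an argument.
function restricted_latex_pattern(): string {
    return '/\\\\(' . implode('|', RESTRICTED_LATEX_COMMANDS) . ')(?![A-Za-z])/';
}

/**
 * Input filter in the shape the issue proposes. It runs when the text is
 * stored, so it knows who wrote it and can apply a per-author policy; an
 * output filter only sees the assembled page and cannot tell whose text
 * each fragment is.
 *
 * For untrusted authors the restricted commands are neutralised: the leading
 * backslash becomes \textbackslash{} so the command renders as literal text
 * instead of being executed by the TeX engine.
 */
function latex_input_filter(string $text, array $author): string {
    if (!empty($author['trusted_latex'])) {
        return $text;   // e.g. a teacher: full power of LaTeX
    }
    return preg_replace(restricted_latex_pattern(), '\\\\textbackslash{}$1', $text);
}

/** Names of restricted commands still live in a text (for logging/tests). */
function restricted_latex_commands_in(string $text): array {
    preg_match_all(restricted_latex_pattern(), $text, $m);
    return array_values(array_unique($m[1]));
}

/**
 * Dispatcher modelling "make sure the input filter chain gets called": every
 * place that stores user text passes it through here. Filters are found by
 * the naming convention the issue suggests.
 */
function run_input_filters(string $text, array $author, array $filternames): string {
    foreach ($filternames as $name) {
        $fn = $name . '_input_filter';
        if (function_exists($fn)) {
            $text = $fn($text, $author);
        }
    }
    return $text;
}

// Constructed sample: one forum post body, submitted by two different authors.
$post = 'Area under the curve: $$\int_0^1 x^2\,dx$$' . "\n"
      . '\input{/etc/passwd}' . "\n"
      . '\immediate\write18{id > /tmp/out}';

$teacher = ['username' => 'teacher', 'trusted_latex' => true];
$student = ['username' => 'student', 'trusted_latex' => false];

foreach ([$teacher, $student] as $author) {
    $stored = run_input_filters($post, $author, ['latex']);
    echo "--- as {$author['username']} ---\n", $stored, "\n";
    $left = restricted_latex_commands_in($stored);
    echo 'restricted commands still live: ', $left ? implode(', ', $left) : 'none', "\n";
}
```

      Neutralising is one possible policy; rejecting the submission with an error message is another, and is easier for the author to understand. Two caveats follow directly from the description: the protection only covers text that actually passes through run_input_filters(), so every code path that stores user text has to be audited, and text stored before the input filter was deployed is still unfiltered in the database.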

        Activity

        Helen Foster added a comment -

        Waldeck, thanks for your report and patch

        Just adding a link to the forum discussion:

        Feedback wanted: LatexRender/Moodle security improvements http://moodle.org/mod/forum/discuss.php?d=130417

        Added Petr as a watcher for consideration of security improvements.

        Waldeck Schutzer added a comment -

        Helen, thank you for the follow-up and for including a link to that interesting discussion we are having. I would like to add here a link to the course I wrote in Moodle which uses LatexRender intensively. It is accessible for guests at: http://www.dm.ufscar.br/profs/waldeck/moodle/course/view.php?id=4

        Perhaps that site will give you a better idea about the motivations which led me to write a new math filter and to dig into Moodle's internals for better security.

        Alan Trick added a comment -

        I would also like input filters, but for another reason. To help rid our database of all sorts of MS Office junk HTML.

        Eloy Lafuente (stronk7) added a comment -

        This issue was assigned to me automatically, however I will not be able to work on this issue in the immediate future. In order to create a truer sense of the state of this issue and to allow other developers to have chance to become involved, I am removing myself as the assignee of this issue.

        For more information, see http://docs.moodle.org/dev/Changes_to_issue_assignment


          People

          • Votes: 1
          • Watchers: 4
