Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: 2.0
    • Fix Version/s: STABLE backlog
    • Component/s: Wiki (2.x)
    • Affected Branches: MOODLE_20_STABLE

Description

Tim just created new security-related pages in our docs: http://docs.moodle.org/en/Development:Security

1/ learn how to use require_login() and require_course_login()
2/ learn how to use sesskey to prevent CSRF
3/ add missing capability tests
4/ learn how to use s() in forms - potential XSS in block_wiki_search - PARAM_ACTION prevents it, but this type is not correct there because it would work for English only

Activity

skodak Petr Skoda added a comment -

this is not a real security issue, but the following can not work:

<code php>
$option = optional_param('editoption', '', PARAM_ALPHA); // PARAM_ALPHA keeps only a-zA-Z
if ($option == get_string('cancel')) { // localised label, so only an English label can match
    // ...
}
</code>

skodak Petr Skoda added a comment -

still also will not work:

<code php>
$newcontent = optional_param('newcontent', '', PARAM_CLEANHTML);
</code>

because it is not always in HTML format

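As an added illustration (not code from mod/wiki or from any commenter), here is a minimal edit handler written to avoid the problems listed in the description and in the two comments above: require_login() plus a capability test, a sesskey check against CSRF, a language-independent cancel check instead of comparing a PARAM_ALPHA value with get_string('cancel'), raw content kept with its declared format instead of PARAM_CLEANHTML, and s() on values written into the form. The capability name, field names and the view/edit script names are assumptions.

```php
<?php
// Added example, not code from mod/wiki: a minimal edit handler written to avoid
// the problems raised in this issue. The capability name, field names and the
// view/edit script names are assumptions for illustration.
require_once('../../config.php');
$id = required_param('id', PARAM_INT); // course module id

// 1/ require_login() with course and module, then 3/ an explicit capability test.
$cm     = get_coursemodule_from_id('wiki', $id, 0, false, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);
require_login($course, false, $cm);
$context = get_context_instance(CONTEXT_MODULE, $cm->id);
require_capability('mod/wiki:editpage', $context);
$PAGE->set_url('/mod/wiki/edit.php', array('id' => $cm->id));

// The comparison $option == get_string('cancel') after PARAM_ALPHA cleaning can
// only match a plain ASCII English label. Give the button a fixed field name and
// test for the field itself; its localised label is then irrelevant.
if (optional_param('cancel', 0, PARAM_BOOL)) {
    redirect(new moodle_url('/mod/wiki/view.php', array('id' => $cm->id)));
}

if (data_submitted()) {
    // 2/ every state-changing POST must carry the user's sesskey (CSRF protection).
    require_sesskey();

    // PARAM_CLEANHTML assumes HTML; wiki content may be in another format, so take
    // the raw text plus its declared format and clean it on output via format_text().
    $newcontent = optional_param('newcontent', '', PARAM_RAW);
    $format     = optional_param('contentformat', FORMAT_HTML, PARAM_INT);
    echo $OUTPUT->header();
    echo format_text($newcontent, $format, array('context' => $context)); // preview
    echo $OUTPUT->footer();
    exit;
}

// 4/ s() HTML-escapes anything placed into attributes or element text, so a
// crafted label or value cannot break out of the markup (XSS).
echo $OUTPUT->header();
echo '<form method="post" action="edit.php">';
echo '<input type="hidden" name="id" value="' . $cm->id . '" />';
echo '<input type="hidden" name="sesskey" value="' . sesskey() . '" />';
echo '<input type="hidden" name="contentformat" value="' . FORMAT_HTML . '" />';
echo '<textarea name="newcontent"></textarea>';
echo '<input type="submit" name="submit" value="' . s(get_string('savechanges')) . '" />';
echo '<input type="submit" name="cancel" value="' . s(get_string('cancel')) . '" />';
echo '</form>';
echo $OUTPUT->footer();
```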
granludo Ludo ( Marc Alier) added a comment -

Jordi, Petr,
is this still an open issue?

skodak Petr Skoda added a comment -

yes, I have just found multiple security issues in the mod/wiki, going to post them here today
ciao

tsala Helen Foster added a comment -

Petr, sorry I can't see your post! Can this issue be resolved now?

skodak Petr Skoda added a comment -

No idea, I did not study the code recently, going to have a quick look later today...

tsala Helen Foster added a comment -

Dongsheng, please could you look into whether there are any security issues in the wiki.

dongsheng Dongsheng Cai added a comment -

This issue was assigned to me automatically, however I will not be able to work on this issue in the immediate future. In order to create a truer sense of the state of this issue and to allow other developers to have a chance to become involved, I am removing myself as the assignee of this issue.
For more information, see http://docs.moodle.org/dev/Changes_to_issue_assignment

marina Marina Glancy added a comment -

Closing this issue as most have already been fixed in other issues. If some security holes still remain, please create a separate issue with specific details and appropriate security status. Thanks.