Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: 2.0
    • Fix Version/s: STABLE backlog
    • Component/s: Wiki (2.x)
    • Labels:
    • Affected Branches:
      MOODLE_20_STABLE

      Description

      Tim just created new security-related pages in our docs http://docs.moodle.org/en/Development:Security

      1/ learn how to use require_login() and require_course_login()
      2/ learn how to use sesskey to prevent CSRF
      3/ add missing capability tests
      4/ learn how to use s() in forms - potential XSS in block_wiki_search - PARAM_ACTION prevents it, but this type is not correct there because it would work for English only
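      The four items above, as an added example written for this issue and not code from mod/wiki: a hypothetical "edit page" script for a Moodle 2.0 activity module showing where each check goes. The script path, the URL and the newcontent/searchstring parameter names are assumptions; require_login(), require_course_login(), require_capability(), require_sesskey(), s() and the mod/wiki:editpage capability are real Moodle 2.0 names.

```php
<?php
// Added example, not mod/wiki code: the four checks from the list applied to
// a hypothetical edit script. Names marked "hypothetical" are illustrative.

require_once(dirname(__FILE__) . '/../../config.php');

$cmid   = required_param('id', PARAM_INT);           // course module id
$action = optional_param('action', '', PARAM_ALPHA);  // fixed, language-neutral value

// 1) Resolve the module instance and its course, then require a login bound to
//    that course and module. require_login() redirects guests and unenrolled
//    users away before any wiki data is read. require_course_login() is the
//    weaker variant for pages that must stay reachable in courses open to
//    guests; it is not appropriate for an editing script like this one.
$cm     = get_coursemodule_from_id('wiki', $cmid, 0, false, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);
require_login($course, true, $cm);

// 3) A login proves identity, not permission: the capability check decides
//    whether this user may edit pages in this particular wiki (2.0 context API).
$context = get_context_instance(CONTEXT_MODULE, $cm->id);
require_capability('mod/wiki:editpage', $context);

$PAGE->set_url('/mod/wiki/edit.php', array('id' => $cmid));  // hypothetical path
$PAGE->set_context($context);

if ($action === 'save' && data_submitted()) {
    // 2) Every state-changing request must carry the user's session key; without
    //    this check a form on any other site could save content as this user.
    require_sesskey();
    // The content is taken raw here: how it is cleaned depends on the stored
    // content format, which is decided elsewhere (see the comments below).
    $newcontent = required_param('newcontent', PARAM_RAW);
    // ... store $newcontent for $cm->instance ...
    redirect(new moodle_url('/mod/wiki/view.php', array('id' => $cmid)));
}

echo $OUTPUT->header();

// 4) Any user-supplied value written into HTML goes through s(), Moodle's
//    htmlspecialchars() wrapper. Without it a search string such as
//    "><script>... (constructed attacker input) becomes markup in the page.
$searchterm = optional_param('searchstring', '', PARAM_TEXT);  // hypothetical parameter
echo '<form method="post" action="' . $PAGE->url->out() . '">';       // out() escapes by default
echo '<input type="hidden" name="sesskey" value="' . sesskey() . '" />';
echo '<input type="text" name="searchstring" value="' . s($searchterm) . '" />';
echo '<input type="submit" name="action" value="save" />';
echo '</form>';

echo $OUTPUT->footer();
```

      The capability name is checked against the module context rather than the course context so that a user who can edit one wiki in a course does not automatically gain editing rights in every wiki of that course.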


          Activity

          Petr Skoda added a comment -

          this is not a real security issue, but following can not work:

          <code php>
          $option = optional_param('editoption', '', PARAM_ALPHA);
          if ($option == get_string('cancel')) {
              // only ever true for English: PARAM_ALPHA keeps letters only and get_string() is localised
          }
          </code>

          Petr Skoda added a comment -

          still also will not work $newcontent = optional_param('newcontent','', PARAM_CLEANHTML);
          because it is not always in HTML format

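          Both parameter pitfalls from the two comments above, as an added example that is not mod/wiki code, each shown in its broken form beside a working one. The names editoption and newcontent are the ones from the comments; the cancel button name, the posted contentformat parameter and the exception string id are assumptions made for the illustration.

```php
<?php
// Added example, not mod/wiki code: the two parameter pitfalls from the
// comments, each with the broken form and a working form.

require_once(dirname(__FILE__) . '/../../config.php');

$cmid = required_param('id', PARAM_INT);
require_login();

// Pitfall 1: comparing a PARAM_ALPHA value with a translated string.
// PARAM_ALPHA strips everything except letters, and get_string('cancel')
// returns the label in the current language (e.g. "Abbrechen", "Отмена"),
// so the comparison only succeeds when the site language is English.
$option = optional_param('editoption', '', PARAM_ALPHA);
if ($option == get_string('cancel')) {      // broken: language-dependent
    // not reached for most languages
}

// Working form: give the button a fixed, language-neutral name and test for
// the presence of the parameter; the translated text is only the visible label.
$cancel = optional_param('cancel', null, PARAM_RAW);   // assumption: button named "cancel"
if ($cancel !== null) {                                // value is irrelevant, presence counts
    redirect(new moodle_url('/mod/wiki/view.php', array('id' => $cmid)));
}
// The matching form control, for reference:
// echo '<input type="submit" name="cancel" value="' . s(get_string('cancel')) . '" />';

// Pitfall 2: PARAM_CLEANHTML on text that is not always HTML.
// A Moodle 2.0 wiki page carries a content format (html, creole or nwiki).
// PARAM_CLEANHTML runs the HTML purifier, which assumes the text is HTML, so it
// is the wrong cleaner for the two wiki-markup formats. Take the text raw and
// let the stored format decide how it is cleaned.
$newcontent = optional_param('newcontent', '', PARAM_RAW);
$format     = optional_param('contentformat', 'html', PARAM_ALPHA);  // assumption: posted with the form

switch ($format) {
    case 'html':
        // Only HTML input can be purified as HTML at submission time.
        $stored = clean_param($newcontent, PARAM_CLEANHTML);
        break;
    case 'creole':
    case 'nwiki':
        // Wiki markup is stored as typed; it must be turned into HTML by the
        // wiki's own parser at render time and never echoed raw.
        $stored = $newcontent;
        break;
    default:
        // Reject anything that is not one of the known formats.
        throw new moodle_exception('invalidformat', 'mod_wiki');   // hypothetical string id
}
// ... store $stored together with $format ...
```

          For Moodle 2.0 forms the idiomatic route to the first fix is a moodleform with add_action_buttons() and is_cancelled(), which performs the same presence test on a fixed 'cancel' field name.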
          Ludo (Marc Alier) added a comment -

          Jordi, Petr,
          is this still an opened issue?

          Petr Skoda added a comment -

          Yes, I have just found multiple security issues in mod/wiki, going to post them here today.
          ciao

          Helen Foster added a comment -

          Petr, sorry I can't see your post! Can this issue be resolved now?

          Petr Skoda added a comment -

          No idea, I did not study the code recently, going to have a quick look later today....

          Helen Foster added a comment -

          Dongsheng, please could you look into whether there are any security issues in the wiki.

          Dongsheng Cai added a comment -

          This issue was assigned to me automatically, however I will not be able to work on this issue in the immediate future. In order to create a truer sense of the state of this issue and to allow other developers to have chance to become involved, I am removing myself as the assignee of this issue.
          For more information, see http://docs.moodle.org/dev/Changes_to_issue_assignment

          Marina Glancy added a comment -

          Closing this issue as most of it has already been fixed in other issues. If some security holes still remain, please create a separate issue with specific details and the appropriate security status. Thanks.


            People

            • Votes: 0
            • Watchers: 3
