Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: 2.0
    • Fix Version/s: STABLE backlog
    • Component/s: Wiki (2.x)
    • Labels: (none)
    • Affected Branches: MOODLE_20_STABLE
    • Rank: 781

      Description

      Tim just created new security-related pages in our docs: http://docs.moodle.org/en/Development:Security

      1/ learn how to use require_login() and require_course_login()
      2/ learn how to use sesskey to prevent CSRF
      3/ add missing capability tests
      4/ learn how to use s() in forms - potential XSS in block_wiki_search - PARAM_ACTION prevents it, but this type is not correct there because it would work for English only

        Activity

        Petr Škoda added a comment -

        This is not a real security issue, but the following cannot work:

        <code php>
        // PARAM_ALPHA keeps only a-z/A-Z, and get_string('cancel') is translated,
        // so this comparison only holds for an English, ASCII-only label.
        $option = optional_param('editoption', '', PARAM_ALPHA);
        if ($option == get_string('cancel')) {
            // ...
        }
        </code>

        Petr Škoda added a comment -

        This also will not work: $newcontent = optional_param('newcontent','', PARAM_CLEANHTML);
        because it is not always in HTML format.

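        The sketch below is an added illustration; it is not code from this tracker issue or from Moodle's mod/wiki. It pulls together the four items in the description (require_login(), sesskey for CSRF, capability checks, s() for output) and the two points Petr raises in the comments above: detecting a button by a fixed field name instead of comparing against a translated label, and not forcing PARAM_CLEANHTML on wiki text whose format is not always HTML. The capability name 'mod/wiki:editpage', the form field names, the script location inside mod/wiki and the use of the 2.0-era get_context_instance() API are assumptions made for the example.

```php
<?php
// Added example, not Moodle's own code: a hardened "edit page" handler for a
// wiki-like activity module, using Moodle 2.x core APIs. Capability name, field
// names and the script location are assumptions for illustration.

require_once(dirname(__FILE__) . '/../../config.php');   // assumed: file lives in mod/wiki/

$cmid   = required_param('id', PARAM_INT);      // course module id
$pageid = required_param('pageid', PARAM_INT);  // wiki page id

// 1/ Authentication: bind the request to the course and the activity so that
//    guest access, enrolment and hidden activities are enforced centrally.
$cm     = get_coursemodule_from_id('wiki', $cmid, 0, false, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);
require_login($course, true, $cm);

// 3/ Authorization: being logged in does not imply permission to edit.
$context = get_context_instance(CONTEXT_MODULE, $cm->id); // 2.0-era API; newer code uses context_module::instance()
require_capability('mod/wiki:editpage', $context);        // assumed capability name

$PAGE->set_url('/mod/wiki/edit.php', array('id' => $cmid, 'pageid' => $pageid));
$PAGE->set_title(format_string($course->shortname));
$PAGE->set_heading(format_string($course->fullname));

// Detect which submit button was pressed by its fixed field name. Never compare
// the submitted value to get_string('cancel'): the label is translated, and
// PARAM_ALPHA would strip any non-ASCII letters from it anyway.
$cancel = optional_param('cancel', 0, PARAM_BOOL);
$save   = optional_param('save', 0, PARAM_BOOL);

if ($cancel) {
    redirect(new moodle_url('/mod/wiki/view.php', array('pageid' => $pageid)));
}

if ($save) {
    // 2/ CSRF: every state-changing request must carry the session key.
    //    require_sesskey() throws if 'sesskey' is missing or does not match.
    require_sesskey();

    // The wiki body is not always HTML (other markup formats exist), so do not
    // force PARAM_CLEANHTML on it. Store the raw text together with its format
    // and let format_text() clean it according to that format when displayed.
    $newcontent    = optional_param('newcontent', '', PARAM_RAW);
    $contentformat = optional_param('contentformat', FORMAT_HTML, PARAM_INT);

    // ... persist $newcontent and $contentformat through $DB here (omitted) ...
    redirect(new moodle_url('/mod/wiki/view.php', array('pageid' => $pageid)));
}

// 4/ Output escaping: anything echoed back into an HTML attribute goes through
//    s(), so a reflected search term cannot break out of the value="" quoting.
$search = optional_param('search', '', PARAM_TEXT);

echo $OUTPUT->header();
echo '<form method="post" action="' . new moodle_url('/mod/wiki/edit.php') . '">';
echo '<input type="hidden" name="id" value="' . $cmid . '" />';
echo '<input type="hidden" name="pageid" value="' . $pageid . '" />';
echo '<input type="hidden" name="sesskey" value="' . sesskey() . '" />';   // token the POST must echo back
echo '<input type="text" name="search" value="' . s($search) . '" />';
echo '<input type="submit" name="save" value="' . s(get_string('savechanges')) . '" />';
echo '<input type="submit" name="cancel" value="' . s(get_string('cancel')) . '" />';
echo '</form>';
echo $OUTPUT->footer();
```

        The two button fields are read with PARAM_BOOL, which yields 1 for any non-empty submitted label, so the check works regardless of the UI language; the label text itself is only ever used for display and is escaped with s() on the way out.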
        Ludo ( Marc Alier) added a comment -

        Jordi, Petr,
        is this still an open issue?

        Petr Škoda added a comment -

        Yes, I have just found multiple security issues in mod/wiki; I am going to post them here today.
        ciao

        Helen Foster added a comment -

        Petr, sorry I can't see your post! Can this issue be resolved now?

        Petr Škoda added a comment -

        No idea, I have not studied the code recently; I am going to have a quick look later today.

        Helen Foster added a comment -

        Dongsheng, please could you look into whether there are any security issues in the wiki.

        Dongsheng Cai added a comment -

        This issue was assigned to me automatically; however, I will not be able to work on this issue in the immediate future. In order to create a truer sense of the state of this issue and to allow other developers to have a chance to become involved, I am removing myself as the assignee of this issue.
        For more information, see http://docs.moodle.org/dev/Changes_to_issue_assignment

        Marina Glancy added a comment -

        Closing this issue, as most of the problems have already been fixed in other issues. If some security holes still remain, please create a separate issue with specific details and the appropriate security status. Thanks.


          People

          • Votes: 0
          • Watchers: 3
