Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.8.10, 1.9.6, 2.0
    • Fix Version/s: 1.8.11, 1.9.7, 2.0
    • Component/s: Database SQL/XMLDB
    • Labels:
      None
    • Database:
      Any
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_18_STABLE, MOODLE_19_STABLE, MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_18_STABLE, MOODLE_19_STABLE, MOODLE_20_STABLE

      Description

      The XMLDB Editor is missing sesskey protection (thanks Petr for spotting that). While it's difficult to perform any attack based on that (mainly because of the session-based nature of the whole editor), to be 100% sure and correct the sesskey thing must be applied to all "edit" actions in the editor.

      Going to do it. Ciao

          Activity

          stronk7 Eloy Lafuente (stronk7) added a comment -

          Committed to 19_STABLE. Using this approach:

          • By default all actions are sesskey protected (thanks, OOP).
          • Some of them, if they are safe, can be configured to skip the sesskey test.
          • The rest must be called with proper sesskey.

          Going to backport to 1.8 and merge to HEAD...ciao
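
The "protected by default, explicit opt-out" scheme described in the comment above, as an added illustrative PHP example (not the XMLDB editor's own code); current_sesskey(), EditorAction and the two action classes are assumed names, and the token is assumed to live in $_SESSION['sesskey']:

```php
<?php
// Illustrative "sesskey protected by default" action base class (added example,
// not the project's own code). Assumption: the per-session anti-CSRF token is
// kept in $_SESSION['sesskey']; current_sesskey() stands in for a real helper.

function current_sesskey(): string {
    if (empty($_SESSION['sesskey'])) {
        $_SESSION['sesskey'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['sesskey'];
}

abstract class EditorAction {
    // Safe default: every action must present a valid sesskey; a subclass has to opt out.
    protected bool $sesskeyProtected = true;
    // Single entry point used by the dispatcher: the check runs before execute().
    public function run(array $request) {
        if ($this->sesskeyProtected) {
            $supplied = (string) ($request['sesskey'] ?? '');
            if (!hash_equals(current_sesskey(), $supplied)) {   // constant-time compare
                throw new RuntimeException('Invalid sesskey for ' . static::class);
            }
        }
        return $this->execute($request);
    }
    abstract protected function execute(array $request);
}

// A mutating action inherits the default and needs no extra code to be protected.
class DropTableAction extends EditorAction {
    protected function execute(array $request) {
        unset($_SESSION['xmldb']['tables'][$request['table']]);
        return 'dropped ' . $request['table'];
    }
}

// A read-only action opts out; the opt-out is visible in the class itself.
class ViewTableAction extends EditorAction {
    protected bool $sesskeyProtected = false;
    protected function execute(array $request) {
        return $_SESSION['xmldb']['tables'][$request['table']] ?? null;
    }
}

// Constructed session state: a mutating request without the token is rejected, one with it succeeds.
$_SESSION = ['xmldb' => ['tables' => ['user' => ['fields' => ['id']]]]];
try { (new DropTableAction)->run(['table' => 'user']); } catch (RuntimeException $e) { echo "rejected\n"; }
echo (new DropTableAction)->run(['table' => 'user', 'sesskey' => current_sesskey()]), "\n";
```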

          stronk7 Eloy Lafuente (stronk7) added a comment -

          18_STABLE done, going to fight with HEAD.

          stronk7 Eloy Lafuente (stronk7) added a comment -

          Done! Resolving as fixed.


            People

            • Assignee:
              stronk7 Eloy Lafuente (stronk7)
            • Reporter:
              stronk7 Eloy Lafuente (stronk7)
            • Tester:
              Nobody
            • Participants:
            • Votes:
              0
            • Watchers:
              0

              Dates

              • Created:
              • Updated:
              • Resolved:
              • Fix Release Date:
                25/Nov/09