Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.8.10, 1.9.6, 2.0
    • Fix Version/s: 1.8.11, 1.9.7, 2.0
    • Component/s: Database SQL/XMLDB
    • Labels:
      None
    • Database:
      Any
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_18_STABLE, MOODLE_19_STABLE, MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_18_STABLE, MOODLE_19_STABLE, MOODLE_20_STABLE

      Description

      The XMLDB Editor is missing sesskey protection (thanks Petr for spotting that). While it's difficult to perform any attack based on that (mainly because of the session-based nature of the whole editor), to be 100% sure and correct the sesskey thing must be applied to all "edit" actions in the editor.

      Going to do it. Ciao

          Activity

          Eloy Lafuente (stronk7) added a comment -

          Committed to 19_STABLE. Using this approach:

          • By default all actions are sesskey protected (thanks, OOP).
          • Some of them, if they are safe, can be configured to skip the sesskey test.
          • The rest must be called with proper sesskey.

          Going to backport to 1.8 and merge to HEAD...ciao
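The three rules in the comment above (every action protected by default, an explicit opt-out only for safe actions, everything else refused without a valid sesskey) can be shown in a few lines of PHP. The block below is an added illustration written for this page; it is not Moodle's XMLDB editor code, and every class, function and parameter name in it is an assumption. It also does the token comparison inline with hash_equals() (PHP 5.6 or later) rather than calling Moodle's own confirm_sesskey().

```php
<?php
// Added illustration, not Moodle's own code: actions are sesskey-protected
// by default, read-only actions opt out explicitly, and the dispatcher refuses
// any protected action that arrives without a valid sesskey.
// All names below (classes, functions, parameters) are assumptions.

abstract class xmldb_action_example {
    // Default: a valid sesskey is required. Only subclasses that change no
    // state may override this to false.
    protected $sesskey_protected = true;

    public function sesskey_protected() {
        return $this->sesskey_protected;
    }

    abstract public function invoke();
}

// A read-only view: safe to run without a sesskey, so it opts out.
class view_table_example extends xmldb_action_example {
    protected $sesskey_protected = false;

    public function invoke() {
        return 'rendered table';
    }
}

// A state-changing edit: inherits the protected default and overrides nothing.
class delete_field_example extends xmldb_action_example {
    public function invoke() {
        return 'field deleted';
    }
}

// Constant-time comparison of the submitted token with the session token.
function sesskey_valid_example($submitted, $session_key) {
    if (!is_string($submitted) || !is_string($session_key) || $session_key === '') {
        return false;
    }
    return hash_equals($session_key, $submitted);
}

// Dispatcher: resolve the action by name, enforce the sesskey rule, then invoke.
function dispatch_example($action_name, $submitted_sesskey, $session_key) {
    $registry = array(
        'view_table'   => 'view_table_example',
        'delete_field' => 'delete_field_example',
    );
    if (!isset($registry[$action_name])) {
        return 'error: unknown action';
    }
    $action = new $registry[$action_name]();
    if ($action->sesskey_protected()
            && !sesskey_valid_example($submitted_sesskey, $session_key)) {
        return 'error: invalid sesskey';
    }
    return $action->invoke();
}

// Constructed demo values (not real tokens or real editor requests).
$session_key = 'constructed-session-token';
echo dispatch_example('view_table', null, $session_key), "\n";
echo dispatch_example('delete_field', null, $session_key), "\n";
echo dispatch_example('delete_field', 'constructed-session-token', $session_key), "\n";
```

The point of putting the flag on the base class is the one the comment makes: an action author who forgets to think about sesskey gets protection anyway, and the only way to lose it is to write an explicit opt-out that can be spotted in review.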

          Eloy Lafuente (stronk7) added a comment -

          18_STABLE done, going to fight with HEAD.

          Eloy Lafuente (stronk7) added a comment -

          Done! Resolving as fixed.


            People

            • Assignee: Eloy Lafuente (stronk7)
            • Reporter: Eloy Lafuente (stronk7)
            • Tester: Nobody
            • Votes: 0
            • Watchers: 0