Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.8.10, 1.9.6, 2.0
    • Fix Version/s: 1.8.11, 1.9.7, 2.0
    • Component/s: Database SQL/XMLDB
    • Labels:
      None
    • Database:
      Any
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_18_STABLE, MOODLE_19_STABLE, MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_18_STABLE, MOODLE_19_STABLE, MOODLE_20_STABLE
    • Rank:
      35656

      Description

      The XMLDB Editor is missing sesskey protection (thanks Petr for spotting that). While it's difficult to perform any attack based on that (mainly because of the session-based nature of the whole editor), to be 100% sure and correct the sesskey thing must be applied to all "edit" actions in the editor.

      Going to do it. Ciao

        Activity

        Eloy Lafuente (stronk7) added a comment -

        Committed to 19_STABLE. Using this approach:

        • By default all actions are sesskey protected (thanks, OOP).
        • Some of them, if they are safe, can be configured to skip the sesskey test.
        • The rest must be called with proper sesskey.

        Going to backport to 1.8 and merge to HEAD...ciao
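
The approach described in the comment above, as an added PHP illustration that is not Moodle's own code: the class names, the `invoke()` signature and the sample values are hypothetical, and the token comparison stands in for Moodle's sesskey validation.

```php
<?php
// Added illustration; class and method names are hypothetical, not Moodle's.

abstract class EditorAction {
    // Secure default: every action requires a valid session key.
    protected bool $sesskeyProtected = true;

    abstract protected function run(array $params): string;

    // Single, final entry point, so no subclass can forget the check.
    final public function invoke(array $params, string $sessionKey): string {
        if ($this->sesskeyProtected) {
            $supplied = $params['sesskey'] ?? '';
            // Constant-time comparison against the key bound to the session.
            if (!is_string($supplied) || !hash_equals($sessionKey, $supplied)) {
                throw new RuntimeException('Invalid or missing sesskey');
            }
        }
        return $this->run($params);
    }
}

// Read-only view: explicitly opts out of the check.
class ViewTableAction extends EditorAction {
    protected bool $sesskeyProtected = false;
    protected function run(array $params): string {
        return 'viewing ' . ($params['table'] ?? '?');
    }
}

// State-changing action: inherits the protected default without any extra code.
class DeleteTableAction extends EditorAction {
    protected function run(array $params): string {
        return 'deleted ' . ($params['table'] ?? '?');
    }
}

// Constructed demo values.
$key = bin2hex(random_bytes(16));
echo (new ViewTableAction())->invoke(['table' => 'user'], $key), "\n";
echo (new DeleteTableAction())->invoke(['table' => 'tmp', 'sesskey' => $key], $key), "\n";
try {
    // Request arriving without the session key, as a cross-site request would.
    (new DeleteTableAction())->invoke(['table' => 'tmp'], $key);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Because the check lives in the base class and defaults to on, a newly added edit action is protected unless someone deliberately marks it as exempt.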

        Eloy Lafuente (stronk7) added a comment -

        18_STABLE done, going to fight with HEAD.

        Eloy Lafuente (stronk7) added a comment -

        Done! Resolving as fixed.


          People

          • Assignee:
            Eloy Lafuente (stronk7)
            Reporter:
            Eloy Lafuente (stronk7)
            Tester:
            Nobody