Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.8.10, 1.9.6, 2.0
    • Fix Version/s: 1.8.11, 1.9.7, 2.0
    • Component/s: Database SQL/XMLDB
    • Labels: None
    • Database: Any
    • Difficulty: Easy
    • Affected Branches: MOODLE_18_STABLE, MOODLE_19_STABLE, MOODLE_20_STABLE
    • Fixed Branches: MOODLE_18_STABLE, MOODLE_19_STABLE, MOODLE_20_STABLE

      Description

      The XMLDB Editor is missing sesskey protection (thanks Petr for spotting that). While it's difficult to perform any attack based on that (mainly because of the session-based nature of the whole editor), to be 100% sure and correct, the sesskey thing must be applied to all "edit" actions in the editor.

      Going to do it. Ciao

            Activity

            stronk7 Eloy Lafuente (stronk7) added a comment -

            Committed to 19_STABLE. Using this approach:

            • By default all actions are sesskey protected (thanks, OOP).
            • Some of them, if they are safe, can be configured to skip the sesskey test.
            • The rest must be called with proper sesskey.

            Going to backport to 1.8 and merge to HEAD...ciao

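            The approach described in the comment above (every editor action requires a session key by default, read-only actions explicitly opt out, and the token is checked before the action runs), as an added illustration that is not Moodle's code. Class names, `check_sesskey()` and `dispatch()` are hypothetical, and the token comparison stands in for Moodle's own sesskey functions.

```php
<?php
// Illustrative CSRF-token ("sesskey") dispatcher; not Moodle code, names are hypothetical.

abstract class Action {
    // Default for every action: a valid sesskey is required before it runs.
    protected bool $sesskeyProtected = true;

    public function sesskeyProtected(): bool {
        return $this->sesskeyProtected;
    }

    abstract public function invoke(array $params): string;
}

// A read-only action changes nothing server-side, so it may opt out explicitly.
class ViewTableAction extends Action {
    protected bool $sesskeyProtected = false;
    public function invoke(array $params): string { return 'viewing ' . $params['table']; }
}

// A state-changing action keeps the protected default; no opt-out needed.
class DeleteFieldAction extends Action {
    public function invoke(array $params): string { return 'deleted ' . $params['field']; }
}

// Constant-time comparison of the token bound to the session with the one supplied.
function check_sesskey(array $session, ?string $supplied): bool {
    return $supplied !== null && isset($session['sesskey'])
        && hash_equals($session['sesskey'], $supplied);
}

// The single choke point: the token is verified here, not inside each action.
function dispatch(Action $action, array $session, array $request): string {
    if ($action->sesskeyProtected() && !check_sesskey($session, $request['sesskey'] ?? null)) {
        throw new RuntimeException('Invalid session key');
    }
    return $action->invoke($request);
}

// Constructed sample session: one random per-session token.
$session = ['sesskey' => bin2hex(random_bytes(8))];

echo dispatch(new ViewTableAction(), $session, ['table' => 'user']), "\n";   // no token needed
echo dispatch(new DeleteFieldAction(), $session,
              ['field' => 'email', 'sesskey' => $session['sesskey']]), "\n"; // token present
try {
    dispatch(new DeleteFieldAction(), $session, ['field' => 'email']);      // token missing
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

            Links to protected actions must carry the token (for example `index.php?action=delete_field&sesskey=...`), which is why an opt-out flag on the safe actions is the only exception the dispatcher needs.
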
            stronk7 Eloy Lafuente (stronk7) added a comment -

            18_STABLE done, going to fight with HEAD.

            stronk7 Eloy Lafuente (stronk7) added a comment -

            Done! Resolving as fixed.


              People

              • Assignee: stronk7 Eloy Lafuente (stronk7)
              • Reporter: stronk7 Eloy Lafuente (stronk7)
              • Tester: Nobody
              • Participants:
              • Votes: 0
              • Watchers: 0

                Dates

                • Created:
                • Updated:
                • Resolved:
                • Fix Release Date: 25/Nov/09