[MDL-26260] Loophole in quiz 'secure mode' in some themes - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.0.1, 2.0.7, 2.1.4, 2.2.1, 2.3
Fix Version/s: 2.0.8, 2.1.5, 2.2.2
Component/s: Quiz
Labels:
- netspot
- partner
- triaged

Affected Branches:
MOODLE_20_STABLE, MOODLE_21_STABLE, MOODLE_22_STABLE, MOODLE_23_STABLE
Fixed Branches:
MOODLE_20_STABLE, MOODLE_21_STABLE, MOODLE_22_STABLE
Pull from Repository:
git://github.com/timhunt/moodle.git
Pull Master Branch:
~~MDL-26260~~
Pull Master Diff URL:
https://github.com/timhunt/moodle/compare/master...MDL-26260
Testing Instructions:
Hide

1. Create a quiz with Browser security set to "... popup ..."

2. Attempt the quiz as a student. Try to defeat the security by clicking the the few pixels around the edge of the screen. In particular try to

get the context menu to appear

start to drag to select some text

3. Ignore the fact that in Moodle 2.0, you get multiple alerts for each click. That seems to be a YUI bug. If it is causing you problems, you need to upgrade to Moodle 2.1 or later.
Show
1. Create a quiz with Browser security set to "... popup ..." 2. Attempt the quiz as a student. Try to defeat the security by clicking the the few pixels around the edge of the screen. In particular try to get the context menu to appear start to drag to select some text 3. Ignore the fact that in Moodle 2.0, you get multiple alerts for each click. That seems to be a YUI bug. If it is causing you problems, you need to upgrade to Moodle 2.1 or later.

Description

When attempting a quiz in secure mode as a student, it attempts to disable right click by using JavaScript. When a right click is detected, a popup box comes up, but then gets stuck in a loop which forces the user to have to close the page which cancels the quiz attempt. Added a detach call in to the function so it does not loop until another right click event is called. Also disabled the double alert boxes appearing by disabling the message from appearing when the context menu tries to appear.

Whilst testing this, another loophole was detected where you could right click on the boundary of the page and the right click context menu would appear just fine. This was because it was only triggering the event on 'document.body'. Changing this to 'document' seems to have patched this.

Attachments

Issue Links

duplicates

MDL-25722 "Full screen pop-up with some JavaScript security" in Quiz not functioning correctly

Closed

Activity

People

Assignee:: Tim Hunt

Reporter:: Jason Ilicic

Peer reviewer:: Rajesh Taneja

Integrator:: Aparup Banerjee

Tester:: Jason Fowler

Participants:: Andrew Davis, Aparup Banerjee, Charles Fulton, Eloy Lafuente (stronk7), Jason Fowler, Jason Ilicic, Michael Blake, Rajesh Taneja, Sam Hemelryk, Tim Hunt

Component watchers:: Tim Hunt, Ilya Tregubov, Kevin Percy, Mathew May, Mihail Geshoski, Shamim Rezaie

Votes:: 2 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 04/Feb/11 4:18 PM

Updated:: 03/Feb/12 4:20 AM

Resolved:: 03/Feb/12 4:20 AM

Fix Release Date:: 12/Mar/12