Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-33950

Make sure that repository_ajax.php correctly validates access control when creating references

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.3
    • Fix Version/s: 2.3.2
    • Component/s: Files API
    • Labels:
    • Testing Instructions:
      Hide

      TEST 1

      1. work in one browser as admin and in another as teacher
      2. as admin create two courses and enroll teacher in both of them
      3. as admin create a resource in course A and add files to it
      4. as teacher create a resource in course B and add file from #3 as a copy/reference, open dialogue window "Select file" and wait
      5. as admin unenroll teacher from course A (teacher can no longer access the file he is trying to insert)
      6. as a teacher click 'select' and make sure you can not select a file

      TEST 2
      1. as admin create two courses and enroll teacher only in course B
      2. as admin create a resource in course A and add files to it
      3. as admin create a resource in course B and add file as a reference (alias) to the file from #2.
      4. as teacher create a resource in course B and try to pick a file from #3 (both as copy and a reference)
      5. make sure teacher is able to pick the file. In case of reference he will see '(Undisclosed)' as the source because he can not access course A.

      Repeat both tests with Javascript disabled for teacher (note that user can not create aliases without JS)

      Show
      TEST 1 1. work in one browser as admin and in another as teacher 2. as admin create two courses and enroll teacher in both of them 3. as admin create a resource in course A and add files to it 4. as teacher create a resource in course B and add file from #3 as a copy/reference, open dialogue window "Select file" and wait 5. as admin unenroll teacher from course A (teacher can no longer access the file he is trying to insert) 6. as a teacher click 'select' and make sure you can not select a file TEST 2 1. as admin create two courses and enroll teacher only in course B 2. as admin create a resource in course A and add files to it 3. as admin create a resource in course B and add file as a reference (alias) to the file from #2. 4. as teacher create a resource in course B and try to pick a file from #3 (both as copy and a reference) 5. make sure teacher is able to pick the file. In case of reference he will see '(Undisclosed)' as the source because he can not access course A. Repeat both tests with Javascript disabled for teacher (note that user can not create aliases without JS)
    • Affected Branches:
      MOODLE_23_STABLE
    • Fixed Branches:
      MOODLE_23_STABLE

      Description

      If I read the code right there is no access control validation in repository_ajax.php, see block starting with "if ($usefilereference) {",
      somehow the $source contents should be validated for moodle files and maybe also for external repos.

      This could probably allow stealing of any moodle file.

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  10/Sep/12