Moodle / MDL-43058

report_security_check_riskxss reports additional name fields in the user object.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.6, 2.7
    • Fix Version/s: 2.6.1
    • Component/s: Reports
    • Labels:
    • Testing Instructions:
      • Check that none of the following pages display a developer warning about additional name fields.
      1. Go to [Administration ► Site administration ► Reports ► Security overview]
      2. Check these pages:
        • XSS trusted users.
        • Administrators.
        • Backup of user data.
    • Affected Branches:
      MOODLE_26_STABLE, MOODLE_27_STABLE
    • Fixed Branches:
      MOODLE_26_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      wip-MDL-43058-master
    • Sprint:
      BACKEND Sprint 7
    • Story Points (Obsolete):
      3

      Description

      The report_security_check_riskxss reports:

      You need to update your sql to include additional name fields in the user object.
      line 3580 of /lib/moodlelib.php: call to debugging()
      line 513 of /report/security/locallib.php: call to fullname()
      line 74 of /report/security/index.php: call to report_security_check_riskxss()

      Fix:

      /report/security/locallib.php

      if ($detailed) {
      --$users = $DB->get_records_sql("SELECT DISTINCT u.id, u.firstname, u.lastname, u.picture, u.imagealt $sqlfrom", $params);
      ++$userfields = user_picture::fields('u');
      ++$users = $DB->get_records_sql("SELECT DISTINCT $userfields $sqlfrom", $params);
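
      Review bot: on the added get_records_sql() line, the column list now comes from user_picture::fields('u') instead of a literal, and get_records_sql() keys its result on the first selected column, so confirm the helper still emits u.id first; otherwise the DISTINCT user rows end up keyed on some other field. The trace in the description only covers the fullname() call at line 513 reached from report_security_check_riskxss(), while the testing instructions also list the Administrators and Backup of user data pages, so check whether the queries behind those pages need the same change. A one-line comment above $userfields saying that fullname() needs the additional name fields would stop the column list from being trimmed back later.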
      

            Activity

            salvetore Michael de Raadt added a comment -

            Thanks for reporting that and providing a patch.

            samhemelryk Sam Hemelryk added a comment -

            Thanks Adrian - looks good sending to integration now.

            stronk7 Eloy Lafuente (stronk7) added a comment -

            Integrated (26 and master), thanks!

            fred Frédéric Massart added a comment -

            Passing, thanks.

            poltawski Dan Poltawski added a comment -

            Thanks for your contributions, this change is now upstream!

            “ If debugging is the process of removing software bugs, then programming must be the process of putting them in. ” - Edsger Dijkstra


                Dates

                • Fix Release Date: 13/Jan/14