Moodle: MDL-43058

report_security_check_riskxss reports additional name fields in the user object.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.6, 2.7
    • Fix Version/s: 2.6.1
    • Component/s: Reports
    • Labels:
    • Story Points (Obsolete):
      3
    • Sprint:
      BACKEND Sprint 7

      Description

      The report_security_check_riskxss reports:

      You need to update your sql to include additional name fields in the user object.
      line 3580 of /lib/moodlelib.php: call to debugging()
      line 513 of /report/security/locallib.php: call to fullname()
      line 74 of /report/security/index.php: call to report_security_check_riskxss()

      Fix:

      /report/security/locallib.php

      if ($detailed) {
      --$users = $DB->get_records_sql("SELECT DISTINCT u.id, u.firstname, u.lastname, u.picture, u.imagealt $sqlfrom", $params);
      ++$userfields = user_picture::fields('u');
      ++$users = $DB->get_records_sql("SELECT DISTINCT $userfields $sqlfrom", $params);
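
      Review bot: On the two added lines under `if ($detailed) {`, the field list is now opaque at the call site, so add a short comment saying it exists to give fullname() (line 513 of /report/security/locallib.php in the trace above) the additional name fields it expects. Also confirm that the string returned by user_picture::fields('u') still begins with u.id, because get_records_sql() keys its result array on the first column and SELECT DISTINCT now spans every returned field. `$userfields` is interpolated directly into the SQL string, which is acceptable here only because it comes from a core helper called with the fixed 'u' prefix and not from request data; anything user-controlled should keep going through `$params`.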
      


            Activity

            Michael de Raadt added a comment -

            Thanks for reporting that and providing a patch.

            Sam Hemelryk added a comment -

            Thanks Adrian - looks good sending to integration now.

            Eloy Lafuente (stronk7) added a comment -

            Integrated (26 and master), thanks!

            Frédéric Massart added a comment -

            Passing, thanks.

            Dan Poltawski added a comment -

            Thanks for your contributions, this change is now upstream!

            “ If debugging is the process of removing software bugs, then programming must be the process of putting them in. ” - Edsger Dijkstra
