  1. Moodle
  2. MDL-46588

Invalid check of empty contextid in function get_context_from_params


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.6.5, 2.7.1, 2.8
    • Fix Version/s: 2.6.6, 2.7.3
    • Component/s: Web Services
    • Labels:
    • Testing Instructions:

      Upload a couple of files to your private file area.

      Enable "Mobile services" under Plugins / Web Services / Services.

      Create a new service on the same page and include the function core_files_get_files in that service.

      Create a token for the same user you used to upload files to your private files area and for the service you created before:
      Click on Site administration ► Plugins ► Web services ► Manage tokens
      Click Add, then select the user and service

      Next, you can do a CURL REST call simulating a WS client request:

      You need to change:

      • The URL pointing to your Moodle site
      • The wstoken value: The one you created
      • The instanceid: The id of the user you used to upload the files

      curl 'http://localhost/moodlebugs/webservice/rest/server.php?moodlewsrestformat=json' \
        -H 'Pragma: no-cache' \
        -H 'Origin: file://' \
        -H 'Accept-Encoding: gzip,deflate,sdch' \
        -H 'Accept-Language: es,en;q=0.8,de-DE;q=0.6,de;q=0.4' \
        -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1798.0 Safari/537.36' \
        -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
        -H 'Accept: application/json, text/javascript, */*; q=0.01' \
        -H 'Cache-Control: no-cache' \
        -H 'Connection: keep-alive' \
        --data 'contextid=-1&component=user&filearea=private&itemid=0&filepath=&filename=&contextlevel=user&instanceid=4&wsfunction=core_files_get_files&wstoken=1c64c9f95d565cab6e1285e75356ce35' \
        --compressed

      You should receive a JSON string containing a list of the files in your private area. As you can see, the contextid is -1. The contextlevel and instanceid functions are used to retrieve the contextid via the get_context_from_params function.

    • Affected Branches:
      MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_26_STABLE, MOODLE_27_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-46588-master

      Description

      The external lib get_context_from_params function doesn't correctly check the optional contextid parameter.

      It should use !empty instead of isset because the value may be empty.

      An example of this is the core_files_get_files external function, which assigns null to the contextid attribute (instead of doing an unset):

                    if ($fileinfo['contextid'] == -1) {
                        $fileinfo['contextid'] = null;
                    }
                    $context = self::get_context_from_params($fileinfo);
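
      How the two checks treat the values an optional contextid can carry, as an added example that is not Moodle's code: resolve_context_source() is a hypothetical stand-in that only reports which branch a get_context_from_params-style check would select, and the inputs are constructed.

```php
<?php
// Added illustration, not Moodle code. Hypothetical stand-in that reports
// which lookup path an optional contextid check would select.
function resolve_context_source(array $param, bool $strict): string {
    // $strict = false models the isset() check, true models !empty().
    $hasid = $strict
        ? !empty($param['contextid'])
        : isset($param['contextid']);

    if ($hasid) {
        // The caller is treated as having supplied a context id.
        return 'contextid';
    }
    if (!empty($param['contextlevel']) && isset($param['instanceid'])) {
        // Fall back to resolving the context from level + instance.
        return 'contextlevel+instanceid';
    }
    return 'invalid parameters';
}

// Constructed inputs: the same fallback pair as the curl call in the
// testing instructions, combined with different "empty" contextid values.
$base = ['contextlevel' => 'user', 'instanceid' => 4];
$cases = [
    'key absent' => $base,
    'null'       => $base + ['contextid' => null],
    'int 0'      => $base + ['contextid' => 0],
    "''"         => $base + ['contextid' => ''],
    "'0'"        => $base + ['contextid' => '0'],
    'int 5'      => $base + ['contextid' => 5],
];

foreach ($cases as $label => $param) {
    printf(
        "%-11s isset: %-24s !empty: %s\n",
        $label,
        resolve_context_source($param, false),
        resolve_context_source($param, true)
    );
}
```

      isset() is false for a missing key and for null, but true for 0, '' and '0'; !empty() is false for all five, so only a non-empty id selects the contextid path.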
      


                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  10/Nov/14