Moodle issue MDL-48104

Avoid use of eval() in mod_assign grading form


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.5.9, 2.6.5, 2.7.2, 2.8.1
    • Fix Version/s: 2.7.4, 2.8.2
    • Component/s: Assignment, JavaScript
    • Labels:
    • Testing Instructions:
      1. Create a new assignment enabling Files as a feedback type
      2. View the grading page
      3. Without ticking any boxes, choose to "Lock submissions" and press "Go"
        • Confirm that an alert is shown informing you that no-one was selected
      4. Place a tick in the checkbox beside a user
      5. Choose to "Lock submissions" and click Go
        • Confirm that a question was shown
      6. Cancel
      7. Change the dropdown from "Lock submissions" to "Send feedback files"
      8. Choose to "Lock submissions" and click Go
        • Confirm that a question was shown
    • Affected Branches:
      MOODLE_25_STABLE, MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_27_STABLE, MOODLE_28_STABLE
    • Sprint:
      FRONTEND Sprint 15

      Description

      There is an unnecessary eval() in the following code which is an open door to XSS attacks.

      mod/assign/module.js
      confirmmessage = eval('M.str.assign.batchoperationconfirm' + operation.get('value'));
      

      The JavaScript here resolves a string using the value from an HTML element. If the attacker can inject HTML content where this code is used (which I tried and failed as a student), then it is possible to hijack the field and trick the eval into executing arbitrary code.

      An easy fix is to use M.util.get_string().
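      The pattern described in the report, shown as an added example that is not Moodle's own code: the eval()-based lookup beside a data-only lookup of the kind M.util.get_string() performs (it resolves M.str[component][identifier] as a property access rather than as source code). The string table, the string identifiers and the attacker-controlled option value are constructed for the demonstration; the example runs under Node with no browser.

```javascript
// Added example (not Moodle's code): the eval() pattern from MDL-48104 beside
// a lookup-based replacement. Runs under Node, no browser needed; the string
// table, identifiers and operation names below are constructed for the demo.

// Stand-in for Moodle's client-side string table M.str.<component>.<identifier>.
// The identifiers follow the batchoperationconfirm<operation> naming from the
// report; the texts are made up.
const M = {
  str: {
    assign: {
      batchoperationconfirmlock: 'Lock submissions for the selected users?',
      batchoperationconfirmunlock: 'Unlock submissions for the selected users?',
      batchoperationconfirmsendfeedbackfiles: 'Send feedback files to the selected users?',
    },
  },
};

// BEFORE: the pattern the issue reports. `operation` is the value attribute of
// the <option> the user picked, concatenated straight into source code.
function confirmMessageWithEval(operation) {
  return eval('M.str.assign.batchoperationconfirm' + operation);
}

// A constructed attacker value. If an attacker can get markup such as
// <option value="..."> onto the page, the value becomes JavaScript: the first
// statement is the expected lookup, the second runs arbitrary code, and the
// third decides what eval() returns (eval yields the last completion value).
const EVIL_OPERATION = 'lock; globalThis.hijacked = true; "attacker text"';

// AFTER: the same lookup done as data, the way M.util.get_string() resolves
// M.str[component][identifier]. The value is only ever used as a property name.
// The own-property check rejects unknown operations instead of returning
// undefined or walking up the prototype chain.
function confirmMessageSafe(operation) {
  const identifier = 'batchoperationconfirm' + operation;
  const strings = M.str.assign;
  if (!Object.prototype.hasOwnProperty.call(strings, identifier)) {
    throw new Error('No confirmation string for operation: ' + JSON.stringify(operation));
  }
  return strings[identifier];
}

// Stricter still: the set of valid batch operations is known when the form is
// built, so an allowlist can reject bad values before any lookup happens.
const KNOWN_OPERATIONS = new Set(['lock', 'unlock', 'sendfeedbackfiles']);

function confirmMessageAllowlisted(operation) {
  if (!KNOWN_OPERATIONS.has(operation)) {
    throw new Error('Unknown batch operation: ' + JSON.stringify(operation));
  }
  return confirmMessageSafe(operation);
}

// Demonstration: the benign value behaves the same in both versions; the
// hostile one executes code under eval() and is rejected by the lookup.
function demo() {
  const results = {
    evalBenign: confirmMessageWithEval('lock'),
    evalHostile: confirmMessageWithEval(EVIL_OPERATION),
    hijacked: globalThis.hijacked === true,
    safeBenign: confirmMessageSafe('lock'),
    safeHostile: null,
  };
  try {
    confirmMessageSafe(EVIL_OPERATION);
  } catch (e) {
    results.safeHostile = e.message;
  }
  return results;
}

console.log(demo());
```

      The point the demo makes is that eval() turns a data value into a program: the hostile value returns "attacker text" and leaves a global side effect behind, while the property lookup and the allowlist both refuse it. The injection vector itself (getting the option markup onto the page) is what the reporter could not achieve as a student; the example only shows what happens once the value is attacker-controlled.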


              People

              Assignee:
              dobedobedoh Andrew Nicols
              Reporter:
              fred Frédéric Massart
              Peer reviewer:
              Ankit Agarwal
              Integrator:
              Dan Poltawski
              Tester:
              Mark Nelson
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
              Votes:
              0
              Watchers:
              5

                Dates

                Fix Release Date:
                12/Jan/15