Moodle / MDL-48496

Do not show detailed error messages in the response from curl requests in rss_client

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • 2.7.4, 2.8.2
    • 2.6.6, 2.7.3, 2.8.1
    • Libraries
    • MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
    • MOODLE_27_STABLE, MOODLE_28_STABLE
    • Testing instructions

      Test 1

      1. Add a new Remote RSS Feeds block
      2. Edit it to add a new feed
      3. Provide a few URLs
        • Some leading to a valid/invalid RSS feed
        • Some leading to the discovery of a valid/invalid feed

          Example of an invalid one:
          <html> 
              <head> 
                  <link rel="alternate" title="La Une" href="dict://localhost:11211" type="application/rss+xml"/>
              </head>
              <body> 
              </body>
          </html>
          

      4. Make sure that the error displayed when the feed is invalid is generic and does not provide any information on the system, the request, etc.

      Test 2

      1. Enable debug developer
      2. Copy an RSS feed to your localhost (e.g. https://github.com/FMCorz.atom)
      3. Set up the previous block to use that feed
      4. Make sure it works
      5. Rename the file on your localhost so that it becomes invalid
      6. Purge your cache
      7. Refresh the page where the block is and make sure you see an error with details
      8. Disable debug developer
      9. Purge your cache
      10. Refresh the page where the block is and make sure nothing is displayed
      11. Rename the file to what it should be
      12. Purge your cache
      13. Refresh the page where the block is and make sure the feed is working as expected
    • BACKEND Sprint 19
    • Small

      As noted in MDL-48264, this can be used for attacks like port scanning the server from localhost.
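
      Why the detail matters, as an added example (not Moodle's rss_client code; the function names and the sample libcurl errors are constructed for illustration): raw curl errors read differently for each failure cause, while a single generic message with detail gated behind developer debugging does not. The script exits non-zero if the non-debug message varies or echoes any raw error text.

```php
<?php
// Added example. Function names and sample errors are hypothetical/constructed,
// not taken from Moodle's rss_client code.

const GENERIC_FEED_ERROR = 'Could not load the feed at the given URL.';

// "Before": raw libcurl text reaches the page, so each failure cause reads differently.
function leaky_feed_error(int $errno, string $curlerror): string {
    return "Error $errno: $curlerror";
}

// "After": one fixed message for every failure; detail only with developer debugging on.
function safe_feed_error(int $errno, string $curlerror, bool $debugdeveloper): string {
    if ($debugdeveloper) {
        return GENERIC_FEED_ERROR . " (curl error $errno: $curlerror)";
    }
    return GENERIC_FEED_ERROR;
}

// True when every failure renders the same text, so the response cannot be
// used to tell one failure cause from another.
function is_uniform(array $messages): bool {
    return count(array_unique($messages)) === 1;
}

// Constructed failures, as curl_errno()/curl_error() might report them for
// feed URLs that point back at the server itself.
$failures = [
    [7,  'Failed to connect to localhost port 11211: Connection refused'],
    [28, 'Operation timed out after 3000 milliseconds with 0 bytes received'],
    [1,  'Protocol "dict" not supported or disabled in libcurl'],
];

$leaky = $safe = [];
foreach ($failures as [$errno, $text]) {
    $leaky[] = leaky_feed_error($errno, $text);
    $safe[]  = safe_feed_error($errno, $text, false);
    // The non-debug message must not echo any part of the raw error.
    if (strpos(end($safe), $text) !== false) {
        fwrite(STDERR, "raw curl error leaked into user-facing message\n");
        exit(1);
    }
}

echo 'raw errors uniform:     ', var_export(is_uniform($leaky), true), "\n";
echo 'generic errors uniform: ', var_export(is_uniform($safe), true), "\n";
exit(is_uniform($safe) ? 0 : 1);
```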

            Frédéric Massart (fred)
            Damyon Wiese (damyon)
            Ankit Agarwal
            Eloy Lafuente (stronk7)
            Rajesh Taneja