  1. Moodle
  2. MDL-48542

Possible to render a Moodle site completely inaccessible by passing '###' to customusermenuitems setting


Details

    • MOODLE_28_STABLE
    • MOODLE_28_STABLE
    • MDL-48542-master
    • Easy

      Automated test

      1. Run PHPUnit tests in lib/tests/user_menu_test.php.

      Manual test

      1. Go to Site administration ▶ Appearance ▶ Themes ▶ Theme settings
      2. Append '###' to the Custom User Menu setting and press save.
        • Observe that the world no longer explodes, and you have a divider in the user menu where you'd expect to see one.

      The fun part, Added by Dan:

      1. Try to input as many different types of malicious input as you can and try to break it
      2. Observe that whatever input you add, there is always a divider before the final entry (and possibly two if you have ###)
    • FRONTEND Sprint 16, Team B Sprint 1, Team Beards Sprint 2
    • Small

    Description

      Steps to reproduce:

      1. Go to Site administration ▶ Appearance ▶ Themes ▶ Theme settings
      2. Append '###' to the Custom User Menu setting
      3. Press save

      Expected result:

      • It is used as a divider (e.g. like the custom menu items setting mentioned above it) or is ignored or fails validation

      Actual result:

      • Boom renders the site completely inaccessible

        Coding error detected, it must be fixed by a programmer: PHP catchable fatal error
        Debug info: Argument 1 passed to action_menu_link_secondary::__construct() must be an instance of moodle_url, null given, called in [dirroot]/lib/outputrenderers.php on line 3066 and defined
        Error code: codingerror
        Stack trace:
        line 393 of /lib/setuplib.php: coding_exception thrown
        line 3535 of /lib/outputcomponents.php: call to default_error_handler()
        line 3066 of /lib/outputrenderers.php: call to action_menu_link_secondary->__construct()
        line 53 of /theme/clean/layout/columns2.php: call to core_renderer->user_menu()
        line 915 of /lib/outputrenderers.php: call to include()
        line 845 of /lib/outputrenderers.php: call to core_renderer->render_page_layout()
        line 107 of /admin/settings.php: call to core_renderer->header()
        

      • It can only be recovered by manually fixing in the database and purging caches.
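
      A defensive parse for a line-based menu setting like the one in this report, as an added example (not Moodle's code and not the fix committed for this issue): '###' lines become dividers, and a line without a usable URL is rejected instead of reaching the renderer as null. The `title|url` line format and all function names are assumptions.

```php
<?php
// Added illustration; not Moodle's code. The "title|url" line format and
// the function name are assumptions made for this example.

/**
 * Parse the raw setting text without ever throwing.
 * Returns ['entries' => [...], 'rejected' => [line numbers]] so that a
 * save-time validator can refuse the value and a renderer can still draw
 * the menu from whatever entries are well formed.
 */
function parse_user_menu_setting(string $raw): array {
    $entries = [];
    $rejected = [];
    foreach (preg_split('/\R/', $raw) as $n => $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        // A line made only of '#' characters is a divider, not a link.
        if (preg_match('/^#+$/', $line) === 1) {
            $entries[] = ['type' => 'divider'];
            continue;
        }
        $parts = array_map('trim', explode('|', $line));
        $title = $parts[0];
        $url = $parts[1] ?? '';
        // Accept only site-relative paths or http(s) URLs. A missing URL,
        // another scheme, or a protocol-relative //host is rejected.
        $ok = $title !== ''
            && preg_match('~^(/(?!/)|https?://)\S*$~i', $url) === 1;
        if (!$ok) {
            $rejected[] = $n + 1;
            continue;
        }
        $entries[] = ['type' => 'link', 'title' => $title, 'url' => $url];
    }
    return ['entries' => $entries, 'rejected' => $rejected];
}

// Constructed sample input, including the '###' value from the report.
$raw = "Grades|/grade/report/mygrades.php\n###\nno url here\n"
     . "Bad|javascript:alert(1)\n###";
$result = parse_user_menu_setting($raw);
foreach ($result['entries'] as $e) {
    echo $e['type'] === 'divider' ? "---\n" : "{$e['title']} -> {$e['url']}\n";
}
echo 'Rejected lines: ' . implode(', ', $result['rejected']) . "\n";
```

      Running the same check both when the setting is saved and when the menu is rendered means a bad value already stored in the database cannot take the site down.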

            People

              jethac Jetha Chan
              poltawski Dan Poltawski
              Adrian Greeve Adrian Greeve
              Andrew Lyons Andrew Lyons
              Rajesh Taneja Rajesh Taneja
              Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Stevani Andolo
              Votes: 0
              Watchers: 6

              Dates

                Created:
                Updated:
                Resolved:
                2/Feb/15