Moodle / MDL-48542

Possible to render a Moodle site completely inaccessible by passing '###' to customusermenuitems setting


    Details

    • Testing Instructions:

      Automated test

      1. Run PHPUnit tests in lib/tests/user_menu_test.php.

      Manual test

      1. Go to Site administration ▶ Appearance ▶ Themes ▶ Theme settings
      2. Append '###' to the Custom User Menu setting and press save.
        • Observe that the world no longer explodes, and you have a divider in the user menu where you'd expect to see one.

      The fun part, Added by Dan:

      1. Try and input as many different types of malicious inputs as you can and try and break it
      2. Observe that whatever input you add, there is always a divider before the final entry (and possibly two if you have ###)
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_28_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-48542-master
    • Sprint:
      FRONTEND Sprint 16, Team B Sprint 1, Team Beards Sprint 2
    • Issue size:
      Small

      Description

      Steps to reproduce:

      1. Go to Site administration ▶ Appearance ▶ Themes ▶ Theme settings
      2. Append '###' to the Custom User Menu setting
      3. Press save

      Expected result:

      • It is used as a divider (e.g. like the custom menu items setting mentioned above it) or is ignored or fails validation

      Actual result:

      • Boom renders the site completely inaccessible

        Coding error detected, it must be fixed by a programmer: PHP catchable fatal error
        Debug info: Argument 1 passed to action_menu_link_secondary::__construct() must be an instance of moodle_url, null given, called in [dirroot]/lib/outputrenderers.php on line 3066 and defined
        Error code: codingerror
        Stack trace:
        line 393 of /lib/setuplib.php: coding_exception thrown
        line 3535 of /lib/outputcomponents.php: call to default_error_handler()
        line 3066 of /lib/outputrenderers.php: call to action_menu_link_secondary->__construct()
        line 53 of /theme/clean/layout/columns2.php: call to core_renderer->user_menu()
        line 915 of /lib/outputrenderers.php: call to include()
        line 845 of /lib/outputrenderers.php: call to core_renderer->render_page_layout()
        line 107 of /admin/settings.php: call to core_renderer->header()
        

      • It can only be recovered by manually fixing in the database and purging caches.
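
      An added example, not Moodle's code or the fix from this issue: one way to parse such a setting so that a malformed line becomes a skipped entry with a warning instead of a null URL reaching the renderer on every page. The `title|url` line format and the function name `parse_user_menu_setting` are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Parse an admin-supplied menu setting into render-safe items.
 * Hypothetical helper: assumes one "title|url" entry per line.
 * Returns [items, warnings] and never throws on malformed input.
 */
function parse_user_menu_setting(string $text): array
{
    $items = [];
    $warnings = [];
    foreach (preg_split('/\R/', $text) as $n => $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        // A line made only of '#' characters is a divider, not a link.
        if (preg_match('/^#+$/', $line) === 1) {
            $items[] = ['type' => 'divider'];
            continue;
        }
        $parts = array_map('trim', explode('|', $line));
        $title = $parts[0];
        $url = $parts[1] ?? '';
        // Accept only site-relative paths (not "//host") or http(s) URLs.
        $ok = $title !== '' && preg_match('~^(/(?!/)|https?://)~i', $url) === 1;
        if (!$ok) {
            $warnings[] = sprintf('line %d ignored: missing title or unusable URL', $n + 1);
            continue;
        }
        $items[] = ['type' => 'link', 'title' => $title, 'url' => $url];
    }
    return [$items, $warnings];
}

// Constructed sample input, including the '###' value from the report.
$setting = "Grades|/grade/report/mygrades.php\n###\n|\nHelp\nPreferences|/user/preferences.php";
[$items, $warnings] = parse_user_menu_setting($setting);
foreach ($items as $item) {
    echo $item['type'] === 'divider' ? "-----\n" : "{$item['title']} -> {$item['url']}\n";
}
foreach ($warnings as $w) {
    echo "warning: $w\n";
}
```

      Running the same parser when the setting is saved lets the admin form reject bad input up front, while keeping it on the render path means a value written directly to the database still cannot take the site down.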

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  2/Feb/15