Moodle issue MDL-48542

Possible to render a Moodle site completely inaccessible by passing '###' to customusermenuitems setting


    • MOODLE_28_STABLE
    • MOODLE_28_STABLE
    • MDL-48542-master
    • Easy

      Automated test

      1. Run PHPUnit tests in lib/tests/user_menu_test.php.

      Manual test

      1. Go to Site administration ▶ Appearance ▶ Themes ▶ Theme settings
      2. Append '###' to the Custom User Menu setting and press save.
        • Observe that the world no longer explodes, and you have a divider in the user menu where you'd expect to see one.

      The fun part (added by Dan):

      1. Try to input as many different types of malicious input as you can and try to break it.
      2. Observe that whatever input you add, there is always a divider before the final entry (and possibly two if you have ###).
    • FRONTEND Sprint 16, Team B Sprint 1, Team Beards Sprint 2
    • Small

      Steps to reproduce:

      1. Go to Site administration ▶ Appearance ▶ Themes ▶ Theme settings
      2. Append '###' to the Custom User Menu setting
      3. Press save

      Expected result:

      • It is used as a divider (e.g. like the custom menu items setting mentioned above it), or is ignored, or fails validation

      Actual result:

      • Boom: renders the site completely inaccessible

        Coding error detected, it must be fixed by a programmer: PHP catchable fatal error
        Debug info: Argument 1 passed to action_menu_link_secondary::__construct() must be an instance of moodle_url, null given, called in [dirroot]/lib/outputrenderers.php on line 3066 and defined
        Error code: codingerror
        Stack trace:
        line 393 of /lib/setuplib.php: coding_exception thrown
        line 3535 of /lib/outputcomponents.php: call to default_error_handler()
        line 3066 of /lib/outputrenderers.php: call to action_menu_link_secondary->__construct()
        line 53 of /theme/clean/layout/columns2.php: call to core_renderer->user_menu()
        line 915 of /lib/outputrenderers.php: call to include()
        line 845 of /lib/outputrenderers.php: call to core_renderer->render_page_layout()
        line 107 of /admin/settings.php: call to core_renderer->header()
        

      • It can only be recovered by manually fixing in the database and purging caches.
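A fail-safe way to parse a setting like this, as an added example that is not Moodle's own code: it assumes a `text|url|title` per-line format with `###` as a divider, validates each URL at parse time, and drops malformed lines so that a null URL can never reach the renderer, which is where the stack trace above shows the fatal error being raised.

```php
<?php
// Added example, not Moodle's code. Assumed line format "text|url|title", one
// item per line; a line of exactly "###" is a divider. Malformed lines are
// dropped, so a bad admin value degrades the menu instead of a fatal error.

const MENU_DIVIDER = '###';
/** Accept site-relative paths ("/x", not "//host") and http(s) URLs only. */
function is_safe_menu_url(string $url): bool {
    if (str_starts_with($url, '/') && !str_starts_with($url, '//')) {
        return true;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return in_array(strtolower((string) $scheme), ['http', 'https'], true);
}

/**
 * Returns ['type' => 'divider'] or
 * ['type' => 'link', 'text' => ..., 'url' => ..., 'title' => ...] per line.
 * Every link entry carries a non-empty, validated URL, so the renderer
 * can never be handed a null where a URL object is required.
 */
function parse_custom_user_menu(string $setting): array {
    $entries = [];
    foreach (preg_split('/\R/', $setting) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        if ($line === MENU_DIVIDER) {
            $entries[] = ['type' => 'divider'];
            continue;
        }
        $parts = array_map('trim', explode('|', $line));
        $text = $parts[0];
        $url  = $parts[1] ?? '';
        if ($text === '' || !is_safe_menu_url($url)) {
            continue; // Incomplete or unsafe item: skip it, do not crash.
        }
        $title = ($parts[2] ?? '') !== '' ? $parts[2] : $text;
        $entries[] = ['type' => 'link', 'text' => $text, 'url' => $url, 'title' => $title];
    }
    return $entries;
}

// Constructed sample: a valid link, a line with no URL, and the trailing
// '###' from the issue; the result is a link and a divider, no exception.
foreach (parse_custom_user_menu("Profile|/user/profile.php\nno url here\n###") as $e) {
    echo $e['type'] === 'divider' ? "<hr>\n"
        : sprintf("<a href=\"%s\">%s</a>\n", htmlspecialchars($e['url']), htmlspecialchars($e['text']));
}
```

Because validation happens when the value is parsed rather than when the menu is drawn, a rejected line costs one missing menu item instead of an unrecoverable site, and the same parser can back server-side validation of the setting before it is saved.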

            People: Jetha Chan, Dan Poltawski, Adrian Greeve, Andrew Lyons, Rajesh Taneja