[MDL-48542] Possible to render a Moodle site completely inaccessible by passing '###' to customusermenuitems setting - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.8 regressions, 2.8.1
Fix Version/s: 2.8.3
Component/s: Administration
Labels:

Affected Branches:
MOODLE_28_STABLE
Fixed Branches:
MOODLE_28_STABLE
Pull from Repository:
git://github.com/jethac/moodle.git
Pull Master Branch:
~~MDL-48542~~-master
Pull Master Diff URL:
https://github.com/jethac/moodle/compare/da0ef2e...MDL-48542-master
Difficulty:
Easy
Testing Instructions:
Hide

Automated test

Run PHPUnit tests in lib/tests/user_menu_test.php.

Manual test

Go to Site administration ▶ Appearance ▶ Themes ▶ Theme settings

Append '###' to the Custom User Menu setting and press save.

Observe that the world no longer explodes, and you have a divider in the user menu where you'd expect to see one.

The fun part, Added by Dan:

Try and input as many different types as malicious inputs as you can and try and break it

Observe that whatever input you add, there is always a divider before the final entry (and possibly two if you have ###)
Show
Automated test Run PHPUnit tests in lib/tests/user_menu_test.php . Manual test Go to Site administration ▶ Appearance ▶ Themes ▶ Theme settings Append '###' to the Custom User Menu setting and press save. Observe that the world no longer explodes, and you have a divider in the user menu where you'd expect to see one. The fun part, Added by Dan: Try and input as many different types as malicious inputs as you can and try and break it Observe that whatever input you add, there is always a divider before the final entry (and possibly two if you have ###)

Sprint:
FRONTEND Sprint 16, Team B Sprint 1, Team Beards Sprint 2
Issue size:
Small

Description

Steps to reproduce:

Go to Site administration ▶ Appearance ▶ Themes ▶ Theme settings
Append '###' to the Custom User Menu setting
Press save

Expected result:

It is used as a divider (e.g. like the custom menu items setting mentioned above it) or is ignored or fails validation

Actual result:

Boom

renders the site completely inaccessible

Coding error detected, it must be fixed by a programmer: PHP catchable fatal error

Debug info: Argument 1 passed to action_menu_link_secondary::__construct() must be an instance of moodle_url, null given, called in [dirroot]/lib/outputrenderers.php on line 3066 and defined

Error code: codingerror

Stack trace:

line 393 of /lib/setuplib.php: coding_exception thrown

line 3535 of /lib/outputcomponents.php: call to default_error_handler()

line 3066 of /lib/outputrenderers.php: call to action_menu_link_secondary->__construct()

line 53 of /theme/clean/layout/columns2.php: call to core_renderer->user_menu()

line 915 of /lib/outputrenderers.php: call to include()

line 845 of /lib/outputrenderers.php: call to core_renderer->render_page_layout()

line 107 of /admin/settings.php: call to core_renderer->header()

It can only be recovered by manually fixing in the database and purging caches.

Attachments

Issue Links

is a regression caused by

MDL-47559 Add customusermenu theme setting so admins can add items to the new user menu

Closed

Activity

People

Assignee:: Jetha Chan

Reporter:: Dan Poltawski

Peer reviewer:: Adrian Greeve

Integrator:: Andrew Lyons

Tester:: Rajesh Taneja

Participants:: Adrian Greeve, Andrew Lyons, CiBoT, Dan Poltawski, Eloy Lafuente (stronk7), Jetha Chan, Marina Glancy, Rajesh Taneja

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 10/Dec/14 7:04 AM

Updated:: 30/Jan/15 3:11 AM

Resolved:: 30/Jan/15 3:11 AM

Fix Release Date:: 2/Feb/15