
badges_get_user_badges uses concatenation to form an SQL statement


Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 2.6.6, 2.7.3, 2.8.2, 2.9
    • 2.7.5, 2.8.3
    • Badges
    • MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_29_STABLE
    • MOODLE_27_STABLE, MOODLE_28_STABLE
    • MDL-48753_master
      1. Run unit tests on `vendor/bin/phpunit core_badges_badgeslib_testcase badges/tests/badgeslib_test.php`
      2. Run behat tests on @core_badges (thanks Yuliya for already covering this)
      1. Create a badge
      2. Issue it to a user
      3. Log in as that user and browse to your profile
      4. Check you see the badge.

    Description

      The function badges_get_user_badges in lib/badgeslib.php is using concatenation to form part of an SQL statement.
      While all current core uses are safely handling the concatenated param, it could potentially be exploited if the calling code was sloppy.
      This is a pretty minor issue at this point, however one that really should be addressed.
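      As an added illustration of the risk the description raises (this is not Moodle's actual badges_get_user_badges code; the {badge} and {badge_issued} table names and the $DB usage are assumed from Moodle's DML API), the concatenating form next to its parameterised replacement:

```php
<?php
// Added example, not Moodle's own code. Assumes Moodle's global $DB (moodle_database).

// Weak form: $search is spliced straight into the SQL text. It is only safe
// while every caller has already sanitised $search, which this function
// cannot verify; a careless caller turns it into SQL injection.
function example_get_user_badges_concat(int $userid, string $search) {
    global $DB;
    $sql = "SELECT b.id, b.name, bi.dateissued
              FROM {badge} b
              JOIN {badge_issued} bi ON bi.badgeid = b.id
             WHERE bi.userid = $userid
               AND b.name LIKE '%$search%'";
    return $DB->get_records_sql($sql);
}

// Hardened form: every dynamic value travels as a named placeholder, and the
// LIKE pattern is built with the DML helpers so wildcard characters in the
// user-supplied text are escaped rather than interpreted.
function example_get_user_badges_params(int $userid, string $search) {
    global $DB;
    $params = ['userid' => $userid];
    $sql = "SELECT b.id, b.name, bi.dateissued
              FROM {badge} b
              JOIN {badge_issued} bi ON bi.badgeid = b.id
             WHERE bi.userid = :userid";
    if ($search !== '') {
        // sql_like() emits the database-specific LIKE expression against a placeholder.
        $sql .= ' AND ' . $DB->sql_like('b.name', ':search', false);
        $params['search'] = '%' . $DB->sql_like_escape($search) . '%';
    }
    return $DB->get_records_sql($sql, $params);
}
```

      The second form is the pattern the fix moves toward: the SQL text is fixed at the call site and the database driver binds the values, so the function's safety no longer depends on how each caller prepared its arguments.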

      Attachments

        Activity

          People

            samhemelryk Sam Hemelryk
            samhemelryk Sam Hemelryk
            Mark Nelson Mark Nelson
            Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
            Rajesh Taneja Rajesh Taneja
            Yuliya Bozhko, Amaia Anabitarte, Bas Brands, Carlos Escobedo, Laurent David, Raquel Ortega, Sabina Abellan, Sara Arjona (@sarjona)

            Dates

              Created:
              Updated:
              Resolved:
              2/Feb/15