MDL-48753: badges_get_user_badges uses concatenation to form an SQL statement


    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Fix Version/s: 2.7.5, 2.8.3
    • Affects Version/s: 2.6.6, 2.7.3, 2.8.2, 2.9
    • Component/s: Badges
    • Affected Branches: MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_29_STABLE
    • Fixed Branches: MOODLE_27_STABLE, MOODLE_28_STABLE
    • Pull Master Branch: MDL-48753_master
    • Testing instructions:
      1. Run unit tests on `vendor/bin/phpunit core_badges_badgeslib_testcase badges/tests/badgeslib_test.php`
      2. Run behat tests on @core_badges (thanks Yuliya for already covering this)
      Manual check:
      1. Create a badge
      2. Issue it to a user
      3. Log in as that user and browse to your profile
      4. Check you see the badge.

      The function badges_get_user_badges in lib/badgeslib.php is using concatenation to form part of an SQL statement.
      While all current core uses are safely handling the concatenated param, it could potentially be exploited if the calling code was sloppy.
      This is a pretty minor issue at this point, however one that really should be addressed.
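      The pattern the issue describes, and the parameterised replacement for it, as an added illustration that is not Moodle's code from lib/badgeslib.php. Because badges_get_user_badges cannot run outside a Moodle install, the example uses an in-memory SQLite database through PDO as a stand-in for Moodle's $DB; the table layout, rows and the search parameter are constructed for this example and do not reproduce the real badge schema. The "sloppy caller" is the scenario the description warns about: a search term passed through without sanitisation.

```php
<?php
// Added illustration (not Moodle's code): the concatenation pattern
// described in MDL-48753 next to its parameterised replacement, run
// against an in-memory SQLite database via PDO so it works without Moodle.
// Table names, columns and rows below are constructed for this example.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE badge (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec('CREATE TABLE badge_issued (badgeid INTEGER, userid INTEGER, visible INTEGER)');
    $db->exec("INSERT INTO badge VALUES (1, 'Alpha'), (2, 'Beta'), (3, 'Secret Gamma')");
    // Constructed data: user 7 holds badges 1 and 2; user 8 holds badge 3.
    $db->exec('INSERT INTO badge_issued VALUES (1, 7, 1), (2, 7, 1), (3, 8, 1)');
    return $db;
}

// Vulnerable shape: the caller-supplied search term is spliced into the SQL text.
function get_user_badges_concat(PDO $db, int $userid, string $search): array {
    $sql = "SELECT b.id, b.name FROM badge b
              JOIN badge_issued bi ON bi.badgeid = b.id
             WHERE bi.userid = $userid";
    if ($search !== '') {
        $sql .= " AND b.name LIKE '%" . $search . "%'";
    }
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: every caller-controlled value travels as a bound parameter,
// and LIKE metacharacters in the term are escaped so they match literally.
function get_user_badges_param(PDO $db, int $userid, string $search): array {
    $sql = "SELECT b.id, b.name FROM badge b
              JOIN badge_issued bi ON bi.badgeid = b.id
             WHERE bi.userid = :userid";
    $params = ['userid' => $userid];
    if ($search !== '') {
        $sql .= " AND b.name LIKE :search ESCAPE '\\'";
        // Escape the backslash first so the escapes added for % and _ survive.
        $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $search);
        $params['search'] = '%' . $escaped . '%';
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
// A sloppy caller forwards an unsanitised term. Concatenated, it closes the
// LIKE literal and appends an always-true OR, so the userid filter is bypassed
// and another user's badge is returned; bound as a parameter it is just text.
$sloppy = "%' OR '1%'='1";
echo count(get_user_badges_concat($db, 7, $sloppy)), " rows via concatenation\n";
echo count(get_user_badges_param($db, 7, $sloppy)), " rows via bound parameter\n";
```

      Running it shows the concatenated query returning every badge in the table, including the one issued to user 8, while the parameterised query returns nothing because no badge name contains the literal term. In Moodle the same hardening is expressed through the DML layer: build the clause with $DB->sql_like('b.name', ':search') and pass '%' . $DB->sql_like_escape($search) . '%' in the $params array of $DB->get_records_sql(), rather than appending the raw string to $sql.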

            Assignee: Sam Hemelryk
            Reporter: Sam Hemelryk
            Peer reviewer: Mark Nelson
            Integrator: Eloy Lafuente (stronk7)
            Tester: Rajesh Taneja
            Votes: 0
            Watchers: 4
